Vulnerability-Lookup

Vendor	Product	Description
SUSE	N/A	SUSE Linux Enterprise Micro for Rancher 5.2
SUSE	N/A	SUSE Linux Enterprise Server High Availability Extension 16.0
SUSE	N/A	SUSE Linux Enterprise Server 11 SP4
SUSE	N/A	SUSE Linux Micro 6.2
SUSE	N/A	SUSE Linux Enterprise Micro 5.2
SUSE	N/A	SUSE Linux Micro Extras 6.2
SUSE	N/A	SUSE Linux Enterprise Server for SAP Applications 16.0
SUSE	N/A	SUSE Linux Enterprise Server 16.0
SUSE	N/A	SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE
SUSE	N/A	openSUSE Leap 15.3

CVE-2025-40226 (GCVE-0-2025-40226)

Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2025-12-04 15:31

Title

firmware: arm_scmi: Account for failed debug initialization

Summary

In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Account for failed debug initialization When the SCMI debug subsystem fails to initialize, the related debug root will be missing, and the underlying descriptor will be NULL. Handle this fault condition in the SCMI debug helpers that maintain metrics counters.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d719ce9f286c43979…
	https://git.kernel.org/stable/c/e088efcd97cb7c729…
	https://git.kernel.org/stable/c/554c9d5c6c695aeda…
	https://git.kernel.org/stable/c/2290ab43b9d8eafb8…

Impacted products

Vendor

Product

Version

Linux

Affected: b38812942556819263256cb77fbdc9eae7aa5b1b , < d719ce9f286c439795cd2beee4c91f12b84bc5a0 (git)
Affected: 0b3d48c4726e1b20dffd2ff81a9d94d5d930220b , < e088efcd97cb7c7297d166bb52c3b87a29f6a0b1 (git)
Affected: 0b3d48c4726e1b20dffd2ff81a9d94d5d930220b , < 554c9d5c6c695aedaecfb4365c187102709397b0 (git)
Affected: 0b3d48c4726e1b20dffd2ff81a9d94d5d930220b , < 2290ab43b9d8eafb8046387f10a8dfa2b030ba46 (git)

Linux

Affected: 6.12
Unaffected: 0 , < 6.12 (semver)
Unaffected: 6.6.115 , ≤ 6.6.* (semver)
Unaffected: 6.12.56 , ≤ 6.12.* (semver)
Unaffected: 6.17.6 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/firmware/arm_scmi/common.h",
            "drivers/firmware/arm_scmi/driver.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d719ce9f286c439795cd2beee4c91f12b84bc5a0",
              "status": "affected",
              "version": "b38812942556819263256cb77fbdc9eae7aa5b1b",
              "versionType": "git"
            },
            {
              "lessThan": "e088efcd97cb7c7297d166bb52c3b87a29f6a0b1",
              "status": "affected",
              "version": "0b3d48c4726e1b20dffd2ff81a9d94d5d930220b",
              "versionType": "git"
            },
            {
              "lessThan": "554c9d5c6c695aedaecfb4365c187102709397b0",
              "status": "affected",
              "version": "0b3d48c4726e1b20dffd2ff81a9d94d5d930220b",
              "versionType": "git"
            },
            {
              "lessThan": "2290ab43b9d8eafb8046387f10a8dfa2b030ba46",
              "status": "affected",
              "version": "0b3d48c4726e1b20dffd2ff81a9d94d5d930220b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/firmware/arm_scmi/common.h",
            "drivers/firmware/arm_scmi/driver.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.115",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.56",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.115",
                  "versionStartIncluding": "6.6.92",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.56",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.6",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scmi: Account for failed debug initialization\n\nWhen the SCMI debug subsystem fails to initialize, the related debug root\nwill be missing, and the underlying descriptor will be NULL.\n\nHandle this fault condition in the SCMI debug helpers that maintain\nmetrics counters."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-04T15:31:17.994Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d719ce9f286c439795cd2beee4c91f12b84bc5a0"
        },
        {
          "url": "https://git.kernel.org/stable/c/e088efcd97cb7c7297d166bb52c3b87a29f6a0b1"
        },
        {
          "url": "https://git.kernel.org/stable/c/554c9d5c6c695aedaecfb4365c187102709397b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/2290ab43b9d8eafb8046387f10a8dfa2b030ba46"
        }
      ],
      "title": "firmware: arm_scmi: Account for failed debug initialization",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40226",
    "datePublished": "2025-12-04T15:31:17.994Z",
    "dateReserved": "2025-04-16T07:20:57.180Z",
    "dateUpdated": "2025-12-04T15:31:17.994Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50884 (GCVE-0-2022-50884)

Vulnerability from cvelistv5 – Published: 2025-12-30 12:34 – Updated: 2026-01-02 15:05

Title

drm: Prevent drm_copy_field() to attempt copying a NULL pointer

Summary

In the Linux kernel, the following vulnerability has been resolved: drm: Prevent drm_copy_field() to attempt copying a NULL pointer There are some struct drm_driver fields that are required by drivers since drm_copy_field() attempts to copy them to user-space via DRM_IOCTL_VERSION. But it can be possible that a driver has a bug and did not set some of the fields, which leads to drm_copy_field() attempting to copy a NULL pointer: [ +10.395966] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000 [ +0.010955] Mem abort info: [ +0.002835] ESR = 0x0000000096000004 [ +0.003872] EC = 0x25: DABT (current EL), IL = 32 bits [ +0.005395] SET = 0, FnV = 0 [ +0.003113] EA = 0, S1PTW = 0 [ +0.003182] FSC = 0x04: level 0 translation fault [ +0.004964] Data abort info: [ +0.002919] ISV = 0, ISS = 0x00000004 [ +0.003886] CM = 0, WnR = 0 [ +0.003040] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000115dad000 [ +0.006536] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 [ +0.006925] Internal error: Oops: 96000004 [#1] SMP ... [ +0.011113] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ +0.007061] pc : __pi_strlen+0x14/0x150 [ +0.003895] lr : drm_copy_field+0x30/0x1a4 [ +0.004156] sp : ffff8000094b3a50 [ +0.003355] x29: ffff8000094b3a50 x28: ffff8000094b3b70 x27: 0000000000000040 [ +0.007242] x26: ffff443743c2ba00 x25: 0000000000000000 x24: 0000000000000040 [ +0.007243] x23: ffff443743c2ba00 x22: ffff8000094b3b70 x21: 0000000000000000 [ +0.007241] x20: 0000000000000000 x19: ffff8000094b3b90 x18: 0000000000000000 [ +0.007241] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaab14b9af40 [ +0.007241] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ +0.007239] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa524ad67d4d8 [ +0.007242] x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : 6c6e6263606e7141 [ +0.007239] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 [ +0.007241] x2 : 0000000000000000 x1 : ffff8000094b3b90 x0 : 0000000000000000 [ +0.007240] Call trace: [ +0.002475] __pi_strlen+0x14/0x150 [ +0.003537] drm_version+0x84/0xac [ +0.003448] drm_ioctl_kernel+0xa8/0x16c [ +0.003975] drm_ioctl+0x270/0x580 [ +0.003448] __arm64_sys_ioctl+0xb8/0xfc [ +0.003978] invoke_syscall+0x78/0x100 [ +0.003799] el0_svc_common.constprop.0+0x4c/0xf4 [ +0.004767] do_el0_svc+0x38/0x4c [ +0.003357] el0_svc+0x34/0x100 [ +0.003185] el0t_64_sync_handler+0x11c/0x150 [ +0.004418] el0t_64_sync+0x190/0x194 [ +0.003716] Code: 92402c04 b200c3e8 f13fc09f 5400088c (a9400c02) [ +0.006180] ---[ end trace 0000000000000000 ]---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d213914386a0ede76…
	https://git.kernel.org/stable/c/ee9885cd936aad88f…
	https://git.kernel.org/stable/c/8052612b9d08048eb…
	https://git.kernel.org/stable/c/cdde55f97298e5bb9…
	https://git.kernel.org/stable/c/c28a8082b25ce4ec9…
	https://git.kernel.org/stable/c/ca163e389f0ae096a…
	https://git.kernel.org/stable/c/2d6708ea5c2033ff5…
	https://git.kernel.org/stable/c/6cf5e9356b2d85640…
	https://git.kernel.org/stable/c/f6ee30407e8830424…

Impacted products

Vendor

Product

Version

Linux

Affected: 22eae947bf76e236ba972f2f11cfd1b083b736ad , < d213914386a0ede76a4549b41de30192fb92c595 (git)
Affected: 22eae947bf76e236ba972f2f11cfd1b083b736ad , < ee9885cd936aad88f84d0cf90bf9a70e83e42a97 (git)
Affected: 22eae947bf76e236ba972f2f11cfd1b083b736ad , < 8052612b9d08048ebbebcb572894670b4ac07d2f (git)
Affected: 22eae947bf76e236ba972f2f11cfd1b083b736ad , < cdde55f97298e5bb9af6d41c9303a3ec545a370e (git)
Affected: 22eae947bf76e236ba972f2f11cfd1b083b736ad , < c28a8082b25ce4ec94999e10a30c50d20bd44a25 (git)
Affected: 22eae947bf76e236ba972f2f11cfd1b083b736ad , < ca163e389f0ae096a4e1e19f0a95e60ed80b4e31 (git)
Affected: 22eae947bf76e236ba972f2f11cfd1b083b736ad , < 2d6708ea5c2033ff53267feff1876a717689989f (git)
Affected: 22eae947bf76e236ba972f2f11cfd1b083b736ad , < 6cf5e9356b2d856403ee480f987f3ea64dbf8d8c (git)
Affected: 22eae947bf76e236ba972f2f11cfd1b083b736ad , < f6ee30407e883042482ad4ad30da5eaba47872ee (git)

Linux

Affected: 2.6.16
Unaffected: 0 , < 2.6.16 (semver)
Unaffected: 4.9.331 , ≤ 4.9.* (semver)
Unaffected: 4.14.296 , ≤ 4.14.* (semver)
Unaffected: 4.19.262 , ≤ 4.19.* (semver)
Unaffected: 5.4.220 , ≤ 5.4.* (semver)
Unaffected: 5.10.150 , ≤ 5.10.* (semver)
Unaffected: 5.15.75 , ≤ 5.15.* (semver)
Unaffected: 5.19.17 , ≤ 5.19.* (semver)
Unaffected: 6.0.3 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/drm_ioctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d213914386a0ede76a4549b41de30192fb92c595",
              "status": "affected",
              "version": "22eae947bf76e236ba972f2f11cfd1b083b736ad",
              "versionType": "git"
            },
            {
              "lessThan": "ee9885cd936aad88f84d0cf90bf9a70e83e42a97",
              "status": "affected",
              "version": "22eae947bf76e236ba972f2f11cfd1b083b736ad",
              "versionType": "git"
            },
            {
              "lessThan": "8052612b9d08048ebbebcb572894670b4ac07d2f",
              "status": "affected",
              "version": "22eae947bf76e236ba972f2f11cfd1b083b736ad",
              "versionType": "git"
            },
            {
              "lessThan": "cdde55f97298e5bb9af6d41c9303a3ec545a370e",
              "status": "affected",
              "version": "22eae947bf76e236ba972f2f11cfd1b083b736ad",
              "versionType": "git"
            },
            {
              "lessThan": "c28a8082b25ce4ec94999e10a30c50d20bd44a25",
              "status": "affected",
              "version": "22eae947bf76e236ba972f2f11cfd1b083b736ad",
              "versionType": "git"
            },
            {
              "lessThan": "ca163e389f0ae096a4e1e19f0a95e60ed80b4e31",
              "status": "affected",
              "version": "22eae947bf76e236ba972f2f11cfd1b083b736ad",
              "versionType": "git"
            },
            {
              "lessThan": "2d6708ea5c2033ff53267feff1876a717689989f",
              "status": "affected",
              "version": "22eae947bf76e236ba972f2f11cfd1b083b736ad",
              "versionType": "git"
            },
            {
              "lessThan": "6cf5e9356b2d856403ee480f987f3ea64dbf8d8c",
              "status": "affected",
              "version": "22eae947bf76e236ba972f2f11cfd1b083b736ad",
              "versionType": "git"
            },
            {
              "lessThan": "f6ee30407e883042482ad4ad30da5eaba47872ee",
              "status": "affected",
              "version": "22eae947bf76e236ba972f2f11cfd1b083b736ad",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/drm_ioctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.16"
            },
            {
              "lessThan": "2.6.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.331",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.262",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.220",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.331",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.296",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.262",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.220",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.150",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.75",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: Prevent drm_copy_field() to attempt copying a NULL pointer\n\nThere are some struct drm_driver fields that are required by drivers since\ndrm_copy_field() attempts to copy them to user-space via DRM_IOCTL_VERSION.\n\nBut it can be possible that a driver has a bug and did not set some of the\nfields, which leads to drm_copy_field() attempting to copy a NULL pointer:\n\n[ +10.395966] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000\n[  +0.010955] Mem abort info:\n[  +0.002835]   ESR = 0x0000000096000004\n[  +0.003872]   EC = 0x25: DABT (current EL), IL = 32 bits\n[  +0.005395]   SET = 0, FnV = 0\n[  +0.003113]   EA = 0, S1PTW = 0\n[  +0.003182]   FSC = 0x04: level 0 translation fault\n[  +0.004964] Data abort info:\n[  +0.002919]   ISV = 0, ISS = 0x00000004\n[  +0.003886]   CM = 0, WnR = 0\n[  +0.003040] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000115dad000\n[  +0.006536] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n[  +0.006925] Internal error: Oops: 96000004 [#1] SMP\n...\n[  +0.011113] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[  +0.007061] pc : __pi_strlen+0x14/0x150\n[  +0.003895] lr : drm_copy_field+0x30/0x1a4\n[  +0.004156] sp : ffff8000094b3a50\n[  +0.003355] x29: ffff8000094b3a50 x28: ffff8000094b3b70 x27: 0000000000000040\n[  +0.007242] x26: ffff443743c2ba00 x25: 0000000000000000 x24: 0000000000000040\n[  +0.007243] x23: ffff443743c2ba00 x22: ffff8000094b3b70 x21: 0000000000000000\n[  +0.007241] x20: 0000000000000000 x19: ffff8000094b3b90 x18: 0000000000000000\n[  +0.007241] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaab14b9af40\n[  +0.007241] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n[  +0.007239] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa524ad67d4d8\n[  +0.007242] x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : 6c6e6263606e7141\n[  +0.007239] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\n[  +0.007241] x2 : 0000000000000000 x1 : ffff8000094b3b90 x0 : 0000000000000000\n[  +0.007240] Call trace:\n[  +0.002475]  __pi_strlen+0x14/0x150\n[  +0.003537]  drm_version+0x84/0xac\n[  +0.003448]  drm_ioctl_kernel+0xa8/0x16c\n[  +0.003975]  drm_ioctl+0x270/0x580\n[  +0.003448]  __arm64_sys_ioctl+0xb8/0xfc\n[  +0.003978]  invoke_syscall+0x78/0x100\n[  +0.003799]  el0_svc_common.constprop.0+0x4c/0xf4\n[  +0.004767]  do_el0_svc+0x38/0x4c\n[  +0.003357]  el0_svc+0x34/0x100\n[  +0.003185]  el0t_64_sync_handler+0x11c/0x150\n[  +0.004418]  el0t_64_sync+0x190/0x194\n[  +0.003716] Code: 92402c04 b200c3e8 f13fc09f 5400088c (a9400c02)\n[  +0.006180] ---[ end trace 0000000000000000 ]---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:05:18.258Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d213914386a0ede76a4549b41de30192fb92c595"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee9885cd936aad88f84d0cf90bf9a70e83e42a97"
        },
        {
          "url": "https://git.kernel.org/stable/c/8052612b9d08048ebbebcb572894670b4ac07d2f"
        },
        {
          "url": "https://git.kernel.org/stable/c/cdde55f97298e5bb9af6d41c9303a3ec545a370e"
        },
        {
          "url": "https://git.kernel.org/stable/c/c28a8082b25ce4ec94999e10a30c50d20bd44a25"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca163e389f0ae096a4e1e19f0a95e60ed80b4e31"
        },
        {
          "url": "https://git.kernel.org/stable/c/2d6708ea5c2033ff53267feff1876a717689989f"
        },
        {
          "url": "https://git.kernel.org/stable/c/6cf5e9356b2d856403ee480f987f3ea64dbf8d8c"
        },
        {
          "url": "https://git.kernel.org/stable/c/f6ee30407e883042482ad4ad30da5eaba47872ee"
        }
      ],
      "title": "drm: Prevent drm_copy_field() to attempt copying a NULL pointer",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50884",
    "datePublished": "2025-12-30T12:34:11.390Z",
    "dateReserved": "2025-12-30T12:26:05.425Z",
    "dateUpdated": "2026-01-02T15:05:18.258Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68256 (GCVE-0-2025-68256)

Vulnerability from cvelistv5 – Published: 2025-12-16 14:44 – Updated: 2026-01-11 16:29

Title

staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser

Summary

In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser The Information Element (IE) parser rtw_get_ie() trusted the length byte of each IE without validating that the IE body (len bytes after the 2-byte header) fits inside the remaining frame buffer. A malformed frame can advertise an IE length larger than the available data, causing the parser to increment its pointer beyond the buffer end. This results in out-of-bounds reads or, depending on the pattern, an infinite loop. Fix by validating that (offset + 2 + len) does not exceed the limit before accepting the IE or advancing to the next element. This prevents OOB reads and ensures the parser terminates safely on malformed frames.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b977eb31802817f4a…
	https://git.kernel.org/stable/c/30c558447e90935f0…
	https://git.kernel.org/stable/c/a54e2b2db1b7de2e0…
	https://git.kernel.org/stable/c/df191dd9f4c7249d9…
	https://git.kernel.org/stable/c/c0d93d69e1472ba75…
	https://git.kernel.org/stable/c/154828bf9559b9c84…

Impacted products

Vendor

Product

Version

Linux

Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < b977eb31802817f4a37da95bf16bfdaa1eeb5fc2 (git)
Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 30c558447e90935f0de61be181bbcedf75952e00 (git)
Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < a54e2b2db1b7de2e008b4f62eec35aaefcc663c5 (git)
Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < df191dd9f4c7249d98ada55634fa8ac19089b8cb (git)
Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < c0d93d69e1472ba75b78898979b90a98ba2a2501 (git)
Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 154828bf9559b9c8421fc2f0d7f7f76b3683aaed (git)

Linux

Affected: 4.12
Unaffected: 0 , < 4.12 (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.62 , ≤ 6.12.* (semver)
Unaffected: 6.17.12 , ≤ 6.17.* (semver)
Unaffected: 6.18.1 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/staging/rtl8723bs/core/rtw_ieee80211.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b977eb31802817f4a37da95bf16bfdaa1eeb5fc2",
              "status": "affected",
              "version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
              "versionType": "git"
            },
            {
              "lessThan": "30c558447e90935f0de61be181bbcedf75952e00",
              "status": "affected",
              "version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
              "versionType": "git"
            },
            {
              "lessThan": "a54e2b2db1b7de2e008b4f62eec35aaefcc663c5",
              "status": "affected",
              "version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
              "versionType": "git"
            },
            {
              "lessThan": "df191dd9f4c7249d98ada55634fa8ac19089b8cb",
              "status": "affected",
              "version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
              "versionType": "git"
            },
            {
              "lessThan": "c0d93d69e1472ba75b78898979b90a98ba2a2501",
              "status": "affected",
              "version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
              "versionType": "git"
            },
            {
              "lessThan": "154828bf9559b9c8421fc2f0d7f7f76b3683aaed",
              "status": "affected",
              "version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/staging/rtl8723bs/core/rtw_ieee80211.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.12"
            },
            {
              "lessThan": "4.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.62",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.62",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.12",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.1",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser\n\nThe Information Element (IE) parser rtw_get_ie() trusted the length\nbyte of each IE without validating that the IE body (len bytes after\nthe 2-byte header) fits inside the remaining frame buffer. A malformed\nframe can advertise an IE length larger than the available data, causing\nthe parser to increment its pointer beyond the buffer end. This results\nin out-of-bounds reads or, depending on the pattern, an infinite loop.\n\nFix by validating that (offset + 2 + len) does not exceed the limit\nbefore accepting the IE or advancing to the next element.\n\nThis prevents OOB reads and ensures the parser terminates safely on\nmalformed frames."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-11T16:29:30.947Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b977eb31802817f4a37da95bf16bfdaa1eeb5fc2"
        },
        {
          "url": "https://git.kernel.org/stable/c/30c558447e90935f0de61be181bbcedf75952e00"
        },
        {
          "url": "https://git.kernel.org/stable/c/a54e2b2db1b7de2e008b4f62eec35aaefcc663c5"
        },
        {
          "url": "https://git.kernel.org/stable/c/df191dd9f4c7249d98ada55634fa8ac19089b8cb"
        },
        {
          "url": "https://git.kernel.org/stable/c/c0d93d69e1472ba75b78898979b90a98ba2a2501"
        },
        {
          "url": "https://git.kernel.org/stable/c/154828bf9559b9c8421fc2f0d7f7f76b3683aaed"
        }
      ],
      "title": "staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68256",
    "datePublished": "2025-12-16T14:44:58.829Z",
    "dateReserved": "2025-12-16T13:41:40.267Z",
    "dateUpdated": "2026-01-11T16:29:30.947Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40215 (GCVE-0-2025-40215)

Vulnerability from cvelistv5 – Published: 2025-12-04 12:38 – Updated: 2026-01-19 12:18

Title

xfrm: delete x->tunnel as we delete x

Summary

In the Linux kernel, the following vulnerability has been resolved: xfrm: delete x->tunnel as we delete x The ipcomp fallback tunnels currently get deleted (from the various lists and hashtables) as the last user state that needed that fallback is destroyed (not deleted). If a reference to that user state still exists, the fallback state will remain on the hashtables/lists, triggering the WARN in xfrm_state_fini. Because of those remaining references, the fix in commit f75a2804da39 ("xfrm: destroy xfrm_state synchronously on net exit path") is not complete. We recently fixed one such situation in TCP due to defered freeing of skbs (commit 9b6412e6979f ("tcp: drop secpath at the same time as we currently drop dst")). This can also happen due to IP reassembly: skbs with a secpath remain on the reassembly queue until netns destruction. If we can't guarantee that the queues are flushed by the time xfrm_state_fini runs, there may still be references to a (user) xfrm_state, preventing the timely deletion of the corresponding fallback state. Instead of chasing each instance of skbs holding a secpath one by one, this patch fixes the issue directly within xfrm, by deleting the fallback state as soon as the last user state depending on it has been deleted. Destruction will still happen when the final reference is dropped. A separate lockdep class for the fallback state is required since we're going to lock x->tunnel while x is locked.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/1b28a7fae0128fa14…
	https://git.kernel.org/stable/c/4b2c17d0f9be8b58b…
	https://git.kernel.org/stable/c/0da961fa46da1b37e…
	https://git.kernel.org/stable/c/d0e0d109711846146…
	https://git.kernel.org/stable/c/dc3636912d4177046…
	https://git.kernel.org/stable/c/b441cf3f8c4b85766…

Impacted products

Vendor

Product

Version

Linux

Affected: 9d4139c76905833afcb77fe8ccc17f302a0eb9ab , < 1b28a7fae0128fa140a7dccd995182ff6cd1c67b (git)
Affected: 9d4139c76905833afcb77fe8ccc17f302a0eb9ab , < 4b2c17d0f9be8b58bb30468bc81a4b61c985b04e (git)
Affected: 9d4139c76905833afcb77fe8ccc17f302a0eb9ab , < 0da961fa46da1b37ef868d9b603bd202136f8f8e (git)
Affected: 9d4139c76905833afcb77fe8ccc17f302a0eb9ab , < d0e0d1097118461463b76562c7ebaabaa5b90b13 (git)
Affected: 9d4139c76905833afcb77fe8ccc17f302a0eb9ab , < dc3636912d41770466543623cb76e7b88fdb42c7 (git)
Affected: 9d4139c76905833afcb77fe8ccc17f302a0eb9ab , < b441cf3f8c4b8576639d20c8eb4aa32917602ecd (git)

Linux

Affected: 2.6.29
Unaffected: 0 , < 2.6.29 (semver)
Unaffected: 5.10.248 , ≤ 5.10.* (semver)
Unaffected: 5.15.198 , ≤ 5.15.* (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.62 , ≤ 6.12.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/xfrm.h",
            "net/ipv4/ipcomp.c",
            "net/ipv6/ipcomp6.c",
            "net/ipv6/xfrm6_tunnel.c",
            "net/xfrm/xfrm_ipcomp.c",
            "net/xfrm/xfrm_state.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1b28a7fae0128fa140a7dccd995182ff6cd1c67b",
              "status": "affected",
              "version": "9d4139c76905833afcb77fe8ccc17f302a0eb9ab",
              "versionType": "git"
            },
            {
              "lessThan": "4b2c17d0f9be8b58bb30468bc81a4b61c985b04e",
              "status": "affected",
              "version": "9d4139c76905833afcb77fe8ccc17f302a0eb9ab",
              "versionType": "git"
            },
            {
              "lessThan": "0da961fa46da1b37ef868d9b603bd202136f8f8e",
              "status": "affected",
              "version": "9d4139c76905833afcb77fe8ccc17f302a0eb9ab",
              "versionType": "git"
            },
            {
              "lessThan": "d0e0d1097118461463b76562c7ebaabaa5b90b13",
              "status": "affected",
              "version": "9d4139c76905833afcb77fe8ccc17f302a0eb9ab",
              "versionType": "git"
            },
            {
              "lessThan": "dc3636912d41770466543623cb76e7b88fdb42c7",
              "status": "affected",
              "version": "9d4139c76905833afcb77fe8ccc17f302a0eb9ab",
              "versionType": "git"
            },
            {
              "lessThan": "b441cf3f8c4b8576639d20c8eb4aa32917602ecd",
              "status": "affected",
              "version": "9d4139c76905833afcb77fe8ccc17f302a0eb9ab",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/xfrm.h",
            "net/ipv4/ipcomp.c",
            "net/ipv6/ipcomp6.c",
            "net/ipv6/xfrm6_tunnel.c",
            "net/xfrm/xfrm_ipcomp.c",
            "net/xfrm/xfrm_state.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.29"
            },
            {
              "lessThan": "2.6.29",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.248",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.62",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.248",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.198",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.62",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: delete x-\u003etunnel as we delete x\n\nThe ipcomp fallback tunnels currently get deleted (from the various\nlists and hashtables) as the last user state that needed that fallback\nis destroyed (not deleted). If a reference to that user state still\nexists, the fallback state will remain on the hashtables/lists,\ntriggering the WARN in xfrm_state_fini. Because of those remaining\nreferences, the fix in commit f75a2804da39 (\"xfrm: destroy xfrm_state\nsynchronously on net exit path\") is not complete.\n\nWe recently fixed one such situation in TCP due to defered freeing of\nskbs (commit 9b6412e6979f (\"tcp: drop secpath at the same time as we\ncurrently drop dst\")). This can also happen due to IP reassembly: skbs\nwith a secpath remain on the reassembly queue until netns\ndestruction. If we can\u0027t guarantee that the queues are flushed by the\ntime xfrm_state_fini runs, there may still be references to a (user)\nxfrm_state, preventing the timely deletion of the corresponding\nfallback state.\n\nInstead of chasing each instance of skbs holding a secpath one by one,\nthis patch fixes the issue directly within xfrm, by deleting the\nfallback state as soon as the last user state depending on it has been\ndeleted. Destruction will still happen when the final reference is\ndropped.\n\nA separate lockdep class for the fallback state is required since\nwe\u0027re going to lock x-\u003etunnel while x is locked."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-19T12:18:05.674Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1b28a7fae0128fa140a7dccd995182ff6cd1c67b"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b2c17d0f9be8b58bb30468bc81a4b61c985b04e"
        },
        {
          "url": "https://git.kernel.org/stable/c/0da961fa46da1b37ef868d9b603bd202136f8f8e"
        },
        {
          "url": "https://git.kernel.org/stable/c/d0e0d1097118461463b76562c7ebaabaa5b90b13"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc3636912d41770466543623cb76e7b88fdb42c7"
        },
        {
          "url": "https://git.kernel.org/stable/c/b441cf3f8c4b8576639d20c8eb4aa32917602ecd"
        }
      ],
      "title": "xfrm: delete x-\u003etunnel as we delete x",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40215",
    "datePublished": "2025-12-04T12:38:32.517Z",
    "dateReserved": "2025-04-16T07:20:57.179Z",
    "dateUpdated": "2026-01-19T12:18:05.674Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40231 (GCVE-0-2025-40231)

Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2025-12-04 15:31

Title

vsock: fix lock inversion in vsock_assign_transport()

Summary

In the Linux kernel, the following vulnerability has been resolved: vsock: fix lock inversion in vsock_assign_transport() Syzbot reported a potential lock inversion deadlock between vsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called. The issue was introduced by commit 687aa0c5581b ("vsock: Fix transport_* TOCTOU") which added vsock_register_mutex locking in vsock_assign_transport() around the transport->release() call, that can call vsock_linger(). vsock_assign_transport() can be called with sk_lock held. vsock_linger() calls sk_wait_event() that temporarily releases and re-acquires sk_lock. During this window, if another thread hold vsock_register_mutex while trying to acquire sk_lock, a circular dependency is created. Fix this by releasing vsock_register_mutex before calling transport->release() and vsock_deassign_transport(). This is safe because we don't need to hold vsock_register_mutex while releasing the old transport, and we ensure the new transport won't disappear by obtaining a module reference first via try_module_get().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ce4f856c64f0bc30e…
	https://git.kernel.org/stable/c/09bba278ccde25a14…
	https://git.kernel.org/stable/c/b44182c116778feaa…
	https://git.kernel.org/stable/c/42ed0784d11adebf7…
	https://git.kernel.org/stable/c/251caee792a21eb0b…
	https://git.kernel.org/stable/c/a2a4346eea8b4cb75…
	https://git.kernel.org/stable/c/f7c877e7535260cc7…

Impacted products

Vendor

Product

Version

Linux

Affected: 8667e8d0eb46bc54fdae30ba2f4786407d3d88eb , < ce4f856c64f0bc30e29302a0ce41f4295ca391c5 (git)
Affected: 36a439049b34cca0b3661276049b84a1f76cc21a , < 09bba278ccde25a14b6e5088a9e65a8717d0cccf (git)
Affected: 9ce53e744f18e73059d3124070e960f3aa9902bf , < b44182c116778feaa05da52a426aeb9da1878dcf (git)
Affected: 9d24bb6780282b0255b9929abe5e8f98007e2c6e , < 42ed0784d11adebf748711e503af0eb9f1e6d81d (git)
Affected: ae2c712ba39c7007de63cb0c75b51ce1caaf1da5 , < 251caee792a21eb0b781aab91362b422c945e162 (git)
Affected: 687aa0c5581b8d4aa87fd92973e4ee576b550cdf , < a2a4346eea8b4cb75037dbcb20b98cb454324f80 (git)
Affected: 687aa0c5581b8d4aa87fd92973e4ee576b550cdf , < f7c877e7535260cc7a21484c994e8ce7e8cb6780 (git)
Affected: 7b73bddf54777fb62d4d8c7729d0affe6df04477 (git)

Linux

Affected: 6.16
Unaffected: 0 , < 6.16 (semver)
Unaffected: 5.10.246 , ≤ 5.10.* (semver)
Unaffected: 5.15.196 , ≤ 5.15.* (semver)
Unaffected: 6.1.158 , ≤ 6.1.* (semver)
Unaffected: 6.6.115 , ≤ 6.6.* (semver)
Unaffected: 6.12.56 , ≤ 6.12.* (semver)
Unaffected: 6.17.6 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/vmw_vsock/af_vsock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ce4f856c64f0bc30e29302a0ce41f4295ca391c5",
              "status": "affected",
              "version": "8667e8d0eb46bc54fdae30ba2f4786407d3d88eb",
              "versionType": "git"
            },
            {
              "lessThan": "09bba278ccde25a14b6e5088a9e65a8717d0cccf",
              "status": "affected",
              "version": "36a439049b34cca0b3661276049b84a1f76cc21a",
              "versionType": "git"
            },
            {
              "lessThan": "b44182c116778feaa05da52a426aeb9da1878dcf",
              "status": "affected",
              "version": "9ce53e744f18e73059d3124070e960f3aa9902bf",
              "versionType": "git"
            },
            {
              "lessThan": "42ed0784d11adebf748711e503af0eb9f1e6d81d",
              "status": "affected",
              "version": "9d24bb6780282b0255b9929abe5e8f98007e2c6e",
              "versionType": "git"
            },
            {
              "lessThan": "251caee792a21eb0b781aab91362b422c945e162",
              "status": "affected",
              "version": "ae2c712ba39c7007de63cb0c75b51ce1caaf1da5",
              "versionType": "git"
            },
            {
              "lessThan": "a2a4346eea8b4cb75037dbcb20b98cb454324f80",
              "status": "affected",
              "version": "687aa0c5581b8d4aa87fd92973e4ee576b550cdf",
              "versionType": "git"
            },
            {
              "lessThan": "f7c877e7535260cc7a21484c994e8ce7e8cb6780",
              "status": "affected",
              "version": "687aa0c5581b8d4aa87fd92973e4ee576b550cdf",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "7b73bddf54777fb62d4d8c7729d0affe6df04477",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/vmw_vsock/af_vsock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.16"
            },
            {
              "lessThan": "6.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.246",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.196",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.158",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.115",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.56",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.246",
                  "versionStartIncluding": "5.10.240",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.196",
                  "versionStartIncluding": "5.15.189",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.158",
                  "versionStartIncluding": "6.1.146",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.115",
                  "versionStartIncluding": "6.6.99",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.56",
                  "versionStartIncluding": "6.12.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.6",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.15.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: fix lock inversion in vsock_assign_transport()\n\nSyzbot reported a potential lock inversion deadlock between\nvsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called.\n\nThe issue was introduced by commit 687aa0c5581b (\"vsock: Fix\ntransport_* TOCTOU\") which added vsock_register_mutex locking in\nvsock_assign_transport() around the transport-\u003erelease() call, that can\ncall vsock_linger(). vsock_assign_transport() can be called with sk_lock\nheld. vsock_linger() calls sk_wait_event() that temporarily releases and\nre-acquires sk_lock. During this window, if another thread hold\nvsock_register_mutex while trying to acquire sk_lock, a circular\ndependency is created.\n\nFix this by releasing vsock_register_mutex before calling\ntransport-\u003erelease() and vsock_deassign_transport(). This is safe\nbecause we don\u0027t need to hold vsock_register_mutex while releasing the\nold transport, and we ensure the new transport won\u0027t disappear by\nobtaining a module reference first via try_module_get()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-04T15:31:22.199Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ce4f856c64f0bc30e29302a0ce41f4295ca391c5"
        },
        {
          "url": "https://git.kernel.org/stable/c/09bba278ccde25a14b6e5088a9e65a8717d0cccf"
        },
        {
          "url": "https://git.kernel.org/stable/c/b44182c116778feaa05da52a426aeb9da1878dcf"
        },
        {
          "url": "https://git.kernel.org/stable/c/42ed0784d11adebf748711e503af0eb9f1e6d81d"
        },
        {
          "url": "https://git.kernel.org/stable/c/251caee792a21eb0b781aab91362b422c945e162"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2a4346eea8b4cb75037dbcb20b98cb454324f80"
        },
        {
          "url": "https://git.kernel.org/stable/c/f7c877e7535260cc7a21484c994e8ce7e8cb6780"
        }
      ],
      "title": "vsock: fix lock inversion in vsock_assign_transport()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40231",
    "datePublished": "2025-12-04T15:31:22.199Z",
    "dateReserved": "2025-04-16T07:20:57.180Z",
    "dateUpdated": "2025-12-04T15:31:22.199Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50840 (GCVE-0-2022-50840)

Vulnerability from cvelistv5 – Published: 2025-12-30 12:10 – Updated: 2025-12-30 12:10

Title

scsi: snic: Fix possible UAF in snic_tgt_create()

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: snic: Fix possible UAF in snic_tgt_create() Smatch reports a warning as follows: drivers/scsi/snic/snic_disc.c:307 snic_tgt_create() warn: '&tgt->list' not removed from list If device_add() fails in snic_tgt_create(), tgt will be freed, but tgt->list will not be removed from snic->disc.tgt_list, then list traversal may cause UAF. Remove from snic->disc.tgt_list before free().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f9d8b8ba0f1a16cde…
	https://git.kernel.org/stable/c/3772319e40527e6a5…
	https://git.kernel.org/stable/c/3007f96ca20c848d0…
	https://git.kernel.org/stable/c/6866154c23fba4088…
	https://git.kernel.org/stable/c/ad27f74e901fc4872…
	https://git.kernel.org/stable/c/1895e908b3ae66a53…
	https://git.kernel.org/stable/c/c7f0f8dab1ae5def5…
	https://git.kernel.org/stable/c/4141cd9e8b3379aea…
	https://git.kernel.org/stable/c/e118df492320176af…

Impacted products

Vendor

Product

Version

Linux

Affected: c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa , < f9d8b8ba0f1a16cde0b1fc9e80466df76b6db8ff (git)
Affected: c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa , < 3772319e40527e6a5f2ec1d729e01f271d818f5c (git)
Affected: c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa , < 3007f96ca20c848d0b1b052df6d2cb5ae5586e78 (git)
Affected: c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa , < 6866154c23fba40888ad6d554cccd4bf2edb755e (git)
Affected: c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa , < ad27f74e901fc48729733c88818e6b96c813057d (git)
Affected: c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa , < 1895e908b3ae66a5312fd1b2cdda2da82993dca7 (git)
Affected: c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa , < c7f0f8dab1ae5def57c1a8a9cafd6fabe1dc27cc (git)
Affected: c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa , < 4141cd9e8b3379aea52a85d2c35f6eaf26d14e86 (git)
Affected: c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa , < e118df492320176af94deec000ae034cc92be754 (git)

Linux

Affected: 4.2
Unaffected: 0 , < 4.2 (semver)
Unaffected: 4.9.337 , ≤ 4.9.* (semver)
Unaffected: 4.14.303 , ≤ 4.14.* (semver)
Unaffected: 4.19.270 , ≤ 4.19.* (semver)
Unaffected: 5.4.229 , ≤ 5.4.* (semver)
Unaffected: 5.10.163 , ≤ 5.10.* (semver)
Unaffected: 5.15.86 , ≤ 5.15.* (semver)
Unaffected: 6.0.16 , ≤ 6.0.* (semver)
Unaffected: 6.1.2 , ≤ 6.1.* (semver)
Unaffected: 6.2 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/snic/snic_disc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f9d8b8ba0f1a16cde0b1fc9e80466df76b6db8ff",
              "status": "affected",
              "version": "c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa",
              "versionType": "git"
            },
            {
              "lessThan": "3772319e40527e6a5f2ec1d729e01f271d818f5c",
              "status": "affected",
              "version": "c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa",
              "versionType": "git"
            },
            {
              "lessThan": "3007f96ca20c848d0b1b052df6d2cb5ae5586e78",
              "status": "affected",
              "version": "c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa",
              "versionType": "git"
            },
            {
              "lessThan": "6866154c23fba40888ad6d554cccd4bf2edb755e",
              "status": "affected",
              "version": "c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa",
              "versionType": "git"
            },
            {
              "lessThan": "ad27f74e901fc48729733c88818e6b96c813057d",
              "status": "affected",
              "version": "c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa",
              "versionType": "git"
            },
            {
              "lessThan": "1895e908b3ae66a5312fd1b2cdda2da82993dca7",
              "status": "affected",
              "version": "c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa",
              "versionType": "git"
            },
            {
              "lessThan": "c7f0f8dab1ae5def57c1a8a9cafd6fabe1dc27cc",
              "status": "affected",
              "version": "c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa",
              "versionType": "git"
            },
            {
              "lessThan": "4141cd9e8b3379aea52a85d2c35f6eaf26d14e86",
              "status": "affected",
              "version": "c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa",
              "versionType": "git"
            },
            {
              "lessThan": "e118df492320176af94deec000ae034cc92be754",
              "status": "affected",
              "version": "c8806b6c9e824f47726f2a9b7fbbe7ebf19306fa",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/snic/snic_disc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.2"
            },
            {
              "lessThan": "4.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.337",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.303",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.270",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.229",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.163",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.337",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.303",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.270",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.229",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.163",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.86",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.16",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.2",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: snic: Fix possible UAF in snic_tgt_create()\n\nSmatch reports a warning as follows:\n\ndrivers/scsi/snic/snic_disc.c:307 snic_tgt_create() warn:\n  \u0027\u0026tgt-\u003elist\u0027 not removed from list\n\nIf device_add() fails in snic_tgt_create(), tgt will be freed, but\ntgt-\u003elist will not be removed from snic-\u003edisc.tgt_list, then list traversal\nmay cause UAF.\n\nRemove from snic-\u003edisc.tgt_list before free()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T12:10:59.066Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f9d8b8ba0f1a16cde0b1fc9e80466df76b6db8ff"
        },
        {
          "url": "https://git.kernel.org/stable/c/3772319e40527e6a5f2ec1d729e01f271d818f5c"
        },
        {
          "url": "https://git.kernel.org/stable/c/3007f96ca20c848d0b1b052df6d2cb5ae5586e78"
        },
        {
          "url": "https://git.kernel.org/stable/c/6866154c23fba40888ad6d554cccd4bf2edb755e"
        },
        {
          "url": "https://git.kernel.org/stable/c/ad27f74e901fc48729733c88818e6b96c813057d"
        },
        {
          "url": "https://git.kernel.org/stable/c/1895e908b3ae66a5312fd1b2cdda2da82993dca7"
        },
        {
          "url": "https://git.kernel.org/stable/c/c7f0f8dab1ae5def57c1a8a9cafd6fabe1dc27cc"
        },
        {
          "url": "https://git.kernel.org/stable/c/4141cd9e8b3379aea52a85d2c35f6eaf26d14e86"
        },
        {
          "url": "https://git.kernel.org/stable/c/e118df492320176af94deec000ae034cc92be754"
        }
      ],
      "title": "scsi: snic: Fix possible UAF in snic_tgt_create()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50840",
    "datePublished": "2025-12-30T12:10:59.066Z",
    "dateReserved": "2025-12-30T12:06:07.133Z",
    "dateUpdated": "2025-12-30T12:10:59.066Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40339 (GCVE-0-2025-40339)

Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2025-12-20 08:52

Title

drm/amdgpu: fix nullptr err of vm_handle_moved

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix nullptr err of vm_handle_moved If a amdgpu_bo_va is fpriv->prt_va, the bo of this one is always NULL. So, such kind of amdgpu_bo_va should be updated separately before amdgpu_vm_handle_moved.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/47281febebe337586…
	https://git.kernel.org/stable/c/273d1ea12e42e9bab…
	https://git.kernel.org/stable/c/859958a7faefe5b77…

Impacted products

Vendor

Product

Version

Linux

Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 47281febebe337586569aa4c5694a7511063a42e (git)
Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 273d1ea12e42e9babb9783837906f3c466f213d3 (git)
Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 859958a7faefe5b7742b7b8cdbc170713d4bf158 (git)

Linux

Affected: 4.2
Unaffected: 0 , < 4.2 (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "47281febebe337586569aa4c5694a7511063a42e",
              "status": "affected",
              "version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
              "versionType": "git"
            },
            {
              "lessThan": "273d1ea12e42e9babb9783837906f3c466f213d3",
              "status": "affected",
              "version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
              "versionType": "git"
            },
            {
              "lessThan": "859958a7faefe5b7742b7b8cdbc170713d4bf158",
              "status": "affected",
              "version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.2"
            },
            {
              "lessThan": "4.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix nullptr err of vm_handle_moved\n\nIf a amdgpu_bo_va is fpriv-\u003eprt_va, the bo of this one is always NULL.\nSo, such kind of amdgpu_bo_va should be updated separately before\namdgpu_vm_handle_moved."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-20T08:52:10.207Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/47281febebe337586569aa4c5694a7511063a42e"
        },
        {
          "url": "https://git.kernel.org/stable/c/273d1ea12e42e9babb9783837906f3c466f213d3"
        },
        {
          "url": "https://git.kernel.org/stable/c/859958a7faefe5b7742b7b8cdbc170713d4bf158"
        }
      ],
      "title": "drm/amdgpu: fix nullptr err of vm_handle_moved",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40339",
    "datePublished": "2025-12-09T04:09:55.697Z",
    "dateReserved": "2025-04-16T07:20:57.187Z",
    "dateUpdated": "2025-12-20T08:52:10.207Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68301 (GCVE-0-2025-68301)

Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06

Title

net: atlantic: fix fragment overflow handling in RX path

Summary

In the Linux kernel, the following vulnerability has been resolved: net: atlantic: fix fragment overflow handling in RX path The atlantic driver can receive packets with more than MAX_SKB_FRAGS (17) fragments when handling large multi-descriptor packets. This causes an out-of-bounds write in skb_add_rx_frag_netmem() leading to kernel panic. The issue occurs because the driver doesn't check the total number of fragments before calling skb_add_rx_frag(). When a packet requires more than MAX_SKB_FRAGS fragments, the fragment index exceeds the array bounds. Fix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE, then all fragments are accounted for. And reusing the existing check to prevent the overflow earlier in the code path. This crash occurred in production with an Aquantia AQC113 10G NIC. Stack trace from production environment: ``` RIP: 0010:skb_add_rx_frag_netmem+0x29/0xd0 Code: 90 f3 0f 1e fa 0f 1f 44 00 00 48 89 f8 41 89 ca 48 89 d7 48 63 ce 8b 90 c0 00 00 00 48 c1 e1 04 48 01 ca 48 03 90 c8 00 00 00 <48> 89 7a 30 44 89 52 3c 44 89 42 38 40 f6 c7 01 75 74 48 89 fa 83 RSP: 0018:ffffa9bec02a8d50 EFLAGS: 00010287 RAX: ffff925b22e80a00 RBX: ffff925ad38d2700 RCX: fffffffe0a0c8000 RDX: ffff9258ea95bac0 RSI: ffff925ae0a0c800 RDI: 0000000000037a40 RBP: 0000000000000024 R08: 0000000000000000 R09: 0000000000000021 R10: 0000000000000848 R11: 0000000000000000 R12: ffffa9bec02a8e24 R13: ffff925ad8615570 R14: 0000000000000000 R15: ffff925b22e80a00 FS: 0000000000000000(0000) GS:ffff925e47880000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff9258ea95baf0 CR3: 0000000166022004 CR4: 0000000000f72ef0 PKRU: 55555554 Call Trace: <IRQ> aq_ring_rx_clean+0x175/0xe60 [atlantic] ? aq_ring_rx_clean+0x14d/0xe60 [atlantic] ? aq_ring_tx_clean+0xdf/0x190 [atlantic] ? kmem_cache_free+0x348/0x450 ? aq_vec_poll+0x81/0x1d0 [atlantic] ? __napi_poll+0x28/0x1c0 ? net_rx_action+0x337/0x420 ``` Changes in v4: - Add Fixes: tag to satisfy patch validation requirements. Changes in v3: - Fix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE, then all fragments are accounted for.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/34147477eeab24077…
	https://git.kernel.org/stable/c/b0c4d5135b04ea100…
	https://git.kernel.org/stable/c/5d6051ea1b0417ae2…
	https://git.kernel.org/stable/c/3be37c3c96b164623…
	https://git.kernel.org/stable/c/3fd2105e1b7e041cc…
	https://git.kernel.org/stable/c/64e47cd1fd631a21b…
	https://git.kernel.org/stable/c/5ffcb7b890f615412…

Impacted products

Vendor

Product

Version

Linux

Affected: cd66ab20a8f84474564a68fffffd37d998f6c340 , < 34147477eeab24077fcfe9649e282849347d760c (git)
Affected: 948ddbdc56636773401f2cb9c7a932eb9c43ccfd , < b0c4d5135b04ea100988e2458c98f2d8564cda16 (git)
Affected: 6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f , < 5d6051ea1b0417ae2f06a8440d22e48fbc8f8997 (git)
Affected: 6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f , < 3be37c3c96b16462394fcb8e15e757c691377038 (git)
Affected: 6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f , < 3fd2105e1b7e041cc24be151c9a31a14d5fc50ab (git)
Affected: 6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f , < 64e47cd1fd631a21bf5a630cebefec6c8fc381cd (git)
Affected: 6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f , < 5ffcb7b890f61541201461580bb6622ace405aec (git)
Affected: dd4fb02847e737cc38ca75e708b1a836fba45faf (git)

Linux

Affected: 5.18
Unaffected: 0 , < 5.18 (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.119 , ≤ 6.6.* (semver)
Unaffected: 6.12.61 , ≤ 6.12.* (semver)
Unaffected: 6.17.11 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/aquantia/atlantic/aq_ring.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "34147477eeab24077fcfe9649e282849347d760c",
              "status": "affected",
              "version": "cd66ab20a8f84474564a68fffffd37d998f6c340",
              "versionType": "git"
            },
            {
              "lessThan": "b0c4d5135b04ea100988e2458c98f2d8564cda16",
              "status": "affected",
              "version": "948ddbdc56636773401f2cb9c7a932eb9c43ccfd",
              "versionType": "git"
            },
            {
              "lessThan": "5d6051ea1b0417ae2f06a8440d22e48fbc8f8997",
              "status": "affected",
              "version": "6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f",
              "versionType": "git"
            },
            {
              "lessThan": "3be37c3c96b16462394fcb8e15e757c691377038",
              "status": "affected",
              "version": "6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f",
              "versionType": "git"
            },
            {
              "lessThan": "3fd2105e1b7e041cc24be151c9a31a14d5fc50ab",
              "status": "affected",
              "version": "6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f",
              "versionType": "git"
            },
            {
              "lessThan": "64e47cd1fd631a21bf5a630cebefec6c8fc381cd",
              "status": "affected",
              "version": "6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f",
              "versionType": "git"
            },
            {
              "lessThan": "5ffcb7b890f61541201461580bb6622ace405aec",
              "status": "affected",
              "version": "6aecbba12b5c90b26dc062af3b9de8c4b3a2f19f",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "dd4fb02847e737cc38ca75e708b1a836fba45faf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/aquantia/atlantic/aq_ring.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.119",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "5.10.118",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "5.15.42",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.119",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.61",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.11",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.17.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atlantic: fix fragment overflow handling in RX path\n\nThe atlantic driver can receive packets with more than MAX_SKB_FRAGS (17)\nfragments when handling large multi-descriptor packets. This causes an\nout-of-bounds write in skb_add_rx_frag_netmem() leading to kernel panic.\n\nThe issue occurs because the driver doesn\u0027t check the total number of\nfragments before calling skb_add_rx_frag(). When a packet requires more\nthan MAX_SKB_FRAGS fragments, the fragment index exceeds the array bounds.\n\nFix by assuming there will be an extra frag if buff-\u003elen \u003e AQ_CFG_RX_HDR_SIZE,\nthen all fragments are accounted for. And reusing the existing check to\nprevent the overflow earlier in the code path.\n\nThis crash occurred in production with an Aquantia AQC113 10G NIC.\n\nStack trace from production environment:\n```\nRIP: 0010:skb_add_rx_frag_netmem+0x29/0xd0\nCode: 90 f3 0f 1e fa 0f 1f 44 00 00 48 89 f8 41 89\nca 48 89 d7 48 63 ce 8b 90 c0 00 00 00 48 c1 e1 04 48 01 ca 48 03 90\nc8 00 00 00 \u003c48\u003e 89 7a 30 44 89 52 3c 44 89 42 38 40 f6 c7 01 75 74 48\n89 fa 83\nRSP: 0018:ffffa9bec02a8d50 EFLAGS: 00010287\nRAX: ffff925b22e80a00 RBX: ffff925ad38d2700 RCX:\nfffffffe0a0c8000\nRDX: ffff9258ea95bac0 RSI: ffff925ae0a0c800 RDI:\n0000000000037a40\nRBP: 0000000000000024 R08: 0000000000000000 R09:\n0000000000000021\nR10: 0000000000000848 R11: 0000000000000000 R12:\nffffa9bec02a8e24\nR13: ffff925ad8615570 R14: 0000000000000000 R15:\nffff925b22e80a00\nFS: 0000000000000000(0000)\nGS:ffff925e47880000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffff9258ea95baf0 CR3: 0000000166022004 CR4:\n0000000000f72ef0\nPKRU: 55555554\nCall Trace:\n\u003cIRQ\u003e\naq_ring_rx_clean+0x175/0xe60 [atlantic]\n? aq_ring_rx_clean+0x14d/0xe60 [atlantic]\n? aq_ring_tx_clean+0xdf/0x190 [atlantic]\n? kmem_cache_free+0x348/0x450\n? aq_vec_poll+0x81/0x1d0 [atlantic]\n? __napi_poll+0x28/0x1c0\n? net_rx_action+0x337/0x420\n```\n\nChanges in v4:\n- Add Fixes: tag to satisfy patch validation requirements.\n\nChanges in v3:\n- Fix by assuming there will be an extra frag if buff-\u003elen \u003e AQ_CFG_RX_HDR_SIZE,\n  then all fragments are accounted for."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T15:06:19.688Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/34147477eeab24077fcfe9649e282849347d760c"
        },
        {
          "url": "https://git.kernel.org/stable/c/b0c4d5135b04ea100988e2458c98f2d8564cda16"
        },
        {
          "url": "https://git.kernel.org/stable/c/5d6051ea1b0417ae2f06a8440d22e48fbc8f8997"
        },
        {
          "url": "https://git.kernel.org/stable/c/3be37c3c96b16462394fcb8e15e757c691377038"
        },
        {
          "url": "https://git.kernel.org/stable/c/3fd2105e1b7e041cc24be151c9a31a14d5fc50ab"
        },
        {
          "url": "https://git.kernel.org/stable/c/64e47cd1fd631a21bf5a630cebefec6c8fc381cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/5ffcb7b890f61541201461580bb6622ace405aec"
        }
      ],
      "title": "net: atlantic: fix fragment overflow handling in RX path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68301",
    "datePublished": "2025-12-16T15:06:19.688Z",
    "dateReserved": "2025-12-16T14:48:05.293Z",
    "dateUpdated": "2025-12-16T15:06:19.688Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40266 (GCVE-0-2025-40266)

Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-20 08:51

Title

KVM: arm64: Check the untrusted offset in FF-A memory share

Summary

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Check the untrusted offset in FF-A memory share Verify the offset to prevent OOB access in the hypervisor FF-A buffer in case an untrusted large enough value [U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX] is set from the host kernel.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/fc3139d9f4c1fe1c7…
	https://git.kernel.org/stable/c/bc1909ef38788f2ee…
	https://git.kernel.org/stable/c/f9f1aed6c8a342790…
	https://git.kernel.org/stable/c/103e17aac09cdd358…

Impacted products

Vendor

Product

Version

Linux

Affected: 6211753fdfd05af9e08f54c8d0ba3ee516034878 , < fc3139d9f4c1fe1c7d5f25f99676bd8e9c6a1041 (git)
Affected: 6211753fdfd05af9e08f54c8d0ba3ee516034878 , < bc1909ef38788f2ee3d8011d70bf029948433051 (git)
Affected: 6211753fdfd05af9e08f54c8d0ba3ee516034878 , < f9f1aed6c8a3427900da3121e1868124854569c3 (git)
Affected: 6211753fdfd05af9e08f54c8d0ba3ee516034878 , < 103e17aac09cdd358133f9e00998b75d6c1f1518 (git)

Linux

Affected: 3.11
Unaffected: 0 , < 3.11 (semver)
Unaffected: 6.6.118 , ≤ 6.6.* (semver)
Unaffected: 6.12.60 , ≤ 6.12.* (semver)
Unaffected: 6.17.10 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/kvm/hyp/nvhe/ffa.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fc3139d9f4c1fe1c7d5f25f99676bd8e9c6a1041",
              "status": "affected",
              "version": "6211753fdfd05af9e08f54c8d0ba3ee516034878",
              "versionType": "git"
            },
            {
              "lessThan": "bc1909ef38788f2ee3d8011d70bf029948433051",
              "status": "affected",
              "version": "6211753fdfd05af9e08f54c8d0ba3ee516034878",
              "versionType": "git"
            },
            {
              "lessThan": "f9f1aed6c8a3427900da3121e1868124854569c3",
              "status": "affected",
              "version": "6211753fdfd05af9e08f54c8d0ba3ee516034878",
              "versionType": "git"
            },
            {
              "lessThan": "103e17aac09cdd358133f9e00998b75d6c1f1518",
              "status": "affected",
              "version": "6211753fdfd05af9e08f54c8d0ba3ee516034878",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/kvm/hyp/nvhe/ffa.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.11"
            },
            {
              "lessThan": "3.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.118",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.60",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.118",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.60",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.10",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Check the untrusted offset in FF-A memory share\n\nVerify the offset to prevent OOB access in the hypervisor\nFF-A buffer in case an untrusted large enough value\n[U32_MAX - sizeof(struct ffa_composite_mem_region) + 1, U32_MAX]\nis set from the host kernel."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-20T08:51:50.089Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fc3139d9f4c1fe1c7d5f25f99676bd8e9c6a1041"
        },
        {
          "url": "https://git.kernel.org/stable/c/bc1909ef38788f2ee3d8011d70bf029948433051"
        },
        {
          "url": "https://git.kernel.org/stable/c/f9f1aed6c8a3427900da3121e1868124854569c3"
        },
        {
          "url": "https://git.kernel.org/stable/c/103e17aac09cdd358133f9e00998b75d6c1f1518"
        }
      ],
      "title": "KVM: arm64: Check the untrusted offset in FF-A memory share",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40266",
    "datePublished": "2025-12-04T16:08:25.392Z",
    "dateReserved": "2025-04-16T07:20:57.183Z",
    "dateUpdated": "2025-12-20T08:51:50.089Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40256 (GCVE-0-2025-40256)

Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2026-01-19 12:18

Title

xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added

Summary

In the Linux kernel, the following vulnerability has been resolved: xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added In commit b441cf3f8c4b ("xfrm: delete x->tunnel as we delete x"), I missed the case where state creation fails between full initialization (->init_state has been called) and being inserted on the lists. In this situation, ->init_state has been called, so for IPcomp tunnels, the fallback tunnel has been created and added onto the lists, but the user state never gets added, because we fail before that. The user state doesn't go through __xfrm_state_delete, so we don't call xfrm_state_delete_tunnel for those states, and we end up leaking the FB tunnel. There are several codepaths affected by this: the add/update paths, in both net/key and xfrm, and the migrate code (xfrm_migrate, xfrm_state_migrate). A "proper" rollback of the init_state work would probably be doable in the add/update code, but for migrate it gets more complicated as multiple states may be involved. At some point, the new (not-inserted) state will be destroyed, so call xfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states will have their fallback tunnel cleaned up during __xfrm_state_delete, which solves the issue that b441cf3f8c4b (and other patches before it) aimed at. All states (including FB tunnels) will be removed from the lists once xfrm_state_fini has called flush_work(&xfrm_state_gc_work).

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/57b72d74d4651dc19…
	https://git.kernel.org/stable/c/1dad653643f28ccc8…
	https://git.kernel.org/stable/c/64441724387b4ac92…
	https://git.kernel.org/stable/c/763e5c351206c1e4d…
	https://git.kernel.org/stable/c/f7d879c19d306512c…
	https://git.kernel.org/stable/c/d6fe5c740c573af10…
	https://git.kernel.org/stable/c/10deb69864840ccf9…

Impacted products

Vendor

Product

Version

Linux

Affected: 1b28a7fae0128fa140a7dccd995182ff6cd1c67b , < 57b72d74d4651dc19d046308a8304eb9abfe66ac (git)
Affected: 4b2c17d0f9be8b58bb30468bc81a4b61c985b04e , < 1dad653643f28ccc89be93f9440b8804cded85b2 (git)
Affected: 0da961fa46da1b37ef868d9b603bd202136f8f8e , < 64441724387b4ac92f67ef51caaaeffe99c950d1 (git)
Affected: d0e0d1097118461463b76562c7ebaabaa5b90b13 , < 763e5c351206c1e4d910db4a1159053f6263689c (git)
Affected: dc3636912d41770466543623cb76e7b88fdb42c7 , < f7d879c19d306512c2e260f37e8a3e5c85e37c50 (git)
Affected: b441cf3f8c4b8576639d20c8eb4aa32917602ecd , < d6fe5c740c573af10943b8353992e1325cdb2715 (git)
Affected: b441cf3f8c4b8576639d20c8eb4aa32917602ecd , < 10deb69864840ccf96b00ac2ab3a2055c0c04721 (git)

Linux

Affected: 6.16
Unaffected: 0 , < 6.16 (semver)
Unaffected: 6.17.10 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/xfrm/xfrm_state.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "57b72d74d4651dc19d046308a8304eb9abfe66ac",
              "status": "affected",
              "version": "1b28a7fae0128fa140a7dccd995182ff6cd1c67b",
              "versionType": "git"
            },
            {
              "lessThan": "1dad653643f28ccc89be93f9440b8804cded85b2",
              "status": "affected",
              "version": "4b2c17d0f9be8b58bb30468bc81a4b61c985b04e",
              "versionType": "git"
            },
            {
              "lessThan": "64441724387b4ac92f67ef51caaaeffe99c950d1",
              "status": "affected",
              "version": "0da961fa46da1b37ef868d9b603bd202136f8f8e",
              "versionType": "git"
            },
            {
              "lessThan": "763e5c351206c1e4d910db4a1159053f6263689c",
              "status": "affected",
              "version": "d0e0d1097118461463b76562c7ebaabaa5b90b13",
              "versionType": "git"
            },
            {
              "lessThan": "f7d879c19d306512c2e260f37e8a3e5c85e37c50",
              "status": "affected",
              "version": "dc3636912d41770466543623cb76e7b88fdb42c7",
              "versionType": "git"
            },
            {
              "lessThan": "d6fe5c740c573af10943b8353992e1325cdb2715",
              "status": "affected",
              "version": "b441cf3f8c4b8576639d20c8eb4aa32917602ecd",
              "versionType": "git"
            },
            {
              "lessThan": "10deb69864840ccf96b00ac2ab3a2055c0c04721",
              "status": "affected",
              "version": "b441cf3f8c4b8576639d20c8eb4aa32917602ecd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/xfrm/xfrm_state.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.16"
            },
            {
              "lessThan": "6.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.10",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added\n\nIn commit b441cf3f8c4b (\"xfrm: delete x-\u003etunnel as we delete x\"), I\nmissed the case where state creation fails between full\ninitialization (-\u003einit_state has been called) and being inserted on\nthe lists.\n\nIn this situation, -\u003einit_state has been called, so for IPcomp\ntunnels, the fallback tunnel has been created and added onto the\nlists, but the user state never gets added, because we fail before\nthat. The user state doesn\u0027t go through __xfrm_state_delete, so we\ndon\u0027t call xfrm_state_delete_tunnel for those states, and we end up\nleaking the FB tunnel.\n\nThere are several codepaths affected by this: the add/update paths, in\nboth net/key and xfrm, and the migrate code (xfrm_migrate,\nxfrm_state_migrate). A \"proper\" rollback of the init_state work would\nprobably be doable in the add/update code, but for migrate it gets\nmore complicated as multiple states may be involved.\n\nAt some point, the new (not-inserted) state will be destroyed, so call\nxfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states\nwill have their fallback tunnel cleaned up during __xfrm_state_delete,\nwhich solves the issue that b441cf3f8c4b (and other patches before it)\naimed at. All states (including FB tunnels) will be removed from the\nlists once xfrm_state_fini has called flush_work(\u0026xfrm_state_gc_work)."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-19T12:18:06.846Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/57b72d74d4651dc19d046308a8304eb9abfe66ac"
        },
        {
          "url": "https://git.kernel.org/stable/c/1dad653643f28ccc89be93f9440b8804cded85b2"
        },
        {
          "url": "https://git.kernel.org/stable/c/64441724387b4ac92f67ef51caaaeffe99c950d1"
        },
        {
          "url": "https://git.kernel.org/stable/c/763e5c351206c1e4d910db4a1159053f6263689c"
        },
        {
          "url": "https://git.kernel.org/stable/c/f7d879c19d306512c2e260f37e8a3e5c85e37c50"
        },
        {
          "url": "https://git.kernel.org/stable/c/d6fe5c740c573af10943b8353992e1325cdb2715"
        },
        {
          "url": "https://git.kernel.org/stable/c/10deb69864840ccf96b00ac2ab3a2055c0c04721"
        }
      ],
      "title": "xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40256",
    "datePublished": "2025-12-04T16:08:17.756Z",
    "dateReserved": "2025-04-16T07:20:57.181Z",
    "dateUpdated": "2026-01-19T12:18:06.846Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40307 (GCVE-0-2025-40307)

Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-20 08:51

Title

exfat: validate cluster allocation bits of the allocation bitmap

Summary

In the Linux kernel, the following vulnerability has been resolved: exfat: validate cluster allocation bits of the allocation bitmap syzbot created an exfat image with cluster bits not set for the allocation bitmap. exfat-fs reads and uses the allocation bitmap without checking this. The problem is that if the start cluster of the allocation bitmap is 6, cluster 6 can be allocated when creating a directory with mkdir. exfat zeros out this cluster in exfat_mkdir, which can delete existing entries. This can reallocate the allocated entries. In addition, the allocation bitmap is also zeroed out, so cluster 6 can be reallocated. This patch adds exfat_test_bitmap_range to validate that clusters used for the allocation bitmap are correctly marked as in-use.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/6bc58b4c53795ab5f…
	https://git.kernel.org/stable/c/13c1d24803d5b0446…
	https://git.kernel.org/stable/c/79c1587b6cda74deb…

Impacted products

Vendor

Product

Version

Linux

Affected: 1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003 , < 6bc58b4c53795ab5fe00648344aa7d9d61175f90 (git)
Affected: 1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003 , < 13c1d24803d5b0446b3f6f0fdd67e07ac1fdc7bf (git)
Affected: 1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003 , < 79c1587b6cda74deb0c86fc7ba194b92958c793c (git)

Linux

Affected: 5.7
Unaffected: 0 , < 5.7 (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/exfat/balloc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6bc58b4c53795ab5fe00648344aa7d9d61175f90",
              "status": "affected",
              "version": "1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003",
              "versionType": "git"
            },
            {
              "lessThan": "13c1d24803d5b0446b3f6f0fdd67e07ac1fdc7bf",
              "status": "affected",
              "version": "1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003",
              "versionType": "git"
            },
            {
              "lessThan": "79c1587b6cda74deb0c86fc7ba194b92958c793c",
              "status": "affected",
              "version": "1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/exfat/balloc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: validate cluster allocation bits of the allocation bitmap\n\nsyzbot created an exfat image with cluster bits not set for the allocation\nbitmap. exfat-fs reads and uses the allocation bitmap without checking\nthis. The problem is that if the start cluster of the allocation bitmap\nis 6, cluster 6 can be allocated when creating a directory with mkdir.\nexfat zeros out this cluster in exfat_mkdir, which can delete existing\nentries. This can reallocate the allocated entries. In addition,\nthe allocation bitmap is also zeroed out, so cluster 6 can be reallocated.\nThis patch adds exfat_test_bitmap_range to validate that clusters used for\nthe allocation bitmap are correctly marked as in-use."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-20T08:51:58.576Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6bc58b4c53795ab5fe00648344aa7d9d61175f90"
        },
        {
          "url": "https://git.kernel.org/stable/c/13c1d24803d5b0446b3f6f0fdd67e07ac1fdc7bf"
        },
        {
          "url": "https://git.kernel.org/stable/c/79c1587b6cda74deb0c86fc7ba194b92958c793c"
        }
      ],
      "title": "exfat: validate cluster allocation bits of the allocation bitmap",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40307",
    "datePublished": "2025-12-08T00:46:32.659Z",
    "dateReserved": "2025-04-16T07:20:57.185Z",
    "dateUpdated": "2025-12-20T08:51:58.576Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68235 (GCVE-0-2025-68235)

Vulnerability from cvelistv5 – Published: 2025-12-16 14:08 – Updated: 2025-12-16 14:08

Title

nouveau/firmware: Add missing kfree() of nvkm_falcon_fw::boot

Summary

In the Linux kernel, the following vulnerability has been resolved: nouveau/firmware: Add missing kfree() of nvkm_falcon_fw::boot nvkm_falcon_fw::boot is allocated, but no one frees it. This causes a kmemleak warning. Make sure this data is deallocated.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7d1977b4ae5c50e1a…
	https://git.kernel.org/stable/c/6492add9a3a163d5e…
	https://git.kernel.org/stable/c/2bba02a39bfb383bd…
	https://git.kernel.org/stable/c/949f1fd2225baefbe…

Impacted products

Vendor

Product

Version

Linux

Affected: 2541626cfb794e57ba0575a6920826f591f7ced0 , < 7d1977b4ae5c50e1aafc5c51500fc08bd7afd6a0 (git)
Affected: 2541626cfb794e57ba0575a6920826f591f7ced0 , < 6492add9a3a163d5e0390428d2636adc3e61b883 (git)
Affected: 2541626cfb794e57ba0575a6920826f591f7ced0 , < 2bba02a39bfb383bd1a95868d532c0917e38f9e7 (git)
Affected: 2541626cfb794e57ba0575a6920826f591f7ced0 , < 949f1fd2225baefbea2995afa807dba5cbdb6bd3 (git)

Linux

Affected: 6.2
Unaffected: 0 , < 6.2 (semver)
Unaffected: 6.6.118 , ≤ 6.6.* (semver)
Unaffected: 6.12.60 , ≤ 6.12.* (semver)
Unaffected: 6.17.10 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/nouveau/nvkm/falcon/fw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7d1977b4ae5c50e1aafc5c51500fc08bd7afd6a0",
              "status": "affected",
              "version": "2541626cfb794e57ba0575a6920826f591f7ced0",
              "versionType": "git"
            },
            {
              "lessThan": "6492add9a3a163d5e0390428d2636adc3e61b883",
              "status": "affected",
              "version": "2541626cfb794e57ba0575a6920826f591f7ced0",
              "versionType": "git"
            },
            {
              "lessThan": "2bba02a39bfb383bd1a95868d532c0917e38f9e7",
              "status": "affected",
              "version": "2541626cfb794e57ba0575a6920826f591f7ced0",
              "versionType": "git"
            },
            {
              "lessThan": "949f1fd2225baefbea2995afa807dba5cbdb6bd3",
              "status": "affected",
              "version": "2541626cfb794e57ba0575a6920826f591f7ced0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/nouveau/nvkm/falcon/fw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.118",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.60",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.118",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.60",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.10",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau/firmware: Add missing kfree() of nvkm_falcon_fw::boot\n\nnvkm_falcon_fw::boot is allocated, but no one frees it. This causes a\nkmemleak warning.\n\nMake sure this data is deallocated."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T14:08:29.396Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7d1977b4ae5c50e1aafc5c51500fc08bd7afd6a0"
        },
        {
          "url": "https://git.kernel.org/stable/c/6492add9a3a163d5e0390428d2636adc3e61b883"
        },
        {
          "url": "https://git.kernel.org/stable/c/2bba02a39bfb383bd1a95868d532c0917e38f9e7"
        },
        {
          "url": "https://git.kernel.org/stable/c/949f1fd2225baefbea2995afa807dba5cbdb6bd3"
        }
      ],
      "title": "nouveau/firmware: Add missing kfree() of nvkm_falcon_fw::boot",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68235",
    "datePublished": "2025-12-16T14:08:29.396Z",
    "dateReserved": "2025-12-16T13:41:40.258Z",
    "dateUpdated": "2025-12-16T14:08:29.396Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68317 (GCVE-0-2025-68317)

Vulnerability from cvelistv5 – Published: 2025-12-16 15:39 – Updated: 2026-01-02 15:34

Title

io_uring/zctx: check chained notif contexts

Summary

In the Linux kernel, the following vulnerability has been resolved: io_uring/zctx: check chained notif contexts Send zc only links ubuf_info for requests coming from the same context. There are some ambiguous syz reports, so let's check the assumption on notification completion.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/aaafd17d3f4be2c15…
	https://git.kernel.org/stable/c/d664a3ce3a604231a…
	https://git.kernel.org/stable/c/ab3ea6eac5f45669b…

Impacted products

Vendor

Product

Version

Linux

Affected: 6fe4220912d19152a26ce19713ab232f4263018d , < aaafd17d3f4be2c15539359a5b4bfa00237f687f (git)
Affected: 6fe4220912d19152a26ce19713ab232f4263018d , < d664a3ce3a604231a0b144c152a3755d03b18b60 (git)
Affected: 6fe4220912d19152a26ce19713ab232f4263018d , < ab3ea6eac5f45669b091309f592c4ea324003053 (git)

Linux

Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "io_uring/notif.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "aaafd17d3f4be2c15539359a5b4bfa00237f687f",
              "status": "affected",
              "version": "6fe4220912d19152a26ce19713ab232f4263018d",
              "versionType": "git"
            },
            {
              "lessThan": "d664a3ce3a604231a0b144c152a3755d03b18b60",
              "status": "affected",
              "version": "6fe4220912d19152a26ce19713ab232f4263018d",
              "versionType": "git"
            },
            {
              "lessThan": "ab3ea6eac5f45669b091309f592c4ea324003053",
              "status": "affected",
              "version": "6fe4220912d19152a26ce19713ab232f4263018d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "io_uring/notif.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/zctx: check chained notif contexts\n\nSend zc only links ubuf_info for requests coming from the same context.\nThere are some ambiguous syz reports, so let\u0027s check the assumption on\nnotification completion."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:34:58.539Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/aaafd17d3f4be2c15539359a5b4bfa00237f687f"
        },
        {
          "url": "https://git.kernel.org/stable/c/d664a3ce3a604231a0b144c152a3755d03b18b60"
        },
        {
          "url": "https://git.kernel.org/stable/c/ab3ea6eac5f45669b091309f592c4ea324003053"
        }
      ],
      "title": "io_uring/zctx: check chained notif contexts",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68317",
    "datePublished": "2025-12-16T15:39:47.159Z",
    "dateReserved": "2025-12-16T14:48:05.295Z",
    "dateUpdated": "2026-01-02T15:34:58.539Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50821 (GCVE-0-2022-50821)

Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2025-12-30 12:08

Title

SUNRPC: Don't leak netobj memory when gss_read_proxy_verf() fails

Summary

In the Linux kernel, the following vulnerability has been resolved: SUNRPC: Don't leak netobj memory when gss_read_proxy_verf() fails

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/76f2497a2faa6a4e9…
	https://git.kernel.org/stable/c/aa91afe597401b78b…
	https://git.kernel.org/stable/c/2cd6026e257362f03…
	https://git.kernel.org/stable/c/d01fa993eb7fbc305…
	https://git.kernel.org/stable/c/67eb848161c2799f2…
	https://git.kernel.org/stable/c/c9ded831e2552b9c3…
	https://git.kernel.org/stable/c/da522b5fe1a5f8b7c…

Impacted products

Vendor

Product

Version

Linux

Affected: 030d794bf49855f5e2a9e8dfbfad34211d1eb08b , < 76f2497a2faa6a4e91efb94a7f55705b403273fd (git)
Affected: 030d794bf49855f5e2a9e8dfbfad34211d1eb08b , < aa91afe597401b78baa7d751c71eedb92c80bd4d (git)
Affected: 030d794bf49855f5e2a9e8dfbfad34211d1eb08b , < 2cd6026e257362f030c8be57abaf7fc0049df60a (git)
Affected: 030d794bf49855f5e2a9e8dfbfad34211d1eb08b , < d01fa993eb7fbc305f0a9c3e8bfac6513efc13b6 (git)
Affected: 030d794bf49855f5e2a9e8dfbfad34211d1eb08b , < 67eb848161c2799f2007968ea3bc87adb15c9567 (git)
Affected: 030d794bf49855f5e2a9e8dfbfad34211d1eb08b , < c9ded831e2552b9c3cab7e2591a190e94f9d29c0 (git)
Affected: 030d794bf49855f5e2a9e8dfbfad34211d1eb08b , < da522b5fe1a5f8b7c20a0023e87b52a150e53bf5 (git)

Linux

Affected: 3.10
Unaffected: 0 , < 3.10 (semver)
Unaffected: 4.19.270 , ≤ 4.19.* (semver)
Unaffected: 5.4.229 , ≤ 5.4.* (semver)
Unaffected: 5.10.163 , ≤ 5.10.* (semver)
Unaffected: 5.15.87 , ≤ 5.15.* (semver)
Unaffected: 6.0.17 , ≤ 6.0.* (semver)
Unaffected: 6.1.3 , ≤ 6.1.* (semver)
Unaffected: 6.2 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sunrpc/auth_gss/svcauth_gss.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "76f2497a2faa6a4e91efb94a7f55705b403273fd",
              "status": "affected",
              "version": "030d794bf49855f5e2a9e8dfbfad34211d1eb08b",
              "versionType": "git"
            },
            {
              "lessThan": "aa91afe597401b78baa7d751c71eedb92c80bd4d",
              "status": "affected",
              "version": "030d794bf49855f5e2a9e8dfbfad34211d1eb08b",
              "versionType": "git"
            },
            {
              "lessThan": "2cd6026e257362f030c8be57abaf7fc0049df60a",
              "status": "affected",
              "version": "030d794bf49855f5e2a9e8dfbfad34211d1eb08b",
              "versionType": "git"
            },
            {
              "lessThan": "d01fa993eb7fbc305f0a9c3e8bfac6513efc13b6",
              "status": "affected",
              "version": "030d794bf49855f5e2a9e8dfbfad34211d1eb08b",
              "versionType": "git"
            },
            {
              "lessThan": "67eb848161c2799f2007968ea3bc87adb15c9567",
              "status": "affected",
              "version": "030d794bf49855f5e2a9e8dfbfad34211d1eb08b",
              "versionType": "git"
            },
            {
              "lessThan": "c9ded831e2552b9c3cab7e2591a190e94f9d29c0",
              "status": "affected",
              "version": "030d794bf49855f5e2a9e8dfbfad34211d1eb08b",
              "versionType": "git"
            },
            {
              "lessThan": "da522b5fe1a5f8b7c20a0023e87b52a150e53bf5",
              "status": "affected",
              "version": "030d794bf49855f5e2a9e8dfbfad34211d1eb08b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sunrpc/auth_gss/svcauth_gss.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.10"
            },
            {
              "lessThan": "3.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.270",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.229",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.163",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.270",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.229",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.163",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.87",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.17",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.3",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Don\u0027t leak netobj memory when gss_read_proxy_verf() fails"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T12:08:35.564Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/76f2497a2faa6a4e91efb94a7f55705b403273fd"
        },
        {
          "url": "https://git.kernel.org/stable/c/aa91afe597401b78baa7d751c71eedb92c80bd4d"
        },
        {
          "url": "https://git.kernel.org/stable/c/2cd6026e257362f030c8be57abaf7fc0049df60a"
        },
        {
          "url": "https://git.kernel.org/stable/c/d01fa993eb7fbc305f0a9c3e8bfac6513efc13b6"
        },
        {
          "url": "https://git.kernel.org/stable/c/67eb848161c2799f2007968ea3bc87adb15c9567"
        },
        {
          "url": "https://git.kernel.org/stable/c/c9ded831e2552b9c3cab7e2591a190e94f9d29c0"
        },
        {
          "url": "https://git.kernel.org/stable/c/da522b5fe1a5f8b7c20a0023e87b52a150e53bf5"
        }
      ],
      "title": "SUNRPC: Don\u0027t leak netobj memory when gss_read_proxy_verf() fails",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50821",
    "datePublished": "2025-12-30T12:08:35.564Z",
    "dateReserved": "2025-12-30T12:06:07.131Z",
    "dateUpdated": "2025-12-30T12:08:35.564Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68353 (GCVE-0-2025-68353)

Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2025-12-24 10:32

Title

net: vxlan: prevent NULL deref in vxlan_xmit_one

Summary

In the Linux kernel, the following vulnerability has been resolved: net: vxlan: prevent NULL deref in vxlan_xmit_one Neither sock4 nor sock6 pointers are guaranteed to be non-NULL in vxlan_xmit_one, e.g. if the iface is brought down. This can lead to the following NULL dereference: BUG: kernel NULL pointer dereference, address: 0000000000000010 Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:vxlan_xmit_one+0xbb3/0x1580 Call Trace: vxlan_xmit+0x429/0x610 dev_hard_start_xmit+0x55/0xa0 __dev_queue_xmit+0x6d0/0x7f0 ip_finish_output2+0x24b/0x590 ip_output+0x63/0x110 Mentioned commits changed the code path in vxlan_xmit_one and as a side effect the sock4/6 pointer validity checks in vxlan(6)_get_route were lost. Fix this by adding back checks. Since both commits being fixed were released in the same version (v6.7) and are strongly related, bundle the fixes in a single commit.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4ac26aafdc8c72714…
	https://git.kernel.org/stable/c/1f73a56f986005f0b…

Impacted products

Vendor

Product

Version

Linux

Affected: 6f19b2c136d98a84d79030b53e23d405edfdc783 , < 4ac26aafdc8c7271414e2e7c0b2cb266a26591bc (git)
Affected: 6f19b2c136d98a84d79030b53e23d405edfdc783 , < 1f73a56f986005f0bc64ed23873930e2ee4f5911 (git)

Linux

Affected: 6.7
Unaffected: 0 , < 6.7 (semver)
Unaffected: 6.18.2 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/vxlan/vxlan_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4ac26aafdc8c7271414e2e7c0b2cb266a26591bc",
              "status": "affected",
              "version": "6f19b2c136d98a84d79030b53e23d405edfdc783",
              "versionType": "git"
            },
            {
              "lessThan": "1f73a56f986005f0bc64ed23873930e2ee4f5911",
              "status": "affected",
              "version": "6f19b2c136d98a84d79030b53e23d405edfdc783",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/vxlan/vxlan_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.2",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: vxlan: prevent NULL deref in vxlan_xmit_one\n\nNeither sock4 nor sock6 pointers are guaranteed to be non-NULL in\nvxlan_xmit_one, e.g. if the iface is brought down. This can lead to the\nfollowing NULL dereference:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000010\n  Oops: Oops: 0000 [#1] SMP NOPTI\n  RIP: 0010:vxlan_xmit_one+0xbb3/0x1580\n  Call Trace:\n   vxlan_xmit+0x429/0x610\n   dev_hard_start_xmit+0x55/0xa0\n   __dev_queue_xmit+0x6d0/0x7f0\n   ip_finish_output2+0x24b/0x590\n   ip_output+0x63/0x110\n\nMentioned commits changed the code path in vxlan_xmit_one and as a side\neffect the sock4/6 pointer validity checks in vxlan(6)_get_route were\nlost. Fix this by adding back checks.\n\nSince both commits being fixed were released in the same version (v6.7)\nand are strongly related, bundle the fixes in a single commit."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-24T10:32:44.068Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4ac26aafdc8c7271414e2e7c0b2cb266a26591bc"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f73a56f986005f0bc64ed23873930e2ee4f5911"
        }
      ],
      "title": "net: vxlan: prevent NULL deref in vxlan_xmit_one",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68353",
    "datePublished": "2025-12-24T10:32:44.068Z",
    "dateReserved": "2025-12-16T14:48:05.300Z",
    "dateUpdated": "2025-12-24T10:32:44.068Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68170 (GCVE-0-2025-68170)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:42 – Updated: 2025-12-16 13:42

Title

drm/radeon: Do not kfree() devres managed rdev

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/radeon: Do not kfree() devres managed rdev Since the allocation of the drivers main structure was changed to devm_drm_dev_alloc() rdev is managed by devres and we shouldn't be calling kfree() on it. This fixes things exploding if the driver probe fails and devres cleans up the rdev after we already free'd it. (cherry picked from commit 16c0681617b8a045773d4d87b6140002fa75b03b)

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f7482516002a11317…
	https://git.kernel.org/stable/c/2413bbd1d692aed24…
	https://git.kernel.org/stable/c/3328443363a0895fd…

Impacted products

Vendor

Product

Version

Linux

Affected: a9ed2f052c5c14e4be58c5ec8794dffc87588123 , < f7482516002a11317912e29577bbf33cf59a0fb1 (git)
Affected: a9ed2f052c5c14e4be58c5ec8794dffc87588123 , < 2413bbd1d692aed245c2aa38a369a1fa7590db84 (git)
Affected: a9ed2f052c5c14e4be58c5ec8794dffc87588123 , < 3328443363a0895fd9c096edfe8ecd372ca9145e (git)

Linux

Affected: 6.12
Unaffected: 0 , < 6.12 (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/radeon/radeon_kms.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f7482516002a11317912e29577bbf33cf59a0fb1",
              "status": "affected",
              "version": "a9ed2f052c5c14e4be58c5ec8794dffc87588123",
              "versionType": "git"
            },
            {
              "lessThan": "2413bbd1d692aed245c2aa38a369a1fa7590db84",
              "status": "affected",
              "version": "a9ed2f052c5c14e4be58c5ec8794dffc87588123",
              "versionType": "git"
            },
            {
              "lessThan": "3328443363a0895fd9c096edfe8ecd372ca9145e",
              "status": "affected",
              "version": "a9ed2f052c5c14e4be58c5ec8794dffc87588123",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/radeon/radeon_kms.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: Do not kfree() devres managed rdev\n\nSince the allocation of the drivers main structure was changed to\ndevm_drm_dev_alloc() rdev is managed by devres and we shouldn\u0027t be calling\nkfree() on it.\n\nThis fixes things exploding if the driver probe fails and devres cleans up\nthe rdev after we already free\u0027d it.\n\n(cherry picked from commit 16c0681617b8a045773d4d87b6140002fa75b03b)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T13:42:50.201Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f7482516002a11317912e29577bbf33cf59a0fb1"
        },
        {
          "url": "https://git.kernel.org/stable/c/2413bbd1d692aed245c2aa38a369a1fa7590db84"
        },
        {
          "url": "https://git.kernel.org/stable/c/3328443363a0895fd9c096edfe8ecd372ca9145e"
        }
      ],
      "title": "drm/radeon: Do not kfree() devres managed rdev",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68170",
    "datePublished": "2025-12-16T13:42:50.201Z",
    "dateReserved": "2025-12-16T13:41:40.251Z",
    "dateUpdated": "2025-12-16T13:42:50.201Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68255 (GCVE-0-2025-68255)

Vulnerability from cvelistv5 – Published: 2025-12-16 14:44 – Updated: 2026-01-19 12:18

Title

staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing

Summary

In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing The Supported Rates IE length from an incoming Association Request frame was used directly as the memcpy() length when copying into a fixed-size 16-byte stack buffer (supportRate). A malicious station can advertise an IE length larger than 16 bytes, causing a stack buffer overflow. Clamp ie_len to the buffer size before copying the Supported Rates IE, and correct the bounds check when merging Extended Supported Rates to prevent a second potential overflow. This prevents kernel stack corruption triggered by malformed association requests.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/49b7806851f93fd34…
	https://git.kernel.org/stable/c/4445adedae7700370…
	https://git.kernel.org/stable/c/d129dc2a5d59b4d9c…
	https://git.kernel.org/stable/c/34620eb602aa432f0…
	https://git.kernel.org/stable/c/61871c83259a51198…
	https://git.kernel.org/stable/c/25411f5fcf5743131…
	https://git.kernel.org/stable/c/e841d8ea722315b78…
	https://git.kernel.org/stable/c/6ef0e1c1045592786…

Impacted products

Vendor

Product

Version

Linux

Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 49b7806851f93fd342838c93f4f765e0cc5029b0 (git)
Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 4445adedae770037078803d1ce41f9e88a1944b6 (git)
Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < d129dc2a5d59b4d9cd2cc0b6eeb04df8461199f0 (git)
Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 34620eb602aa432f090b2b784ee5c5070fb16cf9 (git)
Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 61871c83259a511980ec2664964cecc69005398b (git)
Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 25411f5fcf5743131158f337c99c2bbf3f8477f5 (git)
Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < e841d8ea722315b781c4fc5bf4f7670fbca88875 (git)
Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 6ef0e1c10455927867cac8f0ed6b49f328f8cf95 (git)

Linux

Affected: 4.12
Unaffected: 0 , < 4.12 (semver)
Unaffected: 5.10.248 , ≤ 5.10.* (semver)
Unaffected: 5.15.198 , ≤ 5.15.* (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.62 , ≤ 6.12.* (semver)
Unaffected: 6.17.12 , ≤ 6.17.* (semver)
Unaffected: 6.18.1 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/staging/rtl8723bs/core/rtw_mlme_ext.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "49b7806851f93fd342838c93f4f765e0cc5029b0",
              "status": "affected",
              "version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
              "versionType": "git"
            },
            {
              "lessThan": "4445adedae770037078803d1ce41f9e88a1944b6",
              "status": "affected",
              "version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
              "versionType": "git"
            },
            {
              "lessThan": "d129dc2a5d59b4d9cd2cc0b6eeb04df8461199f0",
              "status": "affected",
              "version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
              "versionType": "git"
            },
            {
              "lessThan": "34620eb602aa432f090b2b784ee5c5070fb16cf9",
              "status": "affected",
              "version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
              "versionType": "git"
            },
            {
              "lessThan": "61871c83259a511980ec2664964cecc69005398b",
              "status": "affected",
              "version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
              "versionType": "git"
            },
            {
              "lessThan": "25411f5fcf5743131158f337c99c2bbf3f8477f5",
              "status": "affected",
              "version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
              "versionType": "git"
            },
            {
              "lessThan": "e841d8ea722315b781c4fc5bf4f7670fbca88875",
              "status": "affected",
              "version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
              "versionType": "git"
            },
            {
              "lessThan": "6ef0e1c10455927867cac8f0ed6b49f328f8cf95",
              "status": "affected",
              "version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/staging/rtl8723bs/core/rtw_mlme_ext.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.12"
            },
            {
              "lessThan": "4.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.248",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.62",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.248",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.198",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.62",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.12",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.1",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing\n\nThe Supported Rates IE length from an incoming Association Request frame\nwas used directly as the memcpy() length when copying into a fixed-size\n16-byte stack buffer (supportRate). A malicious station can advertise an\nIE length larger than 16 bytes, causing a stack buffer overflow.\n\nClamp ie_len to the buffer size before copying the Supported Rates IE,\nand correct the bounds check when merging Extended Supported Rates to\nprevent a second potential overflow.\n\nThis prevents kernel stack corruption triggered by malformed association\nrequests."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-19T12:18:09.263Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/49b7806851f93fd342838c93f4f765e0cc5029b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/4445adedae770037078803d1ce41f9e88a1944b6"
        },
        {
          "url": "https://git.kernel.org/stable/c/d129dc2a5d59b4d9cd2cc0b6eeb04df8461199f0"
        },
        {
          "url": "https://git.kernel.org/stable/c/34620eb602aa432f090b2b784ee5c5070fb16cf9"
        },
        {
          "url": "https://git.kernel.org/stable/c/61871c83259a511980ec2664964cecc69005398b"
        },
        {
          "url": "https://git.kernel.org/stable/c/25411f5fcf5743131158f337c99c2bbf3f8477f5"
        },
        {
          "url": "https://git.kernel.org/stable/c/e841d8ea722315b781c4fc5bf4f7670fbca88875"
        },
        {
          "url": "https://git.kernel.org/stable/c/6ef0e1c10455927867cac8f0ed6b49f328f8cf95"
        }
      ],
      "title": "staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68255",
    "datePublished": "2025-12-16T14:44:58.031Z",
    "dateReserved": "2025-12-16T13:41:40.267Z",
    "dateUpdated": "2026-01-19T12:18:09.263Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40357 (GCVE-0-2025-40357)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:30 – Updated: 2025-12-16 13:30

Title

net/smc: fix general protection fault in __smc_diag_dump

Summary

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix general protection fault in __smc_diag_dump The syzbot report a crash: Oops: general protection fault, probably for non-canonical address 0xfbd5a5d5a0000003: 0000 [#1] SMP KASAN NOPTI KASAN: maybe wild-memory-access in range [0xdead4ead00000018-0xdead4ead0000001f] CPU: 1 UID: 0 PID: 6949 Comm: syz.0.335 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline] RIP: 0010:__smc_diag_dump.constprop.0+0x3ca/0x2550 net/smc/smc_diag.c:89 Call Trace: <TASK> smc_diag_dump_proto+0x26d/0x420 net/smc/smc_diag.c:217 smc_diag_dump+0x27/0x90 net/smc/smc_diag.c:234 netlink_dump+0x539/0xd30 net/netlink/af_netlink.c:2327 __netlink_dump_start+0x6d6/0x990 net/netlink/af_netlink.c:2442 netlink_dump_start include/linux/netlink.h:341 [inline] smc_diag_handler_dump+0x1f9/0x240 net/smc/smc_diag.c:251 __sock_diag_cmd net/core/sock_diag.c:249 [inline] sock_diag_rcv_msg+0x438/0x790 net/core/sock_diag.c:285 netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x5a7/0x870 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg net/socket.c:729 [inline] ____sys_sendmsg+0xa95/0xc70 net/socket.c:2614 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2668 __sys_sendmsg+0x16d/0x220 net/socket.c:2700 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> The process like this: (CPU1) | (CPU2) ---------------------------------|------------------------------- inet_create() | // init clcsock to NULL | sk = sk_alloc() | | // unexpectedly change clcsock | inet_init_csk_locks() | | // add sk to hash table | smc_inet_init_sock() | smc_sk_init() | smc_hash_sk() | | // traverse the hash table | smc_diag_dump_proto | __smc_diag_dump() | // visit wrong clcsock | smc_diag_msg_common_fill() // alloc clcsock | smc_create_clcsk | sock_create_kern | With CONFIG_DEBUG_LOCK_ALLOC=y, the smc->clcsock is unexpectedly changed in inet_init_csk_locks(). The INET_PROTOSW_ICSK flag is no need by smc, just remove it. After removing the INET_PROTOSW_ICSK flag, this patch alse revert commit 6fd27ea183c2 ("net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC") to avoid casting smc_sock to inet_connection_sock.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/5b6fc95c4a1613265…
	https://git.kernel.org/stable/c/99b5b3faf3220ba1c…
	https://git.kernel.org/stable/c/f584239a9ed250574…

Impacted products

Vendor

Product

Version

Linux

Affected: d25a92ccae6bed02327b63d138e12e7806830f78 , < 5b6fc95c4a161326567bdf12a333768565b638f2 (git)
Affected: d25a92ccae6bed02327b63d138e12e7806830f78 , < 99b5b3faf3220ba1cdab8e6e42be4f3f993937c3 (git)
Affected: d25a92ccae6bed02327b63d138e12e7806830f78 , < f584239a9ed25057496bf397c370cc5163dde419 (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.12.56 , ≤ 6.12.* (semver)
Unaffected: 6.17.6 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/smc/smc_inet.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5b6fc95c4a161326567bdf12a333768565b638f2",
              "status": "affected",
              "version": "d25a92ccae6bed02327b63d138e12e7806830f78",
              "versionType": "git"
            },
            {
              "lessThan": "99b5b3faf3220ba1cdab8e6e42be4f3f993937c3",
              "status": "affected",
              "version": "d25a92ccae6bed02327b63d138e12e7806830f78",
              "versionType": "git"
            },
            {
              "lessThan": "f584239a9ed25057496bf397c370cc5163dde419",
              "status": "affected",
              "version": "d25a92ccae6bed02327b63d138e12e7806830f78",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/smc/smc_inet.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.56",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.56",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.6",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix general protection fault in __smc_diag_dump\n\nThe syzbot report a crash:\n\n  Oops: general protection fault, probably for non-canonical address 0xfbd5a5d5a0000003: 0000 [#1] SMP KASAN NOPTI\n  KASAN: maybe wild-memory-access in range [0xdead4ead00000018-0xdead4ead0000001f]\n  CPU: 1 UID: 0 PID: 6949 Comm: syz.0.335 Not tainted syzkaller #0 PREEMPT(full)\n  Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\n  RIP: 0010:smc_diag_msg_common_fill net/smc/smc_diag.c:44 [inline]\n  RIP: 0010:__smc_diag_dump.constprop.0+0x3ca/0x2550 net/smc/smc_diag.c:89\n  Call Trace:\n   \u003cTASK\u003e\n   smc_diag_dump_proto+0x26d/0x420 net/smc/smc_diag.c:217\n   smc_diag_dump+0x27/0x90 net/smc/smc_diag.c:234\n   netlink_dump+0x539/0xd30 net/netlink/af_netlink.c:2327\n   __netlink_dump_start+0x6d6/0x990 net/netlink/af_netlink.c:2442\n   netlink_dump_start include/linux/netlink.h:341 [inline]\n   smc_diag_handler_dump+0x1f9/0x240 net/smc/smc_diag.c:251\n   __sock_diag_cmd net/core/sock_diag.c:249 [inline]\n   sock_diag_rcv_msg+0x438/0x790 net/core/sock_diag.c:285\n   netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552\n   netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]\n   netlink_unicast+0x5a7/0x870 net/netlink/af_netlink.c:1346\n   netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1896\n   sock_sendmsg_nosec net/socket.c:714 [inline]\n   __sock_sendmsg net/socket.c:729 [inline]\n   ____sys_sendmsg+0xa95/0xc70 net/socket.c:2614\n   ___sys_sendmsg+0x134/0x1d0 net/socket.c:2668\n   __sys_sendmsg+0x16d/0x220 net/socket.c:2700\n   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n   \u003c/TASK\u003e\n\nThe process like this:\n\n               (CPU1)              |             (CPU2)\n  ---------------------------------|-------------------------------\n  inet_create()                    |\n    // init clcsock to NULL        |\n    sk = sk_alloc()                |\n                                   |\n    // unexpectedly change clcsock |\n    inet_init_csk_locks()          |\n                                   |\n    // add sk to hash table        |\n    smc_inet_init_sock()           |\n      smc_sk_init()                |\n        smc_hash_sk()              |\n                                   | // traverse the hash table\n                                   | smc_diag_dump_proto\n                                   |   __smc_diag_dump()\n                                   |     // visit wrong clcsock\n                                   |     smc_diag_msg_common_fill()\n    // alloc clcsock               |\n    smc_create_clcsk               |\n      sock_create_kern             |\n\nWith CONFIG_DEBUG_LOCK_ALLOC=y, the smc-\u003eclcsock is unexpectedly changed\nin inet_init_csk_locks(). The INET_PROTOSW_ICSK flag is no need by smc,\njust remove it.\n\nAfter removing the INET_PROTOSW_ICSK flag, this patch alse revert\ncommit 6fd27ea183c2 (\"net/smc: fix lacks of icsk_syn_mss with IPPROTO_SMC\")\nto avoid casting smc_sock to inet_connection_sock."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T13:30:29.758Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5b6fc95c4a161326567bdf12a333768565b638f2"
        },
        {
          "url": "https://git.kernel.org/stable/c/99b5b3faf3220ba1cdab8e6e42be4f3f993937c3"
        },
        {
          "url": "https://git.kernel.org/stable/c/f584239a9ed25057496bf397c370cc5163dde419"
        }
      ],
      "title": "net/smc: fix general protection fault in __smc_diag_dump",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40357",
    "datePublished": "2025-12-16T13:30:29.758Z",
    "dateReserved": "2025-04-16T07:20:57.187Z",
    "dateUpdated": "2025-12-16T13:30:29.758Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40240 (GCVE-0-2025-40240)

Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2025-12-04 15:31

Title

sctp: avoid NULL dereference when chunk data buffer is missing

Summary

In the Linux kernel, the following vulnerability has been resolved: sctp: avoid NULL dereference when chunk data buffer is missing chunk->skb pointer is dereferenced in the if-block where it's supposed to be NULL only. chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list instead and do it just before replacing chunk->skb. We're sure that otherwise chunk->skb is non-NULL because of outer if() condition.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/61cda2777b07d2745…
	https://git.kernel.org/stable/c/08165c29659707576…
	https://git.kernel.org/stable/c/03e80a4b04ef1fb2c…
	https://git.kernel.org/stable/c/4f6da435fb5d8a21c…
	https://git.kernel.org/stable/c/cb9055ba30306ede4…
	https://git.kernel.org/stable/c/7a832b0f99be19df6…
	https://git.kernel.org/stable/c/89b465b54227c245d…
	https://git.kernel.org/stable/c/441f0647f7673e0e6…

Impacted products

Vendor

Product

Version

Linux

Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 61cda2777b07d27459f5cac5a047c3edf9c8a1a9 (git)
Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 08165c296597075763130919f2aae59b5822f016 (git)
Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 03e80a4b04ef1fb2c61dd63216ab8d3a5dcb196f (git)
Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 4f6da435fb5d8a21cbf8cae5ca5a2ba0e1012b71 (git)
Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < cb9055ba30306ede4ad920002233d0659982f1cb (git)
Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 7a832b0f99be19df608cb75c023f8027b1789bd1 (git)
Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 89b465b54227c245ddc7cc9ed822231af21123ef (git)
Affected: 90017accff61ae89283ad9a51f9ac46ca01633fb , < 441f0647f7673e0e64d4910ef61a5fb8f16bfb82 (git)

Linux

Affected: 4.8
Unaffected: 0 , < 4.8 (semver)
Unaffected: 5.4.301 , ≤ 5.4.* (semver)
Unaffected: 5.10.246 , ≤ 5.10.* (semver)
Unaffected: 5.15.196 , ≤ 5.15.* (semver)
Unaffected: 6.1.158 , ≤ 6.1.* (semver)
Unaffected: 6.6.115 , ≤ 6.6.* (semver)
Unaffected: 6.12.56 , ≤ 6.12.* (semver)
Unaffected: 6.17.6 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/inqueue.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "61cda2777b07d27459f5cac5a047c3edf9c8a1a9",
              "status": "affected",
              "version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
              "versionType": "git"
            },
            {
              "lessThan": "08165c296597075763130919f2aae59b5822f016",
              "status": "affected",
              "version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
              "versionType": "git"
            },
            {
              "lessThan": "03e80a4b04ef1fb2c61dd63216ab8d3a5dcb196f",
              "status": "affected",
              "version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
              "versionType": "git"
            },
            {
              "lessThan": "4f6da435fb5d8a21cbf8cae5ca5a2ba0e1012b71",
              "status": "affected",
              "version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
              "versionType": "git"
            },
            {
              "lessThan": "cb9055ba30306ede4ad920002233d0659982f1cb",
              "status": "affected",
              "version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
              "versionType": "git"
            },
            {
              "lessThan": "7a832b0f99be19df608cb75c023f8027b1789bd1",
              "status": "affected",
              "version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
              "versionType": "git"
            },
            {
              "lessThan": "89b465b54227c245ddc7cc9ed822231af21123ef",
              "status": "affected",
              "version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
              "versionType": "git"
            },
            {
              "lessThan": "441f0647f7673e0e64d4910ef61a5fb8f16bfb82",
              "status": "affected",
              "version": "90017accff61ae89283ad9a51f9ac46ca01633fb",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/inqueue.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.301",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.246",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.196",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.158",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.115",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.56",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.301",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.246",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.196",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.158",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.115",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.56",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.6",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: avoid NULL dereference when chunk data buffer is missing\n\nchunk-\u003eskb pointer is dereferenced in the if-block where it\u0027s supposed\nto be NULL only.\n\nchunk-\u003eskb can only be NULL if chunk-\u003ehead_skb is not. Check for frag_list\ninstead and do it just before replacing chunk-\u003eskb. We\u0027re sure that\notherwise chunk-\u003eskb is non-NULL because of outer if() condition."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-04T15:31:29.715Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/61cda2777b07d27459f5cac5a047c3edf9c8a1a9"
        },
        {
          "url": "https://git.kernel.org/stable/c/08165c296597075763130919f2aae59b5822f016"
        },
        {
          "url": "https://git.kernel.org/stable/c/03e80a4b04ef1fb2c61dd63216ab8d3a5dcb196f"
        },
        {
          "url": "https://git.kernel.org/stable/c/4f6da435fb5d8a21cbf8cae5ca5a2ba0e1012b71"
        },
        {
          "url": "https://git.kernel.org/stable/c/cb9055ba30306ede4ad920002233d0659982f1cb"
        },
        {
          "url": "https://git.kernel.org/stable/c/7a832b0f99be19df608cb75c023f8027b1789bd1"
        },
        {
          "url": "https://git.kernel.org/stable/c/89b465b54227c245ddc7cc9ed822231af21123ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/441f0647f7673e0e64d4910ef61a5fb8f16bfb82"
        }
      ],
      "title": "sctp: avoid NULL dereference when chunk data buffer is missing",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40240",
    "datePublished": "2025-12-04T15:31:29.715Z",
    "dateReserved": "2025-04-16T07:20:57.181Z",
    "dateUpdated": "2025-12-04T15:31:29.715Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40302 (GCVE-0-2025-40302)

Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46

Title

media: videobuf2: forbid remove_bufs when legacy fileio is active

Summary

In the Linux kernel, the following vulnerability has been resolved: media: videobuf2: forbid remove_bufs when legacy fileio is active vb2_ioctl_remove_bufs() call manipulates queue internal buffer list, potentially overwriting some pointers used by the legacy fileio access mode. Forbid that ioctl when fileio is active to protect internal queue state between subsequent read/write calls.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a6a493b985bfffac0…
	https://git.kernel.org/stable/c/e819b34df0a7030a1…
	https://git.kernel.org/stable/c/27afd6e066cfd80dd…

Impacted products

Vendor

Product

Version

Linux

Affected: a3293a85381ec9680aa2929547fbc76c5d87a1b2 , < a6a493b985bfffac097a4e1be09f98b27729dca8 (git)
Affected: a3293a85381ec9680aa2929547fbc76c5d87a1b2 , < e819b34df0a7030a15c968d619fa8a3ed2455c7a (git)
Affected: a3293a85381ec9680aa2929547fbc76c5d87a1b2 , < 27afd6e066cfd80ddbe22a4a11b99174ac89cced (git)

Linux

Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/common/videobuf2/videobuf2-v4l2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a6a493b985bfffac097a4e1be09f98b27729dca8",
              "status": "affected",
              "version": "a3293a85381ec9680aa2929547fbc76c5d87a1b2",
              "versionType": "git"
            },
            {
              "lessThan": "e819b34df0a7030a15c968d619fa8a3ed2455c7a",
              "status": "affected",
              "version": "a3293a85381ec9680aa2929547fbc76c5d87a1b2",
              "versionType": "git"
            },
            {
              "lessThan": "27afd6e066cfd80ddbe22a4a11b99174ac89cced",
              "status": "affected",
              "version": "a3293a85381ec9680aa2929547fbc76c5d87a1b2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/common/videobuf2/videobuf2-v4l2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: videobuf2: forbid remove_bufs when legacy fileio is active\n\nvb2_ioctl_remove_bufs() call manipulates queue internal buffer list,\npotentially overwriting some pointers used by the legacy fileio access\nmode. Forbid that ioctl when fileio is active to protect internal queue\nstate between subsequent read/write calls."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-08T00:46:26.293Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a6a493b985bfffac097a4e1be09f98b27729dca8"
        },
        {
          "url": "https://git.kernel.org/stable/c/e819b34df0a7030a15c968d619fa8a3ed2455c7a"
        },
        {
          "url": "https://git.kernel.org/stable/c/27afd6e066cfd80ddbe22a4a11b99174ac89cced"
        }
      ],
      "title": "media: videobuf2: forbid remove_bufs when legacy fileio is active",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40302",
    "datePublished": "2025-12-08T00:46:26.293Z",
    "dateReserved": "2025-04-16T07:20:57.185Z",
    "dateUpdated": "2025-12-08T00:46:26.293Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40237 (GCVE-0-2025-40237)

Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2025-12-23 16:40

Title

fs/notify: call exportfs_encode_fid with s_umount

Summary

In the Linux kernel, the following vulnerability has been resolved: fs/notify: call exportfs_encode_fid with s_umount Calling intotify_show_fdinfo() on fd watching an overlayfs inode, while the overlayfs is being unmounted, can lead to dereferencing NULL ptr. This issue was found by syzkaller. Race Condition Diagram: Thread 1 Thread 2 -------- -------- generic_shutdown_super() shrink_dcache_for_umount sb->s_root = NULL | | vfs_read() | inotify_fdinfo() | * inode get from mark * | show_mark_fhandle(m, inode) | exportfs_encode_fid(inode, ..) | ovl_encode_fh(inode, ..) | ovl_check_encode_origin(inode) | * deref i_sb->s_root * | | v fsnotify_sb_delete(sb) Which then leads to: [ 32.133461] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [ 32.134438] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [ 32.135032] CPU: 1 UID: 0 PID: 4468 Comm: systemd-coredum Not tainted 6.17.0-rc6 #22 PREEMPT(none) <snip registers, unreliable trace> [ 32.143353] Call Trace: [ 32.143732] ovl_encode_fh+0xd5/0x170 [ 32.144031] exportfs_encode_inode_fh+0x12f/0x300 [ 32.144425] show_mark_fhandle+0xbe/0x1f0 [ 32.145805] inotify_fdinfo+0x226/0x2d0 [ 32.146442] inotify_show_fdinfo+0x1c5/0x350 [ 32.147168] seq_show+0x530/0x6f0 [ 32.147449] seq_read_iter+0x503/0x12a0 [ 32.148419] seq_read+0x31f/0x410 [ 32.150714] vfs_read+0x1f0/0x9e0 [ 32.152297] ksys_read+0x125/0x240 IOW ovl_check_encode_origin derefs inode->i_sb->s_root, after it was set to NULL in the unmount path. Fix it by protecting calling exportfs_encode_fid() from show_mark_fhandle() with s_umount lock. This form of fix was suggested by Amir in [1]. [1]: https://lore.kernel.org/all/CAOQ4uxhbDwhb+2Brs1UdkoF0a3NSdBAOQPNfEHjahrgoKJpLEw@mail.gmail.com/

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/950b604384fd75d62…
	https://git.kernel.org/stable/c/bc1c6b803e14ea2b8…
	https://git.kernel.org/stable/c/3f307a9f7a7a2822e…
	https://git.kernel.org/stable/c/d1894bc542becb0fd…
	https://git.kernel.org/stable/c/a7c4bb43bfdc2b9f0…

Impacted products

Vendor

Product

Version

Linux

Affected: a1a541fbfa7e97c1100144db34b57553d7164ce5 , < 950b604384fd75d62e860bec7135b2b62eb4d508 (git)
Affected: f0c0ac84de17c37e6e84da65fb920f91dada55ad , < bc1c6b803e14ea2b8f7e33b7164013f666ceb656 (git)
Affected: 3c7c90274ae339e1ad443c9be1c67a20b80b9c76 , < 3f307a9f7a7a2822e38ac451b73e2244e7279496 (git)
Affected: c45beebfde34aa71afbc48b2c54cdda623515037 , < d1894bc542becb0fda61e7e513b09523cab44030 (git)
Affected: c45beebfde34aa71afbc48b2c54cdda623515037 , < a7c4bb43bfdc2b9f06ee9d036028ed13a83df42a (git)

Linux

Affected: 6.13
Unaffected: 0 , < 6.13 (semver)
Unaffected: 6.6.73 , ≤ 6.6.* (semver)
Unaffected: 6.6.115 , ≤ 6.6.* (semver)
Unaffected: 6.12.56 , ≤ 6.12.* (semver)
Unaffected: 6.17.6 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/notify/fdinfo.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "950b604384fd75d62e860bec7135b2b62eb4d508",
              "status": "affected",
              "version": "a1a541fbfa7e97c1100144db34b57553d7164ce5",
              "versionType": "git"
            },
            {
              "lessThan": "bc1c6b803e14ea2b8f7e33b7164013f666ceb656",
              "status": "affected",
              "version": "f0c0ac84de17c37e6e84da65fb920f91dada55ad",
              "versionType": "git"
            },
            {
              "lessThan": "3f307a9f7a7a2822e38ac451b73e2244e7279496",
              "status": "affected",
              "version": "3c7c90274ae339e1ad443c9be1c67a20b80b9c76",
              "versionType": "git"
            },
            {
              "lessThan": "d1894bc542becb0fda61e7e513b09523cab44030",
              "status": "affected",
              "version": "c45beebfde34aa71afbc48b2c54cdda623515037",
              "versionType": "git"
            },
            {
              "lessThan": "a7c4bb43bfdc2b9f06ee9d036028ed13a83df42a",
              "status": "affected",
              "version": "c45beebfde34aa71afbc48b2c54cdda623515037",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/notify/fdinfo.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.73",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.115",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.56",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.73",
                  "versionStartIncluding": "6.6.72",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.115",
                  "versionStartIncluding": "6.6.74",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.56",
                  "versionStartIncluding": "6.12.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.6",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/notify: call exportfs_encode_fid with s_umount\n\nCalling intotify_show_fdinfo() on fd watching an overlayfs inode, while\nthe overlayfs is being unmounted, can lead to dereferencing NULL ptr.\n\nThis issue was found by syzkaller.\n\nRace Condition Diagram:\n\nThread 1                           Thread 2\n--------                           --------\n\ngeneric_shutdown_super()\n shrink_dcache_for_umount\n  sb-\u003es_root = NULL\n\n                    |\n                    |             vfs_read()\n                    |              inotify_fdinfo()\n                    |               * inode get from mark *\n                    |               show_mark_fhandle(m, inode)\n                    |                exportfs_encode_fid(inode, ..)\n                    |                 ovl_encode_fh(inode, ..)\n                    |                  ovl_check_encode_origin(inode)\n                    |                   * deref i_sb-\u003es_root *\n                    |\n                    |\n                    v\n fsnotify_sb_delete(sb)\n\nWhich then leads to:\n\n[   32.133461] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI\n[   32.134438] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]\n[   32.135032] CPU: 1 UID: 0 PID: 4468 Comm: systemd-coredum Not tainted 6.17.0-rc6 #22 PREEMPT(none)\n\n\u003csnip registers, unreliable trace\u003e\n\n[   32.143353] Call Trace:\n[   32.143732]  ovl_encode_fh+0xd5/0x170\n[   32.144031]  exportfs_encode_inode_fh+0x12f/0x300\n[   32.144425]  show_mark_fhandle+0xbe/0x1f0\n[   32.145805]  inotify_fdinfo+0x226/0x2d0\n[   32.146442]  inotify_show_fdinfo+0x1c5/0x350\n[   32.147168]  seq_show+0x530/0x6f0\n[   32.147449]  seq_read_iter+0x503/0x12a0\n[   32.148419]  seq_read+0x31f/0x410\n[   32.150714]  vfs_read+0x1f0/0x9e0\n[   32.152297]  ksys_read+0x125/0x240\n\nIOW ovl_check_encode_origin derefs inode-\u003ei_sb-\u003es_root, after it was set\nto NULL in the unmount path.\n\nFix it by protecting calling exportfs_encode_fid() from\nshow_mark_fhandle() with s_umount lock.\n\nThis form of fix was suggested by Amir in [1].\n\n[1]: https://lore.kernel.org/all/CAOQ4uxhbDwhb+2Brs1UdkoF0a3NSdBAOQPNfEHjahrgoKJpLEw@mail.gmail.com/"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-23T16:40:14.296Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/950b604384fd75d62e860bec7135b2b62eb4d508"
        },
        {
          "url": "https://git.kernel.org/stable/c/bc1c6b803e14ea2b8f7e33b7164013f666ceb656"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f307a9f7a7a2822e38ac451b73e2244e7279496"
        },
        {
          "url": "https://git.kernel.org/stable/c/d1894bc542becb0fda61e7e513b09523cab44030"
        },
        {
          "url": "https://git.kernel.org/stable/c/a7c4bb43bfdc2b9f06ee9d036028ed13a83df42a"
        }
      ],
      "title": "fs/notify: call exportfs_encode_fid with s_umount",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40237",
    "datePublished": "2025-12-04T15:31:27.325Z",
    "dateReserved": "2025-04-16T07:20:57.181Z",
    "dateUpdated": "2025-12-23T16:40:14.296Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50703 (GCVE-0-2022-50703)

Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55

Title

soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe()

Summary

In the Linux kernel, the following vulnerability has been resolved: soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe() There are two refcount leak bugs in qcom_smsm_probe(): (1) The 'local_node' is escaped out from for_each_child_of_node() as the break of iteration, we should call of_node_put() for it in error path or when it is not used anymore. (2) The 'node' is escaped out from for_each_available_child_of_node() as the 'goto', we should call of_node_put() for it in goto target.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/1bbe75d466e5118b7…
	https://git.kernel.org/stable/c/bd4666bf5562fe8e8…
	https://git.kernel.org/stable/c/42df28994eba7b56c…
	https://git.kernel.org/stable/c/1e3ed59370c712df4…
	https://git.kernel.org/stable/c/39781c98ad46b4e85…
	https://git.kernel.org/stable/c/96e0028debdd07a6d…
	https://git.kernel.org/stable/c/8fb6112bd49c0e49f…
	https://git.kernel.org/stable/c/ee7fc83ce0e6986ff…
	https://git.kernel.org/stable/c/af8f6f39b8afd772f…

Impacted products

Vendor

Product

Version

Linux

Affected: c97c4090ff72297a878a37715bd301624b71c885 , < 1bbe75d466e5118b7d49ef4a346c3ce5742da4e8 (git)
Affected: c97c4090ff72297a878a37715bd301624b71c885 , < bd4666bf5562fe8e8e5e9bd6fc805d30e1767f43 (git)
Affected: c97c4090ff72297a878a37715bd301624b71c885 , < 42df28994eba7b56c762f7bbe7efd5611a1cd15b (git)
Affected: c97c4090ff72297a878a37715bd301624b71c885 , < 1e3ed59370c712df436791efed120f0c082aa9bc (git)
Affected: c97c4090ff72297a878a37715bd301624b71c885 , < 39781c98ad46b4e85053345dff797240c1ed7935 (git)
Affected: c97c4090ff72297a878a37715bd301624b71c885 , < 96e0028debdd07a6d582f0dfadf9a3ec2b5fffff (git)
Affected: c97c4090ff72297a878a37715bd301624b71c885 , < 8fb6112bd49c0e49f2cf51604231d85ff00284bb (git)
Affected: c97c4090ff72297a878a37715bd301624b71c885 , < ee7fc83ce0e6986ff9b1c1d7e994fbbf8d43861d (git)
Affected: c97c4090ff72297a878a37715bd301624b71c885 , < af8f6f39b8afd772fda4f8e61823ef8c021bf382 (git)

Linux

Affected: 4.5
Unaffected: 0 , < 4.5 (semver)
Unaffected: 4.9.331 , ≤ 4.9.* (semver)
Unaffected: 4.14.296 , ≤ 4.14.* (semver)
Unaffected: 4.19.262 , ≤ 4.19.* (semver)
Unaffected: 5.4.220 , ≤ 5.4.* (semver)
Unaffected: 5.10.150 , ≤ 5.10.* (semver)
Unaffected: 5.15.75 , ≤ 5.15.* (semver)
Unaffected: 5.19.17 , ≤ 5.19.* (semver)
Unaffected: 6.0.3 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/soc/qcom/smsm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1bbe75d466e5118b7d49ef4a346c3ce5742da4e8",
              "status": "affected",
              "version": "c97c4090ff72297a878a37715bd301624b71c885",
              "versionType": "git"
            },
            {
              "lessThan": "bd4666bf5562fe8e8e5e9bd6fc805d30e1767f43",
              "status": "affected",
              "version": "c97c4090ff72297a878a37715bd301624b71c885",
              "versionType": "git"
            },
            {
              "lessThan": "42df28994eba7b56c762f7bbe7efd5611a1cd15b",
              "status": "affected",
              "version": "c97c4090ff72297a878a37715bd301624b71c885",
              "versionType": "git"
            },
            {
              "lessThan": "1e3ed59370c712df436791efed120f0c082aa9bc",
              "status": "affected",
              "version": "c97c4090ff72297a878a37715bd301624b71c885",
              "versionType": "git"
            },
            {
              "lessThan": "39781c98ad46b4e85053345dff797240c1ed7935",
              "status": "affected",
              "version": "c97c4090ff72297a878a37715bd301624b71c885",
              "versionType": "git"
            },
            {
              "lessThan": "96e0028debdd07a6d582f0dfadf9a3ec2b5fffff",
              "status": "affected",
              "version": "c97c4090ff72297a878a37715bd301624b71c885",
              "versionType": "git"
            },
            {
              "lessThan": "8fb6112bd49c0e49f2cf51604231d85ff00284bb",
              "status": "affected",
              "version": "c97c4090ff72297a878a37715bd301624b71c885",
              "versionType": "git"
            },
            {
              "lessThan": "ee7fc83ce0e6986ff9b1c1d7e994fbbf8d43861d",
              "status": "affected",
              "version": "c97c4090ff72297a878a37715bd301624b71c885",
              "versionType": "git"
            },
            {
              "lessThan": "af8f6f39b8afd772fda4f8e61823ef8c021bf382",
              "status": "affected",
              "version": "c97c4090ff72297a878a37715bd301624b71c885",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/soc/qcom/smsm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.5"
            },
            {
              "lessThan": "4.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.331",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.262",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.220",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.331",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.296",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.262",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.220",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.150",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.75",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe()\n\nThere are two refcount leak bugs in qcom_smsm_probe():\n\n(1) The \u0027local_node\u0027 is escaped out from for_each_child_of_node() as\nthe break of iteration, we should call of_node_put() for it in error\npath or when it is not used anymore.\n(2) The \u0027node\u0027 is escaped out from for_each_available_child_of_node()\nas the \u0027goto\u0027, we should call of_node_put() for it in goto target."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-24T10:55:18.548Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1bbe75d466e5118b7d49ef4a346c3ce5742da4e8"
        },
        {
          "url": "https://git.kernel.org/stable/c/bd4666bf5562fe8e8e5e9bd6fc805d30e1767f43"
        },
        {
          "url": "https://git.kernel.org/stable/c/42df28994eba7b56c762f7bbe7efd5611a1cd15b"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e3ed59370c712df436791efed120f0c082aa9bc"
        },
        {
          "url": "https://git.kernel.org/stable/c/39781c98ad46b4e85053345dff797240c1ed7935"
        },
        {
          "url": "https://git.kernel.org/stable/c/96e0028debdd07a6d582f0dfadf9a3ec2b5fffff"
        },
        {
          "url": "https://git.kernel.org/stable/c/8fb6112bd49c0e49f2cf51604231d85ff00284bb"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee7fc83ce0e6986ff9b1c1d7e994fbbf8d43861d"
        },
        {
          "url": "https://git.kernel.org/stable/c/af8f6f39b8afd772fda4f8e61823ef8c021bf382"
        }
      ],
      "title": "soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50703",
    "datePublished": "2025-12-24T10:55:18.548Z",
    "dateReserved": "2025-12-24T10:53:15.518Z",
    "dateUpdated": "2025-12-24T10:55:18.548Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68254 (GCVE-0-2025-68254)

Vulnerability from cvelistv5 – Published: 2025-12-16 14:44 – Updated: 2026-01-19 12:18

Title

staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing

Summary

In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing The Extended Supported Rates (ESR) IE handling in OnBeacon accessed *(p + 1 + ielen) and *(p + 2 + ielen) without verifying that these offsets lie within the received frame buffer. A malformed beacon with an ESR IE positioned at the end of the buffer could cause an out-of-bounds read, potentially triggering a kernel panic. Add a boundary check to ensure that the ESR IE body and the subsequent bytes are within the limits of the frame before attempting to access them. This prevents OOB reads caused by malformed beacon frames.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c03cb111628924827…
	https://git.kernel.org/stable/c/bb5940193d8134495…
	https://git.kernel.org/stable/c/c173ce97d3f0f0c0f…
	https://git.kernel.org/stable/c/d1ab7f9cee22e7b8a…
	https://git.kernel.org/stable/c/38292407c2bb5b2b3…
	https://git.kernel.org/stable/c/bf323db1d883c2098…
	https://git.kernel.org/stable/c/502ddcc405b69fa92…

Impacted products

Vendor

Product

Version

Linux

Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < c03cb111628924827351e19baa5b073e9b0d723d (git)
Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < bb5940193d813449540d8d3a82abc045be41f48a (git)
Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < c173ce97d3f0f0c0fefa39139d6d04ba60b5db22 (git)
Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < d1ab7f9cee22e7b8a528da9ac953e4193b96cda5 (git)
Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 38292407c2bb5b2b3131aaace4ecc7a829b40b76 (git)
Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < bf323db1d883c209880bd92f3b12503e3531c3fc (git)
Affected: 554c0a3abf216c991c5ebddcdb2c08689ecd290b , < 502ddcc405b69fa92e0add6c1714d654504f6fd7 (git)

Linux

Affected: 4.12
Unaffected: 0 , < 4.12 (semver)
Unaffected: 5.15.198 , ≤ 5.15.* (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.62 , ≤ 6.12.* (semver)
Unaffected: 6.17.12 , ≤ 6.17.* (semver)
Unaffected: 6.18.1 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/staging/rtl8723bs/core/rtw_mlme_ext.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c03cb111628924827351e19baa5b073e9b0d723d",
              "status": "affected",
              "version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
              "versionType": "git"
            },
            {
              "lessThan": "bb5940193d813449540d8d3a82abc045be41f48a",
              "status": "affected",
              "version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
              "versionType": "git"
            },
            {
              "lessThan": "c173ce97d3f0f0c0fefa39139d6d04ba60b5db22",
              "status": "affected",
              "version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
              "versionType": "git"
            },
            {
              "lessThan": "d1ab7f9cee22e7b8a528da9ac953e4193b96cda5",
              "status": "affected",
              "version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
              "versionType": "git"
            },
            {
              "lessThan": "38292407c2bb5b2b3131aaace4ecc7a829b40b76",
              "status": "affected",
              "version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
              "versionType": "git"
            },
            {
              "lessThan": "bf323db1d883c209880bd92f3b12503e3531c3fc",
              "status": "affected",
              "version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
              "versionType": "git"
            },
            {
              "lessThan": "502ddcc405b69fa92e0add6c1714d654504f6fd7",
              "status": "affected",
              "version": "554c0a3abf216c991c5ebddcdb2c08689ecd290b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/staging/rtl8723bs/core/rtw_mlme_ext.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.12"
            },
            {
              "lessThan": "4.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.62",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.198",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.62",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.12",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.1",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing\n\nThe Extended Supported Rates (ESR) IE handling in OnBeacon accessed\n*(p + 1 + ielen) and *(p + 2 + ielen) without verifying that these\noffsets lie within the received frame buffer. A malformed beacon with\nan ESR IE positioned at the end of the buffer could cause an\nout-of-bounds read, potentially triggering a kernel panic.\n\nAdd a boundary check to ensure that the ESR IE body and the subsequent\nbytes are within the limits of the frame before attempting to access\nthem.\n\nThis prevents OOB reads caused by malformed beacon frames."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-19T12:18:08.032Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c03cb111628924827351e19baa5b073e9b0d723d"
        },
        {
          "url": "https://git.kernel.org/stable/c/bb5940193d813449540d8d3a82abc045be41f48a"
        },
        {
          "url": "https://git.kernel.org/stable/c/c173ce97d3f0f0c0fefa39139d6d04ba60b5db22"
        },
        {
          "url": "https://git.kernel.org/stable/c/d1ab7f9cee22e7b8a528da9ac953e4193b96cda5"
        },
        {
          "url": "https://git.kernel.org/stable/c/38292407c2bb5b2b3131aaace4ecc7a829b40b76"
        },
        {
          "url": "https://git.kernel.org/stable/c/bf323db1d883c209880bd92f3b12503e3531c3fc"
        },
        {
          "url": "https://git.kernel.org/stable/c/502ddcc405b69fa92e0add6c1714d654504f6fd7"
        }
      ],
      "title": "staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68254",
    "datePublished": "2025-12-16T14:44:57.204Z",
    "dateReserved": "2025-12-16T13:41:40.266Z",
    "dateUpdated": "2026-01-19T12:18:08.032Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40018 (GCVE-0-2025-40018)

Vulnerability from cvelistv5 – Published: 2025-10-24 11:44 – Updated: 2025-12-01 06:16

Title

ipvs: Defer ip_vs_ftp unregister during netns cleanup

Summary

In the Linux kernel, the following vulnerability has been resolved: ipvs: Defer ip_vs_ftp unregister during netns cleanup On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp before connections with valid cp->app pointers are flushed, leading to a use-after-free. Fix this by introducing a global `exiting_module` flag, set to true in ip_vs_ftp_exit() before unregistering the pernet subsystem. In __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns cleanup (when exiting_module is false) and defer it to __ip_vs_cleanup_batch(), which unregisters all apps after all connections are flushed. If called during module exit, unregister ip_vs_ftp immediately.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/8a6ecab3847c213ce…
	https://git.kernel.org/stable/c/421b1ae1574dfdda6…
	https://git.kernel.org/stable/c/1d79471414d7b9424…
	https://git.kernel.org/stable/c/53717f8a4347b78ea…
	https://git.kernel.org/stable/c/8cbe2a21d85727b66…
	https://git.kernel.org/stable/c/dc1a481359a72ee7e…
	https://git.kernel.org/stable/c/a343811ef138a2654…
	https://git.kernel.org/stable/c/134121bfd99a06d44…

Impacted products

Vendor

Product

Version

Linux

Affected: 61b1ab4583e275af216c8454b9256de680499b19 , < 8a6ecab3847c213ce2855b0378e63ce839085de3 (git)
Affected: 61b1ab4583e275af216c8454b9256de680499b19 , < 421b1ae1574dfdda68b835c15ac4921ec0030182 (git)
Affected: 61b1ab4583e275af216c8454b9256de680499b19 , < 1d79471414d7b9424d699afff2aa79fff322f52d (git)
Affected: 61b1ab4583e275af216c8454b9256de680499b19 , < 53717f8a4347b78eac6488072ad8e5adbaff38d9 (git)
Affected: 61b1ab4583e275af216c8454b9256de680499b19 , < 8cbe2a21d85727b66d7c591fd5d83df0d8c4f757 (git)
Affected: 61b1ab4583e275af216c8454b9256de680499b19 , < dc1a481359a72ee7e548f1f5da671282a7c13b8f (git)
Affected: 61b1ab4583e275af216c8454b9256de680499b19 , < a343811ef138a265407167294275201621e9ebb2 (git)
Affected: 61b1ab4583e275af216c8454b9256de680499b19 , < 134121bfd99a06d44ef5ba15a9beb075297c0821 (git)

Linux

Affected: 2.6.39
Unaffected: 0 , < 2.6.39 (semver)
Unaffected: 5.4.301 , ≤ 5.4.* (semver)
Unaffected: 5.10.246 , ≤ 5.10.* (semver)
Unaffected: 5.15.195 , ≤ 5.15.* (semver)
Unaffected: 6.1.156 , ≤ 6.1.* (semver)
Unaffected: 6.6.112 , ≤ 6.6.* (semver)
Unaffected: 6.12.53 , ≤ 6.12.* (semver)
Unaffected: 6.17.3 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/ipvs/ip_vs_ftp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8a6ecab3847c213ce2855b0378e63ce839085de3",
              "status": "affected",
              "version": "61b1ab4583e275af216c8454b9256de680499b19",
              "versionType": "git"
            },
            {
              "lessThan": "421b1ae1574dfdda68b835c15ac4921ec0030182",
              "status": "affected",
              "version": "61b1ab4583e275af216c8454b9256de680499b19",
              "versionType": "git"
            },
            {
              "lessThan": "1d79471414d7b9424d699afff2aa79fff322f52d",
              "status": "affected",
              "version": "61b1ab4583e275af216c8454b9256de680499b19",
              "versionType": "git"
            },
            {
              "lessThan": "53717f8a4347b78eac6488072ad8e5adbaff38d9",
              "status": "affected",
              "version": "61b1ab4583e275af216c8454b9256de680499b19",
              "versionType": "git"
            },
            {
              "lessThan": "8cbe2a21d85727b66d7c591fd5d83df0d8c4f757",
              "status": "affected",
              "version": "61b1ab4583e275af216c8454b9256de680499b19",
              "versionType": "git"
            },
            {
              "lessThan": "dc1a481359a72ee7e548f1f5da671282a7c13b8f",
              "status": "affected",
              "version": "61b1ab4583e275af216c8454b9256de680499b19",
              "versionType": "git"
            },
            {
              "lessThan": "a343811ef138a265407167294275201621e9ebb2",
              "status": "affected",
              "version": "61b1ab4583e275af216c8454b9256de680499b19",
              "versionType": "git"
            },
            {
              "lessThan": "134121bfd99a06d44ef5ba15a9beb075297c0821",
              "status": "affected",
              "version": "61b1ab4583e275af216c8454b9256de680499b19",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/ipvs/ip_vs_ftp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.39"
            },
            {
              "lessThan": "2.6.39",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.301",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.246",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.195",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.156",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.112",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.53",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.301",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.246",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.195",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.156",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.112",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.53",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.3",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: Defer ip_vs_ftp unregister during netns cleanup\n\nOn the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp\nbefore connections with valid cp-\u003eapp pointers are flushed, leading to a\nuse-after-free.\n\nFix this by introducing a global `exiting_module` flag, set to true in\nip_vs_ftp_exit() before unregistering the pernet subsystem. In\n__ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns\ncleanup (when exiting_module is false) and defer it to\n__ip_vs_cleanup_batch(), which unregisters all apps after all connections\nare flushed. If called during module exit, unregister ip_vs_ftp\nimmediately."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-01T06:16:24.186Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8a6ecab3847c213ce2855b0378e63ce839085de3"
        },
        {
          "url": "https://git.kernel.org/stable/c/421b1ae1574dfdda68b835c15ac4921ec0030182"
        },
        {
          "url": "https://git.kernel.org/stable/c/1d79471414d7b9424d699afff2aa79fff322f52d"
        },
        {
          "url": "https://git.kernel.org/stable/c/53717f8a4347b78eac6488072ad8e5adbaff38d9"
        },
        {
          "url": "https://git.kernel.org/stable/c/8cbe2a21d85727b66d7c591fd5d83df0d8c4f757"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc1a481359a72ee7e548f1f5da671282a7c13b8f"
        },
        {
          "url": "https://git.kernel.org/stable/c/a343811ef138a265407167294275201621e9ebb2"
        },
        {
          "url": "https://git.kernel.org/stable/c/134121bfd99a06d44ef5ba15a9beb075297c0821"
        }
      ],
      "title": "ipvs: Defer ip_vs_ftp unregister during netns cleanup",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40018",
    "datePublished": "2025-10-24T11:44:28.955Z",
    "dateReserved": "2025-04-16T07:20:57.152Z",
    "dateUpdated": "2025-12-01T06:16:24.186Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68213 (GCVE-0-2025-68213)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:57 – Updated: 2025-12-16 13:57

Title

idpf: fix possible vport_config NULL pointer deref in remove

Summary

In the Linux kernel, the following vulnerability has been resolved: idpf: fix possible vport_config NULL pointer deref in remove Attempting to remove the driver will cause a crash in cases where the vport failed to initialize. Following trace is from an instance where the driver failed during an attempt to create a VF: [ 1661.543624] idpf 0000:84:00.7: Device HW Reset initiated [ 1722.923726] idpf 0000:84:00.7: Transaction timed-out (op:1 cookie:2900 vc_op:1 salt:29 timeout:60000ms) [ 1723.353263] BUG: kernel NULL pointer dereference, address: 0000000000000028 ... [ 1723.358472] RIP: 0010:idpf_remove+0x11c/0x200 [idpf] ... [ 1723.364973] Call Trace: [ 1723.365475] <TASK> [ 1723.365972] pci_device_remove+0x42/0xb0 [ 1723.366481] device_release_driver_internal+0x1a9/0x210 [ 1723.366987] pci_stop_bus_device+0x6d/0x90 [ 1723.367488] pci_stop_and_remove_bus_device+0x12/0x20 [ 1723.367971] pci_iov_remove_virtfn+0xbd/0x120 [ 1723.368309] sriov_disable+0x34/0xe0 [ 1723.368643] idpf_sriov_configure+0x58/0x140 [idpf] [ 1723.368982] sriov_numvfs_store+0xda/0x1c0 Avoid the NULL pointer dereference by adding NULL pointer check for vport_config[i], before freeing user_config.q_coalesce.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a0e1c9bc1c9fe7359…
	https://git.kernel.org/stable/c/d5be8663cff0ba7b9…
	https://git.kernel.org/stable/c/118082368c2b6ddef…

Impacted products

Vendor

Product

Version

Linux

Affected: bd80fbf3ed250ca98923780dab5e634db5d2f828 , < a0e1c9bc1c9fe735978150ad075616a728073bc7 (git)
Affected: e1e3fec3e34b4934a9d2c98e4ee00a4d87b19179 , < d5be8663cff0ba7b94da34ebd499ce1123b4c334 (git)
Affected: e1e3fec3e34b4934a9d2c98e4ee00a4d87b19179 , < 118082368c2b6ddefe6cb607efc312285148f044 (git)
Affected: 5e87b3145578a169839e456fa0aba86e123d2d8e (git)
Affected: ba11b0f3e9a97661f6caeee3dfc633af8ecee5a5 (git)

Linux

Affected: 6.17
Unaffected: 0 , < 6.17 (semver)
Unaffected: 6.12.60 , ≤ 6.12.* (semver)
Unaffected: 6.17.10 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/idpf/idpf_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a0e1c9bc1c9fe735978150ad075616a728073bc7",
              "status": "affected",
              "version": "bd80fbf3ed250ca98923780dab5e634db5d2f828",
              "versionType": "git"
            },
            {
              "lessThan": "d5be8663cff0ba7b94da34ebd499ce1123b4c334",
              "status": "affected",
              "version": "e1e3fec3e34b4934a9d2c98e4ee00a4d87b19179",
              "versionType": "git"
            },
            {
              "lessThan": "118082368c2b6ddefe6cb607efc312285148f044",
              "status": "affected",
              "version": "e1e3fec3e34b4934a9d2c98e4ee00a4d87b19179",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "5e87b3145578a169839e456fa0aba86e123d2d8e",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "ba11b0f3e9a97661f6caeee3dfc633af8ecee5a5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/idpf/idpf_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.17"
            },
            {
              "lessThan": "6.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.60",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.60",
                  "versionStartIncluding": "6.12.43",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.10",
                  "versionStartIncluding": "6.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.15.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.16.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix possible vport_config NULL pointer deref in remove\n\nAttempting to remove the driver will cause a crash in cases where\nthe vport failed to initialize. Following trace is from an instance where\nthe driver failed during an attempt to create a VF:\n[ 1661.543624] idpf 0000:84:00.7: Device HW Reset initiated\n[ 1722.923726] idpf 0000:84:00.7: Transaction timed-out (op:1 cookie:2900 vc_op:1 salt:29 timeout:60000ms)\n[ 1723.353263] BUG: kernel NULL pointer dereference, address: 0000000000000028\n...\n[ 1723.358472] RIP: 0010:idpf_remove+0x11c/0x200 [idpf]\n...\n[ 1723.364973] Call Trace:\n[ 1723.365475]  \u003cTASK\u003e\n[ 1723.365972]  pci_device_remove+0x42/0xb0\n[ 1723.366481]  device_release_driver_internal+0x1a9/0x210\n[ 1723.366987]  pci_stop_bus_device+0x6d/0x90\n[ 1723.367488]  pci_stop_and_remove_bus_device+0x12/0x20\n[ 1723.367971]  pci_iov_remove_virtfn+0xbd/0x120\n[ 1723.368309]  sriov_disable+0x34/0xe0\n[ 1723.368643]  idpf_sriov_configure+0x58/0x140 [idpf]\n[ 1723.368982]  sriov_numvfs_store+0xda/0x1c0\n\nAvoid the NULL pointer dereference by adding NULL pointer check for\nvport_config[i], before freeing user_config.q_coalesce."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T13:57:09.046Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a0e1c9bc1c9fe735978150ad075616a728073bc7"
        },
        {
          "url": "https://git.kernel.org/stable/c/d5be8663cff0ba7b94da34ebd499ce1123b4c334"
        },
        {
          "url": "https://git.kernel.org/stable/c/118082368c2b6ddefe6cb607efc312285148f044"
        }
      ],
      "title": "idpf: fix possible vport_config NULL pointer deref in remove",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68213",
    "datePublished": "2025-12-16T13:57:09.046Z",
    "dateReserved": "2025-12-16T13:41:40.256Z",
    "dateUpdated": "2025-12-16T13:57:09.046Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40303 (GCVE-0-2025-40303)

Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-01-02 15:33

Title

btrfs: ensure no dirty metadata is written back for an fs with errors

Summary

In the Linux kernel, the following vulnerability has been resolved: btrfs: ensure no dirty metadata is written back for an fs with errors [BUG] During development of a minor feature (make sure all btrfs_bio::end_io() is called in task context), I noticed a crash in generic/388, where metadata writes triggered new works after btrfs_stop_all_workers(). It turns out that it can even happen without any code modification, just using RAID5 for metadata and the same workload from generic/388 is going to trigger the use-after-free. [CAUSE] If btrfs hits an error, the fs is marked as error, no new transaction is allowed thus metadata is in a frozen state. But there are some metadata modifications before that error, and they are still in the btree inode page cache. Since there will be no real transaction commit, all those dirty folios are just kept as is in the page cache, and they can not be invalidated by invalidate_inode_pages2() call inside close_ctree(), because they are dirty. And finally after btrfs_stop_all_workers(), we call iput() on btree inode, which triggers writeback of those dirty metadata. And if the fs is using RAID56 metadata, this will trigger RMW and queue new works into rmw_workers, which is already stopped, causing warning from queue_work() and use-after-free. [FIX] Add a special handling for write_one_eb(), that if the fs is already in an error state, immediately mark the bbio as failure, instead of really submitting them. Then during close_ctree(), iput() will just discard all those dirty tree blocks without really writing them back, thus no more new jobs for already stopped-and-freed workqueues. The extra discard in write_one_eb() also acts as an extra safenet. E.g. the transaction abort is triggered by some extent/free space tree corruptions, and since extent/free space tree is already corrupted some tree blocks may be allocated where they shouldn't be (overwriting existing tree blocks). In that case writing them back will further corrupting the fs.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/066ee13f05fbd82ad…
	https://git.kernel.org/stable/c/e2b3859067bf012d5…
	https://git.kernel.org/stable/c/54a5b5a15588e3b0b…
	https://git.kernel.org/stable/c/2618849f31e7cf51f…

Impacted products

Vendor

Product

Version

Linux

Affected: 13e6c37b989859e70b0d73d3f2cb0aa022159b17 , < 066ee13f05fbd82ada01883e51f0695172f98dff (git)
Affected: 13e6c37b989859e70b0d73d3f2cb0aa022159b17 , < e2b3859067bf012d53c49b3f885fef40624a2c83 (git)
Affected: 13e6c37b989859e70b0d73d3f2cb0aa022159b17 , < 54a5b5a15588e3b0b294df31474d08a2678d4291 (git)
Affected: 13e6c37b989859e70b0d73d3f2cb0aa022159b17 , < 2618849f31e7cf51fadd4a5242458501a6d5b315 (git)

Linux

Affected: 3.10
Unaffected: 0 , < 3.10 (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/extent_io.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "066ee13f05fbd82ada01883e51f0695172f98dff",
              "status": "affected",
              "version": "13e6c37b989859e70b0d73d3f2cb0aa022159b17",
              "versionType": "git"
            },
            {
              "lessThan": "e2b3859067bf012d53c49b3f885fef40624a2c83",
              "status": "affected",
              "version": "13e6c37b989859e70b0d73d3f2cb0aa022159b17",
              "versionType": "git"
            },
            {
              "lessThan": "54a5b5a15588e3b0b294df31474d08a2678d4291",
              "status": "affected",
              "version": "13e6c37b989859e70b0d73d3f2cb0aa022159b17",
              "versionType": "git"
            },
            {
              "lessThan": "2618849f31e7cf51fadd4a5242458501a6d5b315",
              "status": "affected",
              "version": "13e6c37b989859e70b0d73d3f2cb0aa022159b17",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/extent_io.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.10"
            },
            {
              "lessThan": "3.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: ensure no dirty metadata is written back for an fs with errors\n\n[BUG]\nDuring development of a minor feature (make sure all btrfs_bio::end_io()\nis called in task context), I noticed a crash in generic/388, where\nmetadata writes triggered new works after btrfs_stop_all_workers().\n\nIt turns out that it can even happen without any code modification, just\nusing RAID5 for metadata and the same workload from generic/388 is going\nto trigger the use-after-free.\n\n[CAUSE]\nIf btrfs hits an error, the fs is marked as error, no new\ntransaction is allowed thus metadata is in a frozen state.\n\nBut there are some metadata modifications before that error, and they are\nstill in the btree inode page cache.\n\nSince there will be no real transaction commit, all those dirty folios\nare just kept as is in the page cache, and they can not be invalidated\nby invalidate_inode_pages2() call inside close_ctree(), because they are\ndirty.\n\nAnd finally after btrfs_stop_all_workers(), we call iput() on btree\ninode, which triggers writeback of those dirty metadata.\n\nAnd if the fs is using RAID56 metadata, this will trigger RMW and queue\nnew works into rmw_workers, which is already stopped, causing warning\nfrom queue_work() and use-after-free.\n\n[FIX]\nAdd a special handling for write_one_eb(), that if the fs is already in\nan error state, immediately mark the bbio as failure, instead of really\nsubmitting them.\n\nThen during close_ctree(), iput() will just discard all those dirty\ntree blocks without really writing them back, thus no more new jobs for\nalready stopped-and-freed workqueues.\n\nThe extra discard in write_one_eb() also acts as an extra safenet.\nE.g. the transaction abort is triggered by some extent/free space\ntree corruptions, and since extent/free space tree is already corrupted\nsome tree blocks may be allocated where they shouldn\u0027t be (overwriting\nexisting tree blocks). In that case writing them back will further\ncorrupting the fs."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:33:24.871Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/066ee13f05fbd82ada01883e51f0695172f98dff"
        },
        {
          "url": "https://git.kernel.org/stable/c/e2b3859067bf012d53c49b3f885fef40624a2c83"
        },
        {
          "url": "https://git.kernel.org/stable/c/54a5b5a15588e3b0b294df31474d08a2678d4291"
        },
        {
          "url": "https://git.kernel.org/stable/c/2618849f31e7cf51fadd4a5242458501a6d5b315"
        }
      ],
      "title": "btrfs: ensure no dirty metadata is written back for an fs with errors",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40303",
    "datePublished": "2025-12-08T00:46:27.820Z",
    "dateReserved": "2025-04-16T07:20:57.185Z",
    "dateUpdated": "2026-01-02T15:33:24.871Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40213 (GCVE-0-2025-40213)

Vulnerability from cvelistv5 – Published: 2025-11-24 15:59 – Updated: 2025-12-01 06:20

Title

Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to memcpy from badly declared on-stack flexible array. Another crash is in set_mesh_complete() due to double list_del via mgmt_pending_valid + mgmt_pending_remove. Use DEFINE_FLEX to declare the flexible array right, and don't memcpy outside bounds. As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free, and also report status on error.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/5c19daa93d9af29f1…
	https://git.kernel.org/stable/c/1c9aca1787e8395a2…
	https://git.kernel.org/stable/c/e8785404de06a69d8…

Impacted products

Vendor

Product

Version

Linux

Affected: d71b98f253b079cbadc83266383f26fe7e9e103b , < 5c19daa93d9af29f1f46251b47e1ea66bcc8d679 (git)
Affected: 302a1f674c00dd5581ab8e493ef44767c5101aab , < 1c9aca1787e8395a2c59fef20e914467958969c5 (git)
Affected: 302a1f674c00dd5581ab8e493ef44767c5101aab , < e8785404de06a69d89dcdd1e9a0b6ea42dc6d327 (git)
Affected: 87a1f16f07c6c43771754075e08f45b41d237421 (git)

Linux

Affected: 6.17
Unaffected: 0 , < 6.17 (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/bluetooth/mgmt.h",
            "net/bluetooth/mgmt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5c19daa93d9af29f1f46251b47e1ea66bcc8d679",
              "status": "affected",
              "version": "d71b98f253b079cbadc83266383f26fe7e9e103b",
              "versionType": "git"
            },
            {
              "lessThan": "1c9aca1787e8395a2c59fef20e914467958969c5",
              "status": "affected",
              "version": "302a1f674c00dd5581ab8e493ef44767c5101aab",
              "versionType": "git"
            },
            {
              "lessThan": "e8785404de06a69d89dcdd1e9a0b6ea42dc6d327",
              "status": "affected",
              "version": "302a1f674c00dd5581ab8e493ef44767c5101aab",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "87a1f16f07c6c43771754075e08f45b41d237421",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/bluetooth/mgmt.h",
            "net/bluetooth/mgmt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.17"
            },
            {
              "lessThan": "6.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "6.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.16.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete\n\nThere is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to\nmemcpy from badly declared on-stack flexible array.\n\nAnother crash is in set_mesh_complete() due to double list_del via\nmgmt_pending_valid + mgmt_pending_remove.\n\nUse DEFINE_FLEX to declare the flexible array right, and don\u0027t memcpy\noutside bounds.\n\nAs mgmt_pending_valid removes the cmd from list, use mgmt_pending_free,\nand also report status on error."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-01T06:20:19.302Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5c19daa93d9af29f1f46251b47e1ea66bcc8d679"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c9aca1787e8395a2c59fef20e914467958969c5"
        },
        {
          "url": "https://git.kernel.org/stable/c/e8785404de06a69d89dcdd1e9a0b6ea42dc6d327"
        }
      ],
      "title": "Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40213",
    "datePublished": "2025-11-24T15:59:44.000Z",
    "dateReserved": "2025-04-16T07:20:57.179Z",
    "dateUpdated": "2025-12-01T06:20:19.302Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68222 (GCVE-0-2025-68222)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:57 – Updated: 2025-12-16 13:57

Title

pinctrl: s32cc: fix uninitialized memory in s32_pinctrl_desc

Summary

In the Linux kernel, the following vulnerability has been resolved: pinctrl: s32cc: fix uninitialized memory in s32_pinctrl_desc s32_pinctrl_desc is allocated with devm_kmalloc(), but not all of its fields are initialized. Notably, num_custom_params is used in pinconf_generic_parse_dt_config(), resulting in intermittent allocation errors, such as the following splat when probing i2c-imx: WARNING: CPU: 0 PID: 176 at mm/page_alloc.c:4795 __alloc_pages_noprof+0x290/0x300 [...] Hardware name: NXP S32G3 Reference Design Board 3 (S32G-VNP-RDB3) (DT) [...] Call trace: __alloc_pages_noprof+0x290/0x300 (P) ___kmalloc_large_node+0x84/0x168 __kmalloc_large_node_noprof+0x34/0x120 __kmalloc_noprof+0x2ac/0x378 pinconf_generic_parse_dt_config+0x68/0x1a0 s32_dt_node_to_map+0x104/0x248 dt_to_map_one_config+0x154/0x1d8 pinctrl_dt_to_map+0x12c/0x280 create_pinctrl+0x6c/0x270 pinctrl_get+0xc0/0x170 devm_pinctrl_get+0x50/0xa0 pinctrl_bind_pins+0x60/0x2a0 really_probe+0x60/0x3a0 [...] __platform_driver_register+0x2c/0x40 i2c_adap_imx_init+0x28/0xff8 [i2c_imx] [...] This results in later parse failures that can cause issues in dependent drivers: s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property [...] pca953x 0-0022: failed writing register: -6 i2c i2c-0: IMX I2C adapter registered s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property i2c i2c-1: IMX I2C adapter registered s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property i2c i2c-2: IMX I2C adapter registered Fix this by initializing s32_pinctrl_desc with devm_kzalloc() instead of devm_kmalloc() in s32_pinctrl_probe(), which sets the previously uninitialized fields to zero.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/3b90bd8aaeb21b513…
	https://git.kernel.org/stable/c/583ac7f65791ceda3…
	https://git.kernel.org/stable/c/7bbdd6c30e8fd92f7…
	https://git.kernel.org/stable/c/97ea34defbb57bfaf…

Impacted products

Vendor

Product

Version

Linux

Affected: fd84aaa8173d3ff86f8df2009921336a1ea53a8a , < 3b90bd8aaeb21b513ecc4ed03299e80ece44a333 (git)
Affected: fd84aaa8173d3ff86f8df2009921336a1ea53a8a , < 583ac7f65791ceda38ea1a493a4859f7161dcb03 (git)
Affected: fd84aaa8173d3ff86f8df2009921336a1ea53a8a , < 7bbdd6c30e8fd92f7165b7730b038cfe42102004 (git)
Affected: fd84aaa8173d3ff86f8df2009921336a1ea53a8a , < 97ea34defbb57bfaf71ce487b1b0865ffd186e81 (git)

Linux

Affected: 6.4
Unaffected: 0 , < 6.4 (semver)
Unaffected: 6.6.118 , ≤ 6.6.* (semver)
Unaffected: 6.12.60 , ≤ 6.12.* (semver)
Unaffected: 6.17.10 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/pinctrl/nxp/pinctrl-s32cc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3b90bd8aaeb21b513ecc4ed03299e80ece44a333",
              "status": "affected",
              "version": "fd84aaa8173d3ff86f8df2009921336a1ea53a8a",
              "versionType": "git"
            },
            {
              "lessThan": "583ac7f65791ceda38ea1a493a4859f7161dcb03",
              "status": "affected",
              "version": "fd84aaa8173d3ff86f8df2009921336a1ea53a8a",
              "versionType": "git"
            },
            {
              "lessThan": "7bbdd6c30e8fd92f7165b7730b038cfe42102004",
              "status": "affected",
              "version": "fd84aaa8173d3ff86f8df2009921336a1ea53a8a",
              "versionType": "git"
            },
            {
              "lessThan": "97ea34defbb57bfaf71ce487b1b0865ffd186e81",
              "status": "affected",
              "version": "fd84aaa8173d3ff86f8df2009921336a1ea53a8a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/pinctrl/nxp/pinctrl-s32cc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.118",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.60",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.118",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.60",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.10",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: s32cc: fix uninitialized memory in s32_pinctrl_desc\n\ns32_pinctrl_desc is allocated with devm_kmalloc(), but not all of its\nfields are initialized. Notably, num_custom_params is used in\npinconf_generic_parse_dt_config(), resulting in intermittent allocation\nerrors, such as the following splat when probing i2c-imx:\n\n        WARNING: CPU: 0 PID: 176 at mm/page_alloc.c:4795 __alloc_pages_noprof+0x290/0x300\n        [...]\n        Hardware name: NXP S32G3 Reference Design Board 3 (S32G-VNP-RDB3) (DT)\n        [...]\n        Call trace:\n         __alloc_pages_noprof+0x290/0x300 (P)\n         ___kmalloc_large_node+0x84/0x168\n         __kmalloc_large_node_noprof+0x34/0x120\n         __kmalloc_noprof+0x2ac/0x378\n         pinconf_generic_parse_dt_config+0x68/0x1a0\n         s32_dt_node_to_map+0x104/0x248\n         dt_to_map_one_config+0x154/0x1d8\n         pinctrl_dt_to_map+0x12c/0x280\n         create_pinctrl+0x6c/0x270\n         pinctrl_get+0xc0/0x170\n         devm_pinctrl_get+0x50/0xa0\n         pinctrl_bind_pins+0x60/0x2a0\n         really_probe+0x60/0x3a0\n        [...]\n         __platform_driver_register+0x2c/0x40\n         i2c_adap_imx_init+0x28/0xff8 [i2c_imx]\n        [...]\n\nThis results in later parse failures that can cause issues in dependent\ndrivers:\n\n        s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property\n        s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property\n        [...]\n        pca953x 0-0022: failed writing register: -6\n        i2c i2c-0: IMX I2C adapter registered\n        s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property\n        s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property\n        i2c i2c-1: IMX I2C adapter registered\n        s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property\n        s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property\n        i2c i2c-2: IMX I2C adapter registered\n\nFix this by initializing s32_pinctrl_desc with devm_kzalloc() instead of\ndevm_kmalloc() in s32_pinctrl_probe(), which sets the previously\nuninitialized fields to zero."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T13:57:15.832Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3b90bd8aaeb21b513ecc4ed03299e80ece44a333"
        },
        {
          "url": "https://git.kernel.org/stable/c/583ac7f65791ceda38ea1a493a4859f7161dcb03"
        },
        {
          "url": "https://git.kernel.org/stable/c/7bbdd6c30e8fd92f7165b7730b038cfe42102004"
        },
        {
          "url": "https://git.kernel.org/stable/c/97ea34defbb57bfaf71ce487b1b0865ffd186e81"
        }
      ],
      "title": "pinctrl: s32cc: fix uninitialized memory in s32_pinctrl_desc",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68222",
    "datePublished": "2025-12-16T13:57:15.832Z",
    "dateReserved": "2025-12-16T13:41:40.257Z",
    "dateUpdated": "2025-12-16T13:57:15.832Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40330 (GCVE-0-2025-40330)

Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2025-12-09 04:09

Title

bnxt_en: Shutdown FW DMA in bnxt_shutdown()

Summary

In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Shutdown FW DMA in bnxt_shutdown() The netif_close() call in bnxt_shutdown() only stops packet DMA. There may be FW DMA for trace logging (recently added) that will continue. If we kexec to a new kernel, the DMA will corrupt memory in the new kernel. Add bnxt_hwrm_func_drv_unrgtr() to unregister the driver from the FW. This will stop the FW DMA. In case the call fails, call pcie_flr() to reset the function and stop the DMA.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/1a8a15c3f71d1199d…
	https://git.kernel.org/stable/c/bc7208ca805ae6062…

Impacted products

Vendor

Product

Version

Linux

Affected: 24d694aec139e9e0a31c60993db79bd8ad575afe , < 1a8a15c3f71d1199d510ccba4bc201cbd2204048 (git)
Affected: 24d694aec139e9e0a31c60993db79bd8ad575afe , < bc7208ca805ae6062f353a4753467d913d963bc6 (git)

Linux

Affected: 6.13
Unaffected: 0 , < 6.13 (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1a8a15c3f71d1199d510ccba4bc201cbd2204048",
              "status": "affected",
              "version": "24d694aec139e9e0a31c60993db79bd8ad575afe",
              "versionType": "git"
            },
            {
              "lessThan": "bc7208ca805ae6062f353a4753467d913d963bc6",
              "status": "affected",
              "version": "24d694aec139e9e0a31c60993db79bd8ad575afe",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Shutdown FW DMA in bnxt_shutdown()\n\nThe netif_close() call in bnxt_shutdown() only stops packet DMA.  There\nmay be FW DMA for trace logging (recently added) that will continue.  If\nwe kexec to a new kernel, the DMA will corrupt memory in the new kernel.\n\nAdd bnxt_hwrm_func_drv_unrgtr() to unregister the driver from the FW.\nThis will stop the FW DMA.  In case the call fails, call pcie_flr() to\nreset the function and stop the DMA."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T04:09:47.251Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1a8a15c3f71d1199d510ccba4bc201cbd2204048"
        },
        {
          "url": "https://git.kernel.org/stable/c/bc7208ca805ae6062f353a4753467d913d963bc6"
        }
      ],
      "title": "bnxt_en: Shutdown FW DMA in bnxt_shutdown()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40330",
    "datePublished": "2025-12-09T04:09:47.251Z",
    "dateReserved": "2025-04-16T07:20:57.186Z",
    "dateUpdated": "2025-12-09T04:09:47.251Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68195 (GCVE-0-2025-68195)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:43 – Updated: 2025-12-16 13:43

Title

x86/CPU/AMD: Add missing terminator for zen5_rdseed_microcode

Summary

In the Linux kernel, the following vulnerability has been resolved: x86/CPU/AMD: Add missing terminator for zen5_rdseed_microcode Running x86_match_min_microcode_rev() on a Zen5 CPU trips up KASAN for an out of bounds access.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4c6b56a76478bd1ab…
	https://git.kernel.org/stable/c/f1fdffe0afea02ba7…

Impacted products

Vendor

Product

Version

Linux

Affected: 36ff93e66d0efc46e39fab536a9feec968daa766 , < 4c6b56a76478bd1ab609827c571905386c11d308 (git)
Affected: 607b9fb2ce248cc5b633c5949e0153838992c152 , < f1fdffe0afea02ba783acfe815b6a60e7180df40 (git)
Affected: e980de2ff109dacb6d9d3a77f01b27c467115ecb (git)

Linux

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/cpu/amd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4c6b56a76478bd1ab609827c571905386c11d308",
              "status": "affected",
              "version": "36ff93e66d0efc46e39fab536a9feec968daa766",
              "versionType": "git"
            },
            {
              "lessThan": "f1fdffe0afea02ba783acfe815b6a60e7180df40",
              "status": "affected",
              "version": "607b9fb2ce248cc5b633c5949e0153838992c152",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "e980de2ff109dacb6d9d3a77f01b27c467115ecb",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/cpu/amd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux"
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.12.58",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/CPU/AMD: Add missing terminator for zen5_rdseed_microcode\n\nRunning x86_match_min_microcode_rev() on a Zen5 CPU trips up KASAN for an out\nof bounds access."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T13:43:21.855Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4c6b56a76478bd1ab609827c571905386c11d308"
        },
        {
          "url": "https://git.kernel.org/stable/c/f1fdffe0afea02ba783acfe815b6a60e7180df40"
        }
      ],
      "title": "x86/CPU/AMD: Add missing terminator for zen5_rdseed_microcode",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68195",
    "datePublished": "2025-12-16T13:43:21.855Z",
    "dateReserved": "2025-12-16T13:41:40.253Z",
    "dateUpdated": "2025-12-16T13:43:21.855Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40238 (GCVE-0-2025-40238)

Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2025-12-04 15:31

Title

net/mlx5: Fix IPsec cleanup over MPV device

Summary

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix IPsec cleanup over MPV device When we do mlx5e_detach_netdev() we eventually disable blocking events notifier, among those events are IPsec MPV events from IB to core. So before disabling those blocking events, make sure to also unregister the devcom device and mark all this device operations as complete, in order to prevent the other device from using invalid netdev during future devcom events which could cause the trace below. BUG: kernel NULL pointer dereference, address: 0000000000000010 PGD 146427067 P4D 146427067 PUD 146488067 PMD 0 Oops: Oops: 0000 [#1] SMP CPU: 1 UID: 0 PID: 7735 Comm: devlink Tainted: GW 6.12.0-rc6_for_upstream_min_debug_2024_11_08_00_46 #1 Tainted: [W]=WARN Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core] Code: 00 01 48 83 05 23 32 1e 00 01 41 b8 ed ff ff ff e9 60 ff ff ff 48 83 05 00 32 1e 00 01 eb e3 66 0f 1f 44 00 00 0f 1f 44 00 00 <48> 8b 47 10 48 83 05 5f 32 1e 00 01 48 8b 50 40 48 85 d2 74 05 40 RSP: 0018:ffff88811a5c35f8 EFLAGS: 00010206 RAX: ffff888106e8ab80 RBX: ffff888107d7e200 RCX: ffff88810d6f0a00 RDX: ffff88810d6f0a00 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffff88811a17e620 R08: 0000000000000040 R09: 0000000000000000 R10: ffff88811a5c3618 R11: 0000000de85d51bd R12: ffff88811a17e600 R13: ffff88810d6f0a00 R14: 0000000000000000 R15: ffff8881034bda80 FS: 00007f27bdf89180(0000) GS:ffff88852c880000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 000000010f159005 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __die+0x20/0x60 ? page_fault_oops+0x150/0x3e0 ? exc_page_fault+0x74/0x130 ? asm_exc_page_fault+0x22/0x30 ? mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core] mlx5e_devcom_event_mpv+0x42/0x60 [mlx5_core] mlx5_devcom_send_event+0x8c/0x170 [mlx5_core] blocking_event+0x17b/0x230 [mlx5_core] notifier_call_chain+0x35/0xa0 blocking_notifier_call_chain+0x3d/0x60 mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core] mlx5_core_mp_event_replay+0x12/0x20 [mlx5_core] mlx5_ib_bind_slave_port+0x228/0x2c0 [mlx5_ib] mlx5_ib_stage_init_init+0x664/0x9d0 [mlx5_ib] ? idr_alloc_cyclic+0x50/0xb0 ? __kmalloc_cache_noprof+0x167/0x340 ? __kmalloc_noprof+0x1a7/0x430 __mlx5_ib_add+0x34/0xd0 [mlx5_ib] mlx5r_probe+0xe9/0x310 [mlx5_ib] ? kernfs_add_one+0x107/0x150 ? __mlx5_ib_add+0xd0/0xd0 [mlx5_ib] auxiliary_bus_probe+0x3e/0x90 really_probe+0xc5/0x3a0 ? driver_probe_device+0x90/0x90 __driver_probe_device+0x80/0x160 driver_probe_device+0x1e/0x90 __device_attach_driver+0x7d/0x100 bus_for_each_drv+0x80/0xd0 __device_attach+0xbc/0x1f0 bus_probe_device+0x86/0xa0 device_add+0x62d/0x830 __auxiliary_device_add+0x3b/0xa0 ? auxiliary_device_init+0x41/0x90 add_adev+0xd1/0x150 [mlx5_core] mlx5_rescan_drivers_locked+0x21c/0x300 [mlx5_core] esw_mode_change+0x6c/0xc0 [mlx5_core] mlx5_devlink_eswitch_mode_set+0x21e/0x640 [mlx5_core] devlink_nl_eswitch_set_doit+0x60/0xe0 genl_family_rcv_msg_doit+0xd0/0x120 genl_rcv_msg+0x180/0x2b0 ? devlink_get_from_attrs_lock+0x170/0x170 ? devlink_nl_eswitch_get_doit+0x290/0x290 ? devlink_nl_pre_doit_port_optional+0x50/0x50 ? genl_family_rcv_msg_dumpit+0xf0/0xf0 netlink_rcv_skb+0x54/0x100 genl_rcv+0x24/0x40 netlink_unicast+0x1fc/0x2d0 netlink_sendmsg+0x1e4/0x410 __sock_sendmsg+0x38/0x60 ? sockfd_lookup_light+0x12/0x60 __sys_sendto+0x105/0x160 ? __sys_recvmsg+0x4e/0x90 __x64_sys_sendto+0x20/0x30 do_syscall_64+0x4c/0x100 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f27bc91b13a Code: bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 8b 05 fa 96 2c 00 45 89 c9 4c 63 d1 48 63 ff 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7e212cebc863c2c7a…
	https://git.kernel.org/stable/c/8956686d398eca6d3…
	https://git.kernel.org/stable/c/664f76be38a18c611…

Impacted products

Vendor

Product

Version

Linux

Affected: 82f9378c443c206d3f9e45844306e5270e7e4109 , < 7e212cebc863c2c7a82f480446cd731721451691 (git)
Affected: 82f9378c443c206d3f9e45844306e5270e7e4109 , < 8956686d398eca6d324d2d164f9d2a281175a3a1 (git)
Affected: 82f9378c443c206d3f9e45844306e5270e7e4109 , < 664f76be38a18c61151d0ef248c7e2f3afb4f3c7 (git)

Linux

Affected: 6.7
Unaffected: 0 , < 6.7 (semver)
Unaffected: 6.12.56 , ≤ 6.12.* (semver)
Unaffected: 6.17.6 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h",
            "drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c",
            "drivers/net/ethernet/mellanox/mlx5/core/en_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7e212cebc863c2c7a82f480446cd731721451691",
              "status": "affected",
              "version": "82f9378c443c206d3f9e45844306e5270e7e4109",
              "versionType": "git"
            },
            {
              "lessThan": "8956686d398eca6d324d2d164f9d2a281175a3a1",
              "status": "affected",
              "version": "82f9378c443c206d3f9e45844306e5270e7e4109",
              "versionType": "git"
            },
            {
              "lessThan": "664f76be38a18c61151d0ef248c7e2f3afb4f3c7",
              "status": "affected",
              "version": "82f9378c443c206d3f9e45844306e5270e7e4109",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h",
            "drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_fs.c",
            "drivers/net/ethernet/mellanox/mlx5/core/en_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.56",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.56",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.6",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix IPsec cleanup over MPV device\n\nWhen we do mlx5e_detach_netdev() we eventually disable blocking events\nnotifier, among those events are IPsec MPV events from IB to core.\n\nSo before disabling those blocking events, make sure to also unregister\nthe devcom device and mark all this device operations as complete,\nin order to prevent the other device from using invalid netdev\nduring future devcom events which could cause the trace below.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000010\nPGD 146427067 P4D 146427067 PUD 146488067 PMD 0\nOops: Oops: 0000 [#1] SMP\nCPU: 1 UID: 0 PID: 7735 Comm: devlink Tainted: GW 6.12.0-rc6_for_upstream_min_debug_2024_11_08_00_46 #1\nTainted: [W]=WARN\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core]\nCode: 00 01 48 83 05 23 32 1e 00 01 41 b8 ed ff ff ff e9 60 ff ff ff 48 83 05 00 32 1e 00 01 eb e3 66 0f 1f 44 00 00 0f 1f 44 00 00 \u003c48\u003e 8b 47 10 48 83 05 5f 32 1e 00 01 48 8b 50 40 48 85 d2 74 05 40\nRSP: 0018:ffff88811a5c35f8 EFLAGS: 00010206\nRAX: ffff888106e8ab80 RBX: ffff888107d7e200 RCX: ffff88810d6f0a00\nRDX: ffff88810d6f0a00 RSI: 0000000000000001 RDI: 0000000000000000\nRBP: ffff88811a17e620 R08: 0000000000000040 R09: 0000000000000000\nR10: ffff88811a5c3618 R11: 0000000de85d51bd R12: ffff88811a17e600\nR13: ffff88810d6f0a00 R14: 0000000000000000 R15: ffff8881034bda80\nFS:  00007f27bdf89180(0000) GS:ffff88852c880000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000010 CR3: 000000010f159005 CR4: 0000000000372eb0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n ? __die+0x20/0x60\n ? page_fault_oops+0x150/0x3e0\n ? exc_page_fault+0x74/0x130\n ? asm_exc_page_fault+0x22/0x30\n ? mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core]\n mlx5e_devcom_event_mpv+0x42/0x60 [mlx5_core]\n mlx5_devcom_send_event+0x8c/0x170 [mlx5_core]\n blocking_event+0x17b/0x230 [mlx5_core]\n notifier_call_chain+0x35/0xa0\n blocking_notifier_call_chain+0x3d/0x60\n mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core]\n mlx5_core_mp_event_replay+0x12/0x20 [mlx5_core]\n mlx5_ib_bind_slave_port+0x228/0x2c0 [mlx5_ib]\n mlx5_ib_stage_init_init+0x664/0x9d0 [mlx5_ib]\n ? idr_alloc_cyclic+0x50/0xb0\n ? __kmalloc_cache_noprof+0x167/0x340\n ? __kmalloc_noprof+0x1a7/0x430\n __mlx5_ib_add+0x34/0xd0 [mlx5_ib]\n mlx5r_probe+0xe9/0x310 [mlx5_ib]\n ? kernfs_add_one+0x107/0x150\n ? __mlx5_ib_add+0xd0/0xd0 [mlx5_ib]\n auxiliary_bus_probe+0x3e/0x90\n really_probe+0xc5/0x3a0\n ? driver_probe_device+0x90/0x90\n __driver_probe_device+0x80/0x160\n driver_probe_device+0x1e/0x90\n __device_attach_driver+0x7d/0x100\n bus_for_each_drv+0x80/0xd0\n __device_attach+0xbc/0x1f0\n bus_probe_device+0x86/0xa0\n device_add+0x62d/0x830\n __auxiliary_device_add+0x3b/0xa0\n ? auxiliary_device_init+0x41/0x90\n add_adev+0xd1/0x150 [mlx5_core]\n mlx5_rescan_drivers_locked+0x21c/0x300 [mlx5_core]\n esw_mode_change+0x6c/0xc0 [mlx5_core]\n mlx5_devlink_eswitch_mode_set+0x21e/0x640 [mlx5_core]\n devlink_nl_eswitch_set_doit+0x60/0xe0\n genl_family_rcv_msg_doit+0xd0/0x120\n genl_rcv_msg+0x180/0x2b0\n ? devlink_get_from_attrs_lock+0x170/0x170\n ? devlink_nl_eswitch_get_doit+0x290/0x290\n ? devlink_nl_pre_doit_port_optional+0x50/0x50\n ? genl_family_rcv_msg_dumpit+0xf0/0xf0\n netlink_rcv_skb+0x54/0x100\n genl_rcv+0x24/0x40\n netlink_unicast+0x1fc/0x2d0\n netlink_sendmsg+0x1e4/0x410\n __sock_sendmsg+0x38/0x60\n ? sockfd_lookup_light+0x12/0x60\n __sys_sendto+0x105/0x160\n ? __sys_recvmsg+0x4e/0x90\n __x64_sys_sendto+0x20/0x30\n do_syscall_64+0x4c/0x100\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\nRIP: 0033:0x7f27bc91b13a\nCode: bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 8b 05 fa 96 2c 00 45 89 c9 4c 63 d1 48 63 ff 85 c0 75 15 b8 2c 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff \n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-04T15:31:28.243Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7e212cebc863c2c7a82f480446cd731721451691"
        },
        {
          "url": "https://git.kernel.org/stable/c/8956686d398eca6d324d2d164f9d2a281175a3a1"
        },
        {
          "url": "https://git.kernel.org/stable/c/664f76be38a18c61151d0ef248c7e2f3afb4f3c7"
        }
      ],
      "title": "net/mlx5: Fix IPsec cleanup over MPV device",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40238",
    "datePublished": "2025-12-04T15:31:28.243Z",
    "dateReserved": "2025-04-16T07:20:57.181Z",
    "dateUpdated": "2025-12-04T15:31:28.243Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40209 (GCVE-0-2025-40209)

Vulnerability from cvelistv5 – Published: 2025-11-21 10:19 – Updated: 2025-12-01 06:20

Title

btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation

Summary

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation When btrfs_add_qgroup_relation() is called with invalid qgroup levels (src >= dst), the function returns -EINVAL directly without freeing the preallocated qgroup_list structure passed by the caller. This causes a memory leak because the caller unconditionally sets the pointer to NULL after the call, preventing any cleanup. The issue occurs because the level validation check happens before the mutex is acquired and before any error handling path that would free the prealloc pointer. On this early return, the cleanup code at the 'out' label (which includes kfree(prealloc)) is never reached. In btrfs_ioctl_qgroup_assign(), the code pattern is: prealloc = kzalloc(sizeof(*prealloc), GFP_KERNEL); ret = btrfs_add_qgroup_relation(trans, sa->src, sa->dst, prealloc); prealloc = NULL; // Always set to NULL regardless of return value ... kfree(prealloc); // This becomes kfree(NULL), does nothing When the level check fails, 'prealloc' is never freed by either the callee or the caller, resulting in a 64-byte memory leak per failed operation. This can be triggered repeatedly by an unprivileged user with access to a writable btrfs mount, potentially exhausting kernel memory. Fix this by freeing prealloc before the early return, ensuring prealloc is always freed on all error paths.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/3412d0e973e8f8381…
	https://git.kernel.org/stable/c/a4d9ebe23bcb79d9d…
	https://git.kernel.org/stable/c/f260c6aff0b8af236…

Impacted products

Vendor

Product

Version

Linux

Affected: 4addc1ffd67ad34394674dc91379dc04cfdd2537 , < 3412d0e973e8f8381747d69033eda809a57a2581 (git)
Affected: 4addc1ffd67ad34394674dc91379dc04cfdd2537 , < a4d9ebe23bcb79d9d057e3c995db73b7b3aae414 (git)
Affected: 4addc1ffd67ad34394674dc91379dc04cfdd2537 , < f260c6aff0b8af236084012d14f9f1bf792ea883 (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/qgroup.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3412d0e973e8f8381747d69033eda809a57a2581",
              "status": "affected",
              "version": "4addc1ffd67ad34394674dc91379dc04cfdd2537",
              "versionType": "git"
            },
            {
              "lessThan": "a4d9ebe23bcb79d9d057e3c995db73b7b3aae414",
              "status": "affected",
              "version": "4addc1ffd67ad34394674dc91379dc04cfdd2537",
              "versionType": "git"
            },
            {
              "lessThan": "f260c6aff0b8af236084012d14f9f1bf792ea883",
              "status": "affected",
              "version": "4addc1ffd67ad34394674dc91379dc04cfdd2537",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/qgroup.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation\n\nWhen btrfs_add_qgroup_relation() is called with invalid qgroup levels\n(src \u003e= dst), the function returns -EINVAL directly without freeing the\npreallocated qgroup_list structure passed by the caller. This causes a\nmemory leak because the caller unconditionally sets the pointer to NULL\nafter the call, preventing any cleanup.\n\nThe issue occurs because the level validation check happens before the\nmutex is acquired and before any error handling path that would free\nthe prealloc pointer. On this early return, the cleanup code at the\n\u0027out\u0027 label (which includes kfree(prealloc)) is never reached.\n\nIn btrfs_ioctl_qgroup_assign(), the code pattern is:\n\n    prealloc = kzalloc(sizeof(*prealloc), GFP_KERNEL);\n    ret = btrfs_add_qgroup_relation(trans, sa-\u003esrc, sa-\u003edst, prealloc);\n    prealloc = NULL;  // Always set to NULL regardless of return value\n    ...\n    kfree(prealloc);  // This becomes kfree(NULL), does nothing\n\nWhen the level check fails, \u0027prealloc\u0027 is never freed by either the\ncallee or the caller, resulting in a 64-byte memory leak per failed\noperation. This can be triggered repeatedly by an unprivileged user\nwith access to a writable btrfs mount, potentially exhausting kernel\nmemory.\n\nFix this by freeing prealloc before the early return, ensuring prealloc\nis always freed on all error paths."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-01T06:20:14.073Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3412d0e973e8f8381747d69033eda809a57a2581"
        },
        {
          "url": "https://git.kernel.org/stable/c/a4d9ebe23bcb79d9d057e3c995db73b7b3aae414"
        },
        {
          "url": "https://git.kernel.org/stable/c/f260c6aff0b8af236084012d14f9f1bf792ea883"
        }
      ],
      "title": "btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40209",
    "datePublished": "2025-11-21T10:19:44.757Z",
    "dateReserved": "2025-04-16T07:20:57.179Z",
    "dateUpdated": "2025-12-01T06:20:14.073Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-48853 (GCVE-0-2022-48853)

Vulnerability from cvelistv5 – Published: 2024-07-16 12:25 – Updated: 2025-12-21 11:36

Title

Reinstate some of "swiotlb: rework "fix info leak with DMA_FROM_DEVICE""

Summary

In the Linux kernel, the following vulnerability has been resolved: swiotlb: fix info leak with DMA_FROM_DEVICE The problem I'm addressing was discovered by the LTP test covering cve-2018-1000204. A short description of what happens follows: 1) The test case issues a command code 00 (TEST UNIT READY) via the SG_IO interface with: dxfer_len == 524288, dxdfer_dir == SG_DXFER_FROM_DEV and a corresponding dxferp. The peculiar thing about this is that TUR is not reading from the device. 2) In sg_start_req() the invocation of blk_rq_map_user() effectively bounces the user-space buffer. As if the device was to transfer into it. Since commit a45b599ad808 ("scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()") we make sure this first bounce buffer is allocated with GFP_ZERO. 3) For the rest of the story we keep ignoring that we have a TUR, so the device won't touch the buffer we prepare as if the we had a DMA_FROM_DEVICE type of situation. My setup uses a virtio-scsi device and the buffer allocated by SG is mapped by the function virtqueue_add_split() which uses DMA_FROM_DEVICE for the "in" sgs (here scatter-gather and not scsi generics). This mapping involves bouncing via the swiotlb (we need swiotlb to do virtio in protected guest like s390 Secure Execution, or AMD SEV). 4) When the SCSI TUR is done, we first copy back the content of the second (that is swiotlb) bounce buffer (which most likely contains some previous IO data), to the first bounce buffer, which contains all zeros. Then we copy back the content of the first bounce buffer to the user-space buffer. 5) The test case detects that the buffer, which it zero-initialized, ain't all zeros and fails. One can argue that this is an swiotlb problem, because without swiotlb we leak all zeros, and the swiotlb should be transparent in a sense that it does not affect the outcome (if all other participants are well behaved). Copying the content of the original buffer into the swiotlb buffer is the only way I can think of to make swiotlb transparent in such scenarios. So let's do just that if in doubt, but allow the driver to tell us that the whole mapped buffer is going to be overwritten, in which case we can preserve the old behavior and avoid the performance impact of the extra bounce.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/fd97de9c7b973f46a…
	https://git.kernel.org/stable/c/aaf166f37eb6bb55d…
	https://git.kernel.org/stable/c/06cb238b0f7ac1669…
	https://git.kernel.org/stable/c/b2f140a9f980806f5…
	https://git.kernel.org/stable/c/f3f2247ac31cb71d1…
	https://git.kernel.org/stable/c/7007c894631cf4304…
	https://git.kernel.org/stable/c/dcead36b19d999d68…
	https://git.kernel.org/stable/c/f2141881b53073877…
	https://git.kernel.org/stable/c/901c7280ca0d5e2b4…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fd97de9c7b973f46a6103f4170c5efc7b8ef8797 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < aaf166f37eb6bb55d81c3e40a2a460c8875c8813 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 06cb238b0f7ac1669cb06390704c61794724c191 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b2f140a9f980806f572d672e1780acea66b9a25c (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f3f2247ac31cb71d1f05f56536df5946c6652f4a (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7007c894631cf43041dcfa0da7142bbaa7eb673c (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < dcead36b19d999d687cd9c99b7f37520d9102b57 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f2141881b530738777c28bb51c62175895c8178b (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 901c7280ca0d5e2b4a8929fbe0bfb007ac2a6544 (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 4.9.320 , ≤ 4.9.* (semver)
Unaffected: 4.14.281 , ≤ 4.14.* (semver)
Unaffected: 4.19.245 , ≤ 4.19.* (semver)
Unaffected: 5.4.196 , ≤ 5.4.* (semver)
Unaffected: 5.10.118 , ≤ 5.10.* (semver)
Unaffected: 5.15.33 , ≤ 5.15.* (semver)
Unaffected: 5.16.19 , ≤ 5.16.* (semver)
Unaffected: 5.17.2 , ≤ 5.17.* (semver)
Unaffected: 5.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T15:25:01.804Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/c132f2ba716b5ee6b35f82226a6e5417d013d753"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/971e5dadffd02beba1063e7dd9c3a82de17cf534"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/8d9ac1b6665c73f23e963775f85d99679fd8e192"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/6bfc5377a210dbda2a237f16d94d1bd4f1335026"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d4d975e7921079f877f828099bb8260af335508f"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/7403f4118ab94be837ab9d770507537a8057bc63"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/270475d6d2410ec66e971bf181afe1958dad565e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ddbd89deb7d32b1fbb879f48d68fda1a8ac58e8e"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-48853",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T16:25:58.844703Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:34:08.301Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "Documentation/core-api/dma-attributes.rst",
            "include/linux/dma-mapping.h",
            "kernel/dma/swiotlb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fd97de9c7b973f46a6103f4170c5efc7b8ef8797",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "aaf166f37eb6bb55d81c3e40a2a460c8875c8813",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "06cb238b0f7ac1669cb06390704c61794724c191",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "b2f140a9f980806f572d672e1780acea66b9a25c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f3f2247ac31cb71d1f05f56536df5946c6652f4a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7007c894631cf43041dcfa0da7142bbaa7eb673c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "dcead36b19d999d687cd9c99b7f37520d9102b57",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f2141881b530738777c28bb51c62175895c8178b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "901c7280ca0d5e2b4a8929fbe0bfb007ac2a6544",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "Documentation/core-api/dma-attributes.rst",
            "include/linux/dma-mapping.h",
            "kernel/dma/swiotlb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.320",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.281",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.245",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.196",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.118",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.33",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.16.*",
              "status": "unaffected",
              "version": "5.16.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.17.*",
              "status": "unaffected",
              "version": "5.17.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.320",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.281",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.245",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.196",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.118",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.33",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.16.19",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.17.2",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nswiotlb: fix info leak with DMA_FROM_DEVICE\n\nThe problem I\u0027m addressing was discovered by the LTP test covering\ncve-2018-1000204.\n\nA short description of what happens follows:\n1) The test case issues a command code 00 (TEST UNIT READY) via the SG_IO\n   interface with: dxfer_len == 524288, dxdfer_dir == SG_DXFER_FROM_DEV\n   and a corresponding dxferp. The peculiar thing about this is that TUR\n   is not reading from the device.\n2) In sg_start_req() the invocation of blk_rq_map_user() effectively\n   bounces the user-space buffer. As if the device was to transfer into\n   it. Since commit a45b599ad808 (\"scsi: sg: allocate with __GFP_ZERO in\n   sg_build_indirect()\") we make sure this first bounce buffer is\n   allocated with GFP_ZERO.\n3) For the rest of the story we keep ignoring that we have a TUR, so the\n   device won\u0027t touch the buffer we prepare as if the we had a\n   DMA_FROM_DEVICE type of situation. My setup uses a virtio-scsi device\n   and the  buffer allocated by SG is mapped by the function\n   virtqueue_add_split() which uses DMA_FROM_DEVICE for the \"in\" sgs (here\n   scatter-gather and not scsi generics). This mapping involves bouncing\n   via the swiotlb (we need swiotlb to do virtio in protected guest like\n   s390 Secure Execution, or AMD SEV).\n4) When the SCSI TUR is done, we first copy back the content of the second\n   (that is swiotlb) bounce buffer (which most likely contains some\n   previous IO data), to the first bounce buffer, which contains all\n   zeros.  Then we copy back the content of the first bounce buffer to\n   the user-space buffer.\n5) The test case detects that the buffer, which it zero-initialized,\n  ain\u0027t all zeros and fails.\n\nOne can argue that this is an swiotlb problem, because without swiotlb\nwe leak all zeros, and the swiotlb should be transparent in a sense that\nit does not affect the outcome (if all other participants are well\nbehaved).\n\nCopying the content of the original buffer into the swiotlb buffer is\nthe only way I can think of to make swiotlb transparent in such\nscenarios. So let\u0027s do just that if in doubt, but allow the driver\nto tell us that the whole mapped buffer is going to be overwritten,\nin which case we can preserve the old behavior and avoid the performance\nimpact of the extra bounce."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-21T11:36:18.947Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fd97de9c7b973f46a6103f4170c5efc7b8ef8797"
        },
        {
          "url": "https://git.kernel.org/stable/c/aaf166f37eb6bb55d81c3e40a2a460c8875c8813"
        },
        {
          "url": "https://git.kernel.org/stable/c/06cb238b0f7ac1669cb06390704c61794724c191"
        },
        {
          "url": "https://git.kernel.org/stable/c/b2f140a9f980806f572d672e1780acea66b9a25c"
        },
        {
          "url": "https://git.kernel.org/stable/c/f3f2247ac31cb71d1f05f56536df5946c6652f4a"
        },
        {
          "url": "https://git.kernel.org/stable/c/7007c894631cf43041dcfa0da7142bbaa7eb673c"
        },
        {
          "url": "https://git.kernel.org/stable/c/dcead36b19d999d687cd9c99b7f37520d9102b57"
        },
        {
          "url": "https://git.kernel.org/stable/c/f2141881b530738777c28bb51c62175895c8178b"
        },
        {
          "url": "https://git.kernel.org/stable/c/901c7280ca0d5e2b4a8929fbe0bfb007ac2a6544"
        }
      ],
      "title": "Reinstate some of \"swiotlb: rework \"fix info leak with DMA_FROM_DEVICE\"\"",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-48853",
    "datePublished": "2024-07-16T12:25:19.814Z",
    "dateReserved": "2024-07-16T11:38:08.913Z",
    "dateUpdated": "2025-12-21T11:36:18.947Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50640 (GCVE-0-2022-50640)

Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00

Title

mmc: core: Fix kernel panic when remove non-standard SDIO card

Summary

In the Linux kernel, the following vulnerability has been resolved: mmc: core: Fix kernel panic when remove non-standard SDIO card SDIO tuple is only allocated for standard SDIO card, especially it causes memory corruption issues when the non-standard SDIO card has removed, which is because the card device's reference counter does not increase for it at sdio_init_func(), but all SDIO card device reference counter gets decreased at sdio_release_func().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b8b2965932e702b21…
	https://git.kernel.org/stable/c/b3275dde570b64201…
	https://git.kernel.org/stable/c/1fb79478695d92bab…
	https://git.kernel.org/stable/c/7a09c64b7da0abdec…
	https://git.kernel.org/stable/c/8bf037279b5869ae9…
	https://git.kernel.org/stable/c/1e8cd93ae53658156…
	https://git.kernel.org/stable/c/66d461a92f32b6995…
	https://git.kernel.org/stable/c/9972e6b404884adae…

Impacted products

Vendor

Product

Version

Linux

Affected: 6f51be3d37dff73cf8db771df4169f4c2f1cbf66 , < b8b2965932e702b21e335ff30e1bb550f5a23b6f (git)
Affected: 6f51be3d37dff73cf8db771df4169f4c2f1cbf66 , < b3275dde570b6420106a715bb58a0af041b94d95 (git)
Affected: 6f51be3d37dff73cf8db771df4169f4c2f1cbf66 , < 1fb79478695d92bab1c120ad3dad05252b02a29d (git)
Affected: 6f51be3d37dff73cf8db771df4169f4c2f1cbf66 , < 7a09c64b7da0abdec3919812e3d93ecc44069ed0 (git)
Affected: 6f51be3d37dff73cf8db771df4169f4c2f1cbf66 , < 8bf037279b5869ae9331c42bb1527d2680ebba96 (git)
Affected: 6f51be3d37dff73cf8db771df4169f4c2f1cbf66 , < 1e8cd93ae536581562bab4e1d8c5315bbc2548bf (git)
Affected: 6f51be3d37dff73cf8db771df4169f4c2f1cbf66 , < 66d461a92f32b6995b630625d350259b6b1f961b (git)
Affected: 6f51be3d37dff73cf8db771df4169f4c2f1cbf66 , < 9972e6b404884adae9eec7463e30d9b3c9a70b18 (git)

Linux

Affected: 2.6.36
Unaffected: 0 , < 2.6.36 (semver)
Unaffected: 4.9.332 , ≤ 4.9.* (semver)
Unaffected: 4.14.298 , ≤ 4.14.* (semver)
Unaffected: 4.19.264 , ≤ 4.19.* (semver)
Unaffected: 5.4.223 , ≤ 5.4.* (semver)
Unaffected: 5.10.153 , ≤ 5.10.* (semver)
Unaffected: 5.15.77 , ≤ 5.15.* (semver)
Unaffected: 6.0.7 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/mmc/core/sdio_bus.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b8b2965932e702b21e335ff30e1bb550f5a23b6f",
              "status": "affected",
              "version": "6f51be3d37dff73cf8db771df4169f4c2f1cbf66",
              "versionType": "git"
            },
            {
              "lessThan": "b3275dde570b6420106a715bb58a0af041b94d95",
              "status": "affected",
              "version": "6f51be3d37dff73cf8db771df4169f4c2f1cbf66",
              "versionType": "git"
            },
            {
              "lessThan": "1fb79478695d92bab1c120ad3dad05252b02a29d",
              "status": "affected",
              "version": "6f51be3d37dff73cf8db771df4169f4c2f1cbf66",
              "versionType": "git"
            },
            {
              "lessThan": "7a09c64b7da0abdec3919812e3d93ecc44069ed0",
              "status": "affected",
              "version": "6f51be3d37dff73cf8db771df4169f4c2f1cbf66",
              "versionType": "git"
            },
            {
              "lessThan": "8bf037279b5869ae9331c42bb1527d2680ebba96",
              "status": "affected",
              "version": "6f51be3d37dff73cf8db771df4169f4c2f1cbf66",
              "versionType": "git"
            },
            {
              "lessThan": "1e8cd93ae536581562bab4e1d8c5315bbc2548bf",
              "status": "affected",
              "version": "6f51be3d37dff73cf8db771df4169f4c2f1cbf66",
              "versionType": "git"
            },
            {
              "lessThan": "66d461a92f32b6995b630625d350259b6b1f961b",
              "status": "affected",
              "version": "6f51be3d37dff73cf8db771df4169f4c2f1cbf66",
              "versionType": "git"
            },
            {
              "lessThan": "9972e6b404884adae9eec7463e30d9b3c9a70b18",
              "status": "affected",
              "version": "6f51be3d37dff73cf8db771df4169f4c2f1cbf66",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/mmc/core/sdio_bus.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.36"
            },
            {
              "lessThan": "2.6.36",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.332",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.298",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.264",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.223",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.153",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.77",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.332",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.298",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.264",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.223",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.153",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.77",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.7",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: core: Fix kernel panic when remove non-standard SDIO card\n\nSDIO tuple is only allocated for standard SDIO card, especially it causes\nmemory corruption issues when the non-standard SDIO card has removed, which\nis because the card device\u0027s reference counter does not increase for it at\nsdio_init_func(), but all SDIO card device reference counter gets decreased\nat sdio_release_func()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T00:00:13.871Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b8b2965932e702b21e335ff30e1bb550f5a23b6f"
        },
        {
          "url": "https://git.kernel.org/stable/c/b3275dde570b6420106a715bb58a0af041b94d95"
        },
        {
          "url": "https://git.kernel.org/stable/c/1fb79478695d92bab1c120ad3dad05252b02a29d"
        },
        {
          "url": "https://git.kernel.org/stable/c/7a09c64b7da0abdec3919812e3d93ecc44069ed0"
        },
        {
          "url": "https://git.kernel.org/stable/c/8bf037279b5869ae9331c42bb1527d2680ebba96"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e8cd93ae536581562bab4e1d8c5315bbc2548bf"
        },
        {
          "url": "https://git.kernel.org/stable/c/66d461a92f32b6995b630625d350259b6b1f961b"
        },
        {
          "url": "https://git.kernel.org/stable/c/9972e6b404884adae9eec7463e30d9b3c9a70b18"
        }
      ],
      "title": "mmc: core: Fix kernel panic when remove non-standard SDIO card",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50640",
    "datePublished": "2025-12-09T00:00:13.871Z",
    "dateReserved": "2025-12-08T23:57:43.370Z",
    "dateUpdated": "2025-12-09T00:00:13.871Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-54243 (GCVE-0-2023-54243)

Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2025-12-30 12:11

Title

netfilter: ebtables: fix table blob use-after-free

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: ebtables: fix table blob use-after-free We are not allowed to return an error at this point. Looking at the code it looks like ret is always 0 at this point, but its not. t = find_table_lock(net, repl->name, &ret, &ebt_mutex); ... this can return a valid table, with ret != 0. This bug causes update of table->private with the new blob, but then frees the blob right away in the caller. Syzbot report: BUG: KASAN: vmalloc-out-of-bounds in __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168 Read of size 4 at addr ffffc90005425000 by task kworker/u4:4/74 Workqueue: netns cleanup_net Call Trace: kasan_report+0xbf/0x1f0 mm/kasan/report.c:517 __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168 ebt_unregister_table+0x35/0x40 net/bridge/netfilter/ebtables.c:1372 ops_exit_list+0xb0/0x170 net/core/net_namespace.c:169 cleanup_net+0x4ee/0xb10 net/core/net_namespace.c:613 ... ip(6)tables appears to be ok (ret should be 0 at this point) but make this more obvious.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/9060abce3305ab235…
	https://git.kernel.org/stable/c/dbb3cbbf03b3c52cb…
	https://git.kernel.org/stable/c/3dd6ac973351308d4…
	https://git.kernel.org/stable/c/cda0e0243bd3c0400…
	https://git.kernel.org/stable/c/e58a171d35e32e6e8…

Impacted products

Vendor

Product

Version

Linux

Affected: c58dd2dd443c26d856a168db108a0cd11c285bf3 , < 9060abce3305ab2354c892c09d5689df51486df5 (git)
Affected: c58dd2dd443c26d856a168db108a0cd11c285bf3 , < dbb3cbbf03b3c52cb390fabec357f1e4638004f5 (git)
Affected: c58dd2dd443c26d856a168db108a0cd11c285bf3 , < 3dd6ac973351308d4117eda32298a9f1d68764fd (git)
Affected: c58dd2dd443c26d856a168db108a0cd11c285bf3 , < cda0e0243bd3c04008fcd37a46b0269fb3c49249 (git)
Affected: c58dd2dd443c26d856a168db108a0cd11c285bf3 , < e58a171d35e32e6e8c37cfe0e8a94406732a331f (git)
Affected: a3bc0f8ea439762aa62d40a295157410498cbea7 (git)
Affected: 8ed40c122919cd79bc3c059e5864e5e7d9d455f0 (git)
Affected: c5e4ef499cfc78de45a4f01b8c557b5964d77c53 (git)
Affected: f34728610b2a8c7b9864f9404f2884c17f6fca5c (git)
Affected: 8b5740915a9faa8b1fa9166193a33e2a9ae30ec6 (git)

Linux

Affected: 3.15
Unaffected: 0 , < 3.15 (semver)
Unaffected: 5.10.173 , ≤ 5.10.* (semver)
Unaffected: 5.15.100 , ≤ 5.15.* (semver)
Unaffected: 6.1.18 , ≤ 6.1.* (semver)
Unaffected: 6.2.5 , ≤ 6.2.* (semver)
Unaffected: 6.3 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bridge/netfilter/ebtables.c",
            "net/ipv4/netfilter/ip_tables.c",
            "net/ipv6/netfilter/ip6_tables.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9060abce3305ab2354c892c09d5689df51486df5",
              "status": "affected",
              "version": "c58dd2dd443c26d856a168db108a0cd11c285bf3",
              "versionType": "git"
            },
            {
              "lessThan": "dbb3cbbf03b3c52cb390fabec357f1e4638004f5",
              "status": "affected",
              "version": "c58dd2dd443c26d856a168db108a0cd11c285bf3",
              "versionType": "git"
            },
            {
              "lessThan": "3dd6ac973351308d4117eda32298a9f1d68764fd",
              "status": "affected",
              "version": "c58dd2dd443c26d856a168db108a0cd11c285bf3",
              "versionType": "git"
            },
            {
              "lessThan": "cda0e0243bd3c04008fcd37a46b0269fb3c49249",
              "status": "affected",
              "version": "c58dd2dd443c26d856a168db108a0cd11c285bf3",
              "versionType": "git"
            },
            {
              "lessThan": "e58a171d35e32e6e8c37cfe0e8a94406732a331f",
              "status": "affected",
              "version": "c58dd2dd443c26d856a168db108a0cd11c285bf3",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a3bc0f8ea439762aa62d40a295157410498cbea7",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "8ed40c122919cd79bc3c059e5864e5e7d9d455f0",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "c5e4ef499cfc78de45a4f01b8c557b5964d77c53",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "f34728610b2a8c7b9864f9404f2884c17f6fca5c",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "8b5740915a9faa8b1fa9166193a33e2a9ae30ec6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bridge/netfilter/ebtables.c",
            "net/ipv4/netfilter/ip_tables.c",
            "net/ipv6/netfilter/ip6_tables.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.15"
            },
            {
              "lessThan": "3.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.173",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.100",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.2.*",
              "status": "unaffected",
              "version": "6.2.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.173",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.100",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.18",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2.5",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.2.60",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.4.91",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.10.41",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.12.21",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.14.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ebtables: fix table blob use-after-free\n\nWe are not allowed to return an error at this point.\nLooking at the code it looks like ret is always 0 at this\npoint, but its not.\n\nt = find_table_lock(net, repl-\u003ename, \u0026ret, \u0026ebt_mutex);\n\n... this can return a valid table, with ret != 0.\n\nThis bug causes update of table-\u003eprivate with the new\nblob, but then frees the blob right away in the caller.\n\nSyzbot report:\n\nBUG: KASAN: vmalloc-out-of-bounds in __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168\nRead of size 4 at addr ffffc90005425000 by task kworker/u4:4/74\nWorkqueue: netns cleanup_net\nCall Trace:\n kasan_report+0xbf/0x1f0 mm/kasan/report.c:517\n __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168\n ebt_unregister_table+0x35/0x40 net/bridge/netfilter/ebtables.c:1372\n ops_exit_list+0xb0/0x170 net/core/net_namespace.c:169\n cleanup_net+0x4ee/0xb10 net/core/net_namespace.c:613\n...\n\nip(6)tables appears to be ok (ret should be 0 at this point) but make\nthis more obvious."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T12:11:31.180Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9060abce3305ab2354c892c09d5689df51486df5"
        },
        {
          "url": "https://git.kernel.org/stable/c/dbb3cbbf03b3c52cb390fabec357f1e4638004f5"
        },
        {
          "url": "https://git.kernel.org/stable/c/3dd6ac973351308d4117eda32298a9f1d68764fd"
        },
        {
          "url": "https://git.kernel.org/stable/c/cda0e0243bd3c04008fcd37a46b0269fb3c49249"
        },
        {
          "url": "https://git.kernel.org/stable/c/e58a171d35e32e6e8c37cfe0e8a94406732a331f"
        }
      ],
      "title": "netfilter: ebtables: fix table blob use-after-free",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-54243",
    "datePublished": "2025-12-30T12:11:31.180Z",
    "dateReserved": "2025-12-30T12:06:44.510Z",
    "dateUpdated": "2025-12-30T12:11:31.180Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40289 (GCVE-0-2025-40289)

Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2025-12-20 08:51

Title

drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM Otherwise accessing them can cause a crash.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/39a1c8c860e32d775…
	https://git.kernel.org/stable/c/a67a9f99ce1306898…
	https://git.kernel.org/stable/c/33cc891b56b93cad1…

Impacted products

Vendor

Product

Version

Linux

Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 39a1c8c860e32d775f29917939e87b6a7c08ebb1 (git)
Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < a67a9f99ce1306898d7129a199d42876bc06a0f0 (git)
Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 33cc891b56b93cad1a83263eaf2e417436f70c82 (git)

Linux

Affected: 4.2
Unaffected: 0 , < 4.2 (semver)
Unaffected: 6.12.59 , ≤ 6.12.* (semver)
Unaffected: 6.17.9 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "39a1c8c860e32d775f29917939e87b6a7c08ebb1",
              "status": "affected",
              "version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
              "versionType": "git"
            },
            {
              "lessThan": "a67a9f99ce1306898d7129a199d42876bc06a0f0",
              "status": "affected",
              "version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
              "versionType": "git"
            },
            {
              "lessThan": "33cc891b56b93cad1a83263eaf2e417436f70c82",
              "status": "affected",
              "version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/amdgpu_vram_mgr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.2"
            },
            {
              "lessThan": "4.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM\n\nOtherwise accessing them can cause a crash."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-20T08:51:56.224Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/39a1c8c860e32d775f29917939e87b6a7c08ebb1"
        },
        {
          "url": "https://git.kernel.org/stable/c/a67a9f99ce1306898d7129a199d42876bc06a0f0"
        },
        {
          "url": "https://git.kernel.org/stable/c/33cc891b56b93cad1a83263eaf2e417436f70c82"
        }
      ],
      "title": "drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40289",
    "datePublished": "2025-12-06T21:51:15.555Z",
    "dateReserved": "2025-04-16T07:20:57.184Z",
    "dateUpdated": "2025-12-20T08:51:56.224Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-54168 (GCVE-0-2023-54168)

Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2025-12-30 12:08

Title

RDMA/mlx4: Prevent shift wrapping in set_user_sq_size()

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx4: Prevent shift wrapping in set_user_sq_size() The ucmd->log_sq_bb_count variable is controlled by the user so this shift can wrap. Fix it by using check_shl_overflow() in the same way that it was done in commit 515f60004ed9 ("RDMA/hns: Prevent undefined behavior in hns_roce_set_user_sq_size()").

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/3d5ae269c4bd392ec…
	https://git.kernel.org/stable/c/8feca625900777e02…
	https://git.kernel.org/stable/c/9ad3221c86cc9c630…
	https://git.kernel.org/stable/c/9911be2155720221a…
	https://git.kernel.org/stable/c/3ce0df3493277b9df…
	https://git.kernel.org/stable/c/196a6df08b08699ac…
	https://git.kernel.org/stable/c/a183905869e692b6b…
	https://git.kernel.org/stable/c/d50b3c73f1ac20dab…

Impacted products

Vendor

Product

Version

Linux

Affected: 839041329fd3410e07d614f81e75bb43367d8f89 , < 3d5ae269c4bd392ec1edbfb3bd031b8f42d7feff (git)
Affected: 839041329fd3410e07d614f81e75bb43367d8f89 , < 8feca625900777e02a449e53fe4121339934c38a (git)
Affected: 839041329fd3410e07d614f81e75bb43367d8f89 , < 9ad3221c86cc9c6305594b742d4a72dfbd4ea579 (git)
Affected: 839041329fd3410e07d614f81e75bb43367d8f89 , < 9911be2155720221a4f1f722b22bd0e2388d8bcf (git)
Affected: 839041329fd3410e07d614f81e75bb43367d8f89 , < 3ce0df3493277b9df275cb8455d9c677ae701230 (git)
Affected: 839041329fd3410e07d614f81e75bb43367d8f89 , < 196a6df08b08699ace4ce70e1efcdd9081b6565f (git)
Affected: 839041329fd3410e07d614f81e75bb43367d8f89 , < a183905869e692b6b7805b7472235585eff8e429 (git)
Affected: 839041329fd3410e07d614f81e75bb43367d8f89 , < d50b3c73f1ac20dabc53dc6e9d64ce9c79a331eb (git)

Linux

Affected: 2.6.24
Unaffected: 0 , < 2.6.24 (semver)
Unaffected: 4.19.283 , ≤ 4.19.* (semver)
Unaffected: 5.4.243 , ≤ 5.4.* (semver)
Unaffected: 5.10.180 , ≤ 5.10.* (semver)
Unaffected: 5.15.111 , ≤ 5.15.* (semver)
Unaffected: 6.1.28 , ≤ 6.1.* (semver)
Unaffected: 6.2.15 , ≤ 6.2.* (semver)
Unaffected: 6.3.2 , ≤ 6.3.* (semver)
Unaffected: 6.4 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mlx4/qp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3d5ae269c4bd392ec1edbfb3bd031b8f42d7feff",
              "status": "affected",
              "version": "839041329fd3410e07d614f81e75bb43367d8f89",
              "versionType": "git"
            },
            {
              "lessThan": "8feca625900777e02a449e53fe4121339934c38a",
              "status": "affected",
              "version": "839041329fd3410e07d614f81e75bb43367d8f89",
              "versionType": "git"
            },
            {
              "lessThan": "9ad3221c86cc9c6305594b742d4a72dfbd4ea579",
              "status": "affected",
              "version": "839041329fd3410e07d614f81e75bb43367d8f89",
              "versionType": "git"
            },
            {
              "lessThan": "9911be2155720221a4f1f722b22bd0e2388d8bcf",
              "status": "affected",
              "version": "839041329fd3410e07d614f81e75bb43367d8f89",
              "versionType": "git"
            },
            {
              "lessThan": "3ce0df3493277b9df275cb8455d9c677ae701230",
              "status": "affected",
              "version": "839041329fd3410e07d614f81e75bb43367d8f89",
              "versionType": "git"
            },
            {
              "lessThan": "196a6df08b08699ace4ce70e1efcdd9081b6565f",
              "status": "affected",
              "version": "839041329fd3410e07d614f81e75bb43367d8f89",
              "versionType": "git"
            },
            {
              "lessThan": "a183905869e692b6b7805b7472235585eff8e429",
              "status": "affected",
              "version": "839041329fd3410e07d614f81e75bb43367d8f89",
              "versionType": "git"
            },
            {
              "lessThan": "d50b3c73f1ac20dabc53dc6e9d64ce9c79a331eb",
              "status": "affected",
              "version": "839041329fd3410e07d614f81e75bb43367d8f89",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mlx4/qp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.24"
            },
            {
              "lessThan": "2.6.24",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.283",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.243",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.111",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.28",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.2.*",
              "status": "unaffected",
              "version": "6.2.15",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.3.*",
              "status": "unaffected",
              "version": "6.3.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.4",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.283",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.243",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.180",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.111",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.28",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2.15",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3.2",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4",
                  "versionStartIncluding": "2.6.24",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx4: Prevent shift wrapping in set_user_sq_size()\n\nThe ucmd-\u003elog_sq_bb_count variable is controlled by the user so this\nshift can wrap.  Fix it by using check_shl_overflow() in the same way\nthat it was done in commit 515f60004ed9 (\"RDMA/hns: Prevent undefined\nbehavior in hns_roce_set_user_sq_size()\")."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T12:08:43.394Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3d5ae269c4bd392ec1edbfb3bd031b8f42d7feff"
        },
        {
          "url": "https://git.kernel.org/stable/c/8feca625900777e02a449e53fe4121339934c38a"
        },
        {
          "url": "https://git.kernel.org/stable/c/9ad3221c86cc9c6305594b742d4a72dfbd4ea579"
        },
        {
          "url": "https://git.kernel.org/stable/c/9911be2155720221a4f1f722b22bd0e2388d8bcf"
        },
        {
          "url": "https://git.kernel.org/stable/c/3ce0df3493277b9df275cb8455d9c677ae701230"
        },
        {
          "url": "https://git.kernel.org/stable/c/196a6df08b08699ace4ce70e1efcdd9081b6565f"
        },
        {
          "url": "https://git.kernel.org/stable/c/a183905869e692b6b7805b7472235585eff8e429"
        },
        {
          "url": "https://git.kernel.org/stable/c/d50b3c73f1ac20dabc53dc6e9d64ce9c79a331eb"
        }
      ],
      "title": "RDMA/mlx4: Prevent shift wrapping in set_user_sq_size()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-54168",
    "datePublished": "2025-12-30T12:08:43.394Z",
    "dateReserved": "2025-12-30T12:06:44.495Z",
    "dateUpdated": "2025-12-30T12:08:43.394Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50756 (GCVE-0-2022-50756)

Vulnerability from cvelistv5 – Published: 2025-12-24 13:05 – Updated: 2025-12-24 13:05

Title

nvme-pci: fix mempool alloc size

Summary

In the Linux kernel, the following vulnerability has been resolved: nvme-pci: fix mempool alloc size Convert the max size to bytes to match the units of the divisor that calculates the worst-case number of PRP entries. The result is used to determine how many PRP Lists are required. The code was previously rounding this to 1 list, but we can require 2 in the worst case. In that scenario, the driver would corrupt memory beyond the size provided by the mempool. While unlikely to occur (you'd need a 4MB in exactly 127 phys segments on a queue that doesn't support SGLs), this memory corruption has been observed by kfence.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/dfb6d54893d544151…
	https://git.kernel.org/stable/c/9141144b37f30e3e7…
	https://git.kernel.org/stable/c/e1777b4286e526c58…
	https://git.kernel.org/stable/c/b1814724e0d7162bd…
	https://git.kernel.org/stable/c/c89a529e823d51dd2…

Impacted products

Vendor

Product

Version

Linux

Affected: 943e942e6266f22babee5efeb00f8f672fbff5bd , < dfb6d54893d544151e7f480bc44cfe7823f5ad23 (git)
Affected: 943e942e6266f22babee5efeb00f8f672fbff5bd , < 9141144b37f30e3e7fa024bcfa0a13011e546ba9 (git)
Affected: 943e942e6266f22babee5efeb00f8f672fbff5bd , < e1777b4286e526c58b4ee699344b0ad85aaf83a0 (git)
Affected: 943e942e6266f22babee5efeb00f8f672fbff5bd , < b1814724e0d7162bdf4799f2d565381bc2251c63 (git)
Affected: 943e942e6266f22babee5efeb00f8f672fbff5bd , < c89a529e823d51dd23c7ec0c047c7a454a428541 (git)

Linux

Affected: 4.18
Unaffected: 0 , < 4.18 (semver)
Unaffected: 5.10.163 , ≤ 5.10.* (semver)
Unaffected: 5.15.87 , ≤ 5.15.* (semver)
Unaffected: 6.0.17 , ≤ 6.0.* (semver)
Unaffected: 6.1.3 , ≤ 6.1.* (semver)
Unaffected: 6.2 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvme/host/pci.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "dfb6d54893d544151e7f480bc44cfe7823f5ad23",
              "status": "affected",
              "version": "943e942e6266f22babee5efeb00f8f672fbff5bd",
              "versionType": "git"
            },
            {
              "lessThan": "9141144b37f30e3e7fa024bcfa0a13011e546ba9",
              "status": "affected",
              "version": "943e942e6266f22babee5efeb00f8f672fbff5bd",
              "versionType": "git"
            },
            {
              "lessThan": "e1777b4286e526c58b4ee699344b0ad85aaf83a0",
              "status": "affected",
              "version": "943e942e6266f22babee5efeb00f8f672fbff5bd",
              "versionType": "git"
            },
            {
              "lessThan": "b1814724e0d7162bdf4799f2d565381bc2251c63",
              "status": "affected",
              "version": "943e942e6266f22babee5efeb00f8f672fbff5bd",
              "versionType": "git"
            },
            {
              "lessThan": "c89a529e823d51dd23c7ec0c047c7a454a428541",
              "status": "affected",
              "version": "943e942e6266f22babee5efeb00f8f672fbff5bd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvme/host/pci.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.18"
            },
            {
              "lessThan": "4.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.163",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.163",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.87",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.17",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.3",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-pci: fix mempool alloc size\n\nConvert the max size to bytes to match the units of the divisor that\ncalculates the worst-case number of PRP entries.\n\nThe result is used to determine how many PRP Lists are required. The\ncode was previously rounding this to 1 list, but we can require 2 in the\nworst case. In that scenario, the driver would corrupt memory beyond the\nsize provided by the mempool.\n\nWhile unlikely to occur (you\u0027d need a 4MB in exactly 127 phys segments\non a queue that doesn\u0027t support SGLs), this memory corruption has been\nobserved by kfence."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-24T13:05:49.635Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/dfb6d54893d544151e7f480bc44cfe7823f5ad23"
        },
        {
          "url": "https://git.kernel.org/stable/c/9141144b37f30e3e7fa024bcfa0a13011e546ba9"
        },
        {
          "url": "https://git.kernel.org/stable/c/e1777b4286e526c58b4ee699344b0ad85aaf83a0"
        },
        {
          "url": "https://git.kernel.org/stable/c/b1814724e0d7162bdf4799f2d565381bc2251c63"
        },
        {
          "url": "https://git.kernel.org/stable/c/c89a529e823d51dd23c7ec0c047c7a454a428541"
        }
      ],
      "title": "nvme-pci: fix mempool alloc size",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50756",
    "datePublished": "2025-12-24T13:05:49.635Z",
    "dateReserved": "2025-12-24T13:02:21.545Z",
    "dateUpdated": "2025-12-24T13:05:49.635Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40320 (GCVE-0-2025-40320)

Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46

Title

smb: client: fix potential cfid UAF in smb2_query_info_compound

Summary

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential cfid UAF in smb2_query_info_compound When smb2_query_info_compound() retries, a previously allocated cfid may have been freed in the first attempt. Because cfid wasn't reset on replay, later cleanup could act on a stale pointer, leading to a potential use-after-free. Reinitialize cfid to NULL under the replay label. Example trace (trimmed): refcount_t: underflow; use-after-free. WARNING: CPU: 1 PID: 11224 at ../lib/refcount.c:28 refcount_warn_saturate+0x9c/0x110 [...] RIP: 0010:refcount_warn_saturate+0x9c/0x110 [...] Call Trace: <TASK> smb2_query_info_compound+0x29c/0x5c0 [cifs f90b72658819bd21c94769b6a652029a07a7172f] ? step_into+0x10d/0x690 ? __legitimize_path+0x28/0x60 smb2_queryfs+0x6a/0xf0 [cifs f90b72658819bd21c94769b6a652029a07a7172f] smb311_queryfs+0x12d/0x140 [cifs f90b72658819bd21c94769b6a652029a07a7172f] ? kmem_cache_alloc+0x18a/0x340 ? getname_flags+0x46/0x1e0 cifs_statfs+0x9f/0x2b0 [cifs f90b72658819bd21c94769b6a652029a07a7172f] statfs_by_dentry+0x67/0x90 vfs_statfs+0x16/0xd0 user_statfs+0x54/0xa0 __do_sys_statfs+0x20/0x50 do_syscall_64+0x58/0x80

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/939c4e33005e2a56e…
	https://git.kernel.org/stable/c/327f89c21601ebb78…
	https://git.kernel.org/stable/c/b556c278d43f4707a…
	https://git.kernel.org/stable/c/5c76f9961c170552c…

Impacted products

Vendor

Product

Version

Linux

Affected: 433042a91f9373241307725b52de573933ffedbf , < 939c4e33005e2a56ea8fcedddf0da92df864bd3b (git)
Affected: 4f1fffa2376922f3d1d506e49c0fd445b023a28e , < 327f89c21601ebb7889f8c97754b76f08ce95a0c (git)
Affected: 4f1fffa2376922f3d1d506e49c0fd445b023a28e , < b556c278d43f4707a9073ca74d55581b4f279806 (git)
Affected: 4f1fffa2376922f3d1d506e49c0fd445b023a28e , < 5c76f9961c170552c1d07c830b5e145475151600 (git)

Linux

Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/smb2ops.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "939c4e33005e2a56ea8fcedddf0da92df864bd3b",
              "status": "affected",
              "version": "433042a91f9373241307725b52de573933ffedbf",
              "versionType": "git"
            },
            {
              "lessThan": "327f89c21601ebb7889f8c97754b76f08ce95a0c",
              "status": "affected",
              "version": "4f1fffa2376922f3d1d506e49c0fd445b023a28e",
              "versionType": "git"
            },
            {
              "lessThan": "b556c278d43f4707a9073ca74d55581b4f279806",
              "status": "affected",
              "version": "4f1fffa2376922f3d1d506e49c0fd445b023a28e",
              "versionType": "git"
            },
            {
              "lessThan": "5c76f9961c170552c1d07c830b5e145475151600",
              "status": "affected",
              "version": "4f1fffa2376922f3d1d506e49c0fd445b023a28e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/smb2ops.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "6.6.32",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential cfid UAF in smb2_query_info_compound\n\nWhen smb2_query_info_compound() retries, a previously allocated cfid may\nhave been freed in the first attempt.\nBecause cfid wasn\u0027t reset on replay, later cleanup could act on a stale\npointer, leading to a potential use-after-free.\n\nReinitialize cfid to NULL under the replay label.\n\nExample trace (trimmed):\n\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 1 PID: 11224 at ../lib/refcount.c:28 refcount_warn_saturate+0x9c/0x110\n[...]\nRIP: 0010:refcount_warn_saturate+0x9c/0x110\n[...]\nCall Trace:\n \u003cTASK\u003e\n smb2_query_info_compound+0x29c/0x5c0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]\n ? step_into+0x10d/0x690\n ? __legitimize_path+0x28/0x60\n smb2_queryfs+0x6a/0xf0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]\n smb311_queryfs+0x12d/0x140 [cifs f90b72658819bd21c94769b6a652029a07a7172f]\n ? kmem_cache_alloc+0x18a/0x340\n ? getname_flags+0x46/0x1e0\n cifs_statfs+0x9f/0x2b0 [cifs f90b72658819bd21c94769b6a652029a07a7172f]\n statfs_by_dentry+0x67/0x90\n vfs_statfs+0x16/0xd0\n user_statfs+0x54/0xa0\n __do_sys_statfs+0x20/0x50\n do_syscall_64+0x58/0x80"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-08T00:46:47.670Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/939c4e33005e2a56ea8fcedddf0da92df864bd3b"
        },
        {
          "url": "https://git.kernel.org/stable/c/327f89c21601ebb7889f8c97754b76f08ce95a0c"
        },
        {
          "url": "https://git.kernel.org/stable/c/b556c278d43f4707a9073ca74d55581b4f279806"
        },
        {
          "url": "https://git.kernel.org/stable/c/5c76f9961c170552c1d07c830b5e145475151600"
        }
      ],
      "title": "smb: client: fix potential cfid UAF in smb2_query_info_compound",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40320",
    "datePublished": "2025-12-08T00:46:47.670Z",
    "dateReserved": "2025-04-16T07:20:57.186Z",
    "dateUpdated": "2025-12-08T00:46:47.670Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68184 (GCVE-0-2025-68184)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:43 – Updated: 2025-12-16 13:43

Title

drm/mediatek: Disable AFBC support on Mediatek DRM driver

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: Disable AFBC support on Mediatek DRM driver Commit c410fa9b07c3 ("drm/mediatek: Add AFBC support to Mediatek DRM driver") added AFBC support to Mediatek DRM and enabled the 32x8/split/sparse modifier. However, this is currently broken on Mediatek MT8188 (Genio 700 EVK platform); tested using upstream Kernel and Mesa (v25.2.1), AFBC is used by default since Mesa v25.0. Kernel trace reports vblank timeouts constantly, and the render is garbled: ``` [CRTC:62:crtc-0] vblank wait timed out WARNING: CPU: 7 PID: 70 at drivers/gpu/drm/drm_atomic_helper.c:1835 drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c [...] Hardware name: MediaTek Genio-700 EVK (DT) Workqueue: events_unbound commit_work pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c lr : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c sp : ffff80008337bca0 x29: ffff80008337bcd0 x28: 0000000000000061 x27: 0000000000000000 x26: 0000000000000001 x25: 0000000000000000 x24: ffff0000c9dcc000 x23: 0000000000000001 x22: 0000000000000000 x21: ffff0000c66f2f80 x20: ffff0000c0d7d880 x19: 0000000000000000 x18: 000000000000000a x17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000000 x14: 0000000000000000 x13: 74756f2064656d69 x12: 742074696177206b x11: 0000000000000058 x10: 0000000000000018 x9 : ffff800082396a70 x8 : 0000000000057fa8 x7 : 0000000000000cce x6 : ffff8000823eea70 x5 : ffff0001fef5f408 x4 : ffff80017ccee000 x3 : ffff0000c12cb480 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c12cb480 Call trace: drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c (P) drm_atomic_helper_commit_tail_rpm+0x64/0x80 commit_tail+0xa4/0x1a4 commit_work+0x14/0x20 process_one_work+0x150/0x290 worker_thread+0x2d0/0x3ec kthread+0x12c/0x210 ret_from_fork+0x10/0x20 ---[ end trace 0000000000000000 ]--- ``` Until this gets fixed upstream, disable AFBC support on this platform, as it's currently broken with upstream Mesa.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/df1ad5de2197ea1b5…
	https://git.kernel.org/stable/c/0eaa0a3dfe218c4cf…
	https://git.kernel.org/stable/c/72223700b620885d5…
	https://git.kernel.org/stable/c/9882a40640036d5bb…

Impacted products

Vendor

Product

Version

Linux

Affected: c410fa9b07c32cc69968ec83a148366d16c76dc4 , < df1ad5de2197ea1b527d13ae7b699e9ee7d724d4 (git)
Affected: c410fa9b07c32cc69968ec83a148366d16c76dc4 , < 0eaa0a3dfe218c4cf1a0782ccbbc9e3931718f17 (git)
Affected: c410fa9b07c32cc69968ec83a148366d16c76dc4 , < 72223700b620885d556a4c52a63f5294316176c6 (git)
Affected: c410fa9b07c32cc69968ec83a148366d16c76dc4 , < 9882a40640036d5bbc590426a78981526d4f2345 (git)

Linux

Affected: 6.2
Unaffected: 0 , < 6.2 (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/mediatek/mtk_plane.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "df1ad5de2197ea1b527d13ae7b699e9ee7d724d4",
              "status": "affected",
              "version": "c410fa9b07c32cc69968ec83a148366d16c76dc4",
              "versionType": "git"
            },
            {
              "lessThan": "0eaa0a3dfe218c4cf1a0782ccbbc9e3931718f17",
              "status": "affected",
              "version": "c410fa9b07c32cc69968ec83a148366d16c76dc4",
              "versionType": "git"
            },
            {
              "lessThan": "72223700b620885d556a4c52a63f5294316176c6",
              "status": "affected",
              "version": "c410fa9b07c32cc69968ec83a148366d16c76dc4",
              "versionType": "git"
            },
            {
              "lessThan": "9882a40640036d5bbc590426a78981526d4f2345",
              "status": "affected",
              "version": "c410fa9b07c32cc69968ec83a148366d16c76dc4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/mediatek/mtk_plane.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Disable AFBC support on Mediatek DRM driver\n\nCommit c410fa9b07c3 (\"drm/mediatek: Add AFBC support to Mediatek DRM\ndriver\") added AFBC support to Mediatek DRM and enabled the\n32x8/split/sparse modifier.\n\nHowever, this is currently broken on Mediatek MT8188 (Genio 700 EVK\nplatform); tested using upstream Kernel and Mesa (v25.2.1), AFBC is used by\ndefault since Mesa v25.0.\n\nKernel trace reports vblank timeouts constantly, and the render is garbled:\n\n```\n[CRTC:62:crtc-0] vblank wait timed out\nWARNING: CPU: 7 PID: 70 at drivers/gpu/drm/drm_atomic_helper.c:1835 drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c\n[...]\nHardware name: MediaTek Genio-700 EVK (DT)\nWorkqueue: events_unbound commit_work\npstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c\nlr : drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c\nsp : ffff80008337bca0\nx29: ffff80008337bcd0 x28: 0000000000000061 x27: 0000000000000000\nx26: 0000000000000001 x25: 0000000000000000 x24: ffff0000c9dcc000\nx23: 0000000000000001 x22: 0000000000000000 x21: ffff0000c66f2f80\nx20: ffff0000c0d7d880 x19: 0000000000000000 x18: 000000000000000a\nx17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000000\nx14: 0000000000000000 x13: 74756f2064656d69 x12: 742074696177206b\nx11: 0000000000000058 x10: 0000000000000018 x9 : ffff800082396a70\nx8 : 0000000000057fa8 x7 : 0000000000000cce x6 : ffff8000823eea70\nx5 : ffff0001fef5f408 x4 : ffff80017ccee000 x3 : ffff0000c12cb480\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c12cb480\nCall trace:\n drm_atomic_helper_wait_for_vblanks.part.0+0x24c/0x27c (P)\n drm_atomic_helper_commit_tail_rpm+0x64/0x80\n commit_tail+0xa4/0x1a4\n commit_work+0x14/0x20\n process_one_work+0x150/0x290\n worker_thread+0x2d0/0x3ec\n kthread+0x12c/0x210\n ret_from_fork+0x10/0x20\n---[ end trace 0000000000000000 ]---\n```\n\nUntil this gets fixed upstream, disable AFBC support on this platform, as\nit\u0027s currently broken with upstream Mesa."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T13:43:02.010Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/df1ad5de2197ea1b527d13ae7b699e9ee7d724d4"
        },
        {
          "url": "https://git.kernel.org/stable/c/0eaa0a3dfe218c4cf1a0782ccbbc9e3931718f17"
        },
        {
          "url": "https://git.kernel.org/stable/c/72223700b620885d556a4c52a63f5294316176c6"
        },
        {
          "url": "https://git.kernel.org/stable/c/9882a40640036d5bbc590426a78981526d4f2345"
        }
      ],
      "title": "drm/mediatek: Disable AFBC support on Mediatek DRM driver",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68184",
    "datePublished": "2025-12-16T13:43:02.010Z",
    "dateReserved": "2025-12-16T13:41:40.252Z",
    "dateUpdated": "2025-12-16T13:43:02.010Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40273 (GCVE-0-2025-40273)

Vulnerability from cvelistv5 – Published: 2025-12-06 21:50 – Updated: 2025-12-06 21:50

Title

NFSD: free copynotify stateid in nfs4_free_ol_stateid()

Summary

In the Linux kernel, the following vulnerability has been resolved: NFSD: free copynotify stateid in nfs4_free_ol_stateid() Typically copynotify stateid is freed either when parent's stateid is being close/freed or in nfsd4_laundromat if the stateid hasn't been used in a lease period. However, in case when the server got an OPEN (which created a parent stateid), followed by a COPY_NOTIFY using that stateid, followed by a client reboot. New client instance while doing CREATE_SESSION would force expire previous state of this client. It leads to the open state being freed thru release_openowner-> nfs4_free_ol_stateid() and it finds that it still has copynotify stateid associated with it. We currently print a warning and is triggerred WARNING: CPU: 1 PID: 8858 at fs/nfsd/nfs4state.c:1550 nfs4_free_ol_stateid+0xb0/0x100 [nfsd] This patch, instead, frees the associated copynotify stateid here. If the parent stateid is freed (without freeing the copynotify stateids associated with it), it leads to the list corruption when laundromat ends up freeing the copynotify state later. [ 1626.839430] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP [ 1626.842828] Modules linked in: nfnetlink_queue nfnetlink_log bluetooth cfg80211 rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd nfs_acl lockd grace nfs_localio ext4 crc16 mbcache jbd2 overlay uinput snd_seq_dummy snd_hrtimer qrtr rfkill vfat fat uvcvideo snd_hda_codec_generic videobuf2_vmalloc videobuf2_memops snd_hda_intel uvc snd_intel_dspcfg videobuf2_v4l2 videobuf2_common snd_hda_codec snd_hda_core videodev snd_hwdep snd_seq mc snd_seq_device snd_pcm snd_timer snd soundcore sg loop auth_rpcgss vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs 8021q garp stp llc mrp nvme ghash_ce e1000e nvme_core sr_mod nvme_keyring nvme_auth cdrom vmwgfx drm_ttm_helper ttm sunrpc dm_mirror dm_region_hash dm_log iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse dm_multipath dm_mod nfnetlink [ 1626.855594] CPU: 2 UID: 0 PID: 199 Comm: kworker/u24:33 Kdump: loaded Tainted: G B W 6.17.0-rc7+ #22 PREEMPT(voluntary) [ 1626.857075] Tainted: [B]=BAD_PAGE, [W]=WARN [ 1626.857573] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024 [ 1626.858724] Workqueue: nfsd4 laundromat_main [nfsd] [ 1626.859304] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 1626.860010] pc : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.860601] lr : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.861182] sp : ffff8000881d7a40 [ 1626.861521] x29: ffff8000881d7a40 x28: 0000000000000018 x27: ffff0000c2a98200 [ 1626.862260] x26: 0000000000000600 x25: 0000000000000000 x24: ffff8000881d7b20 [ 1626.862986] x23: ffff0000c2a981e8 x22: 1fffe00012410e7d x21: ffff0000920873e8 [ 1626.863701] x20: ffff0000920873e8 x19: ffff000086f22998 x18: 0000000000000000 [ 1626.864421] x17: 20747562202c3839 x16: 3932326636383030 x15: 3030666666662065 [ 1626.865092] x14: 6220646c756f6873 x13: 0000000000000001 x12: ffff60004fd9e4a3 [ 1626.865713] x11: 1fffe0004fd9e4a2 x10: ffff60004fd9e4a2 x9 : dfff800000000000 [ 1626.866320] x8 : 00009fffb0261b5e x7 : ffff00027ecf2513 x6 : 0000000000000001 [ 1626.866938] x5 : ffff00027ecf2510 x4 : ffff60004fd9e4a3 x3 : 0000000000000000 [ 1626.867553] x2 : 0000000000000000 x1 : ffff000096069640 x0 : 000000000000006d [ 1626.868167] Call trace: [ 1626.868382] __list_del_entry_valid_or_report+0x148/0x200 (P) [ 1626.868876] _free_cpntf_state_locked+0xd0/0x268 [nfsd] [ 1626.869368] nfs4_laundromat+0x6f8/0x1058 [nfsd] [ 1626.869813] laundromat_main+0x24/0x60 [nfsd] [ 1626.870231] process_one_work+0x584/0x1050 [ 1626.870595] worker_thread+0x4c4/0xc60 [ 1626.870893] kthread+0x2f8/0x398 [ 1626.871146] ret_from_fork+0x10/0x20 [ 1626.871422] Code: aa1303e1 aa1403e3 910e8000 97bc55d7 (d4210000) [ 1626.871892] SMP: stopping secondary CPUs

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/935a2dc8928670bb2…
	https://git.kernel.org/stable/c/b114996a095da39e3…
	https://git.kernel.org/stable/c/839f56f626723f369…
	https://git.kernel.org/stable/c/29fbb3ad4018ca2b0…
	https://git.kernel.org/stable/c/d7be15a634aa38748…
	https://git.kernel.org/stable/c/f67ad9b33b0e6f00d…
	https://git.kernel.org/stable/c/4aa17144d5abc3c75…

Impacted products

Vendor

Product

Version

Linux

Affected: 624322f1adc58acd0b69f77a6ddc764207e97241 , < 935a2dc8928670bb2c37e21025331e61ec48ccf4 (git)
Affected: 624322f1adc58acd0b69f77a6ddc764207e97241 , < b114996a095da39e38410a0328d4a8aca8c36088 (git)
Affected: 624322f1adc58acd0b69f77a6ddc764207e97241 , < 839f56f626723f36904764858467e7a3881b975d (git)
Affected: 624322f1adc58acd0b69f77a6ddc764207e97241 , < 29fbb3ad4018ca2b0988fbac76f4c694cc6d7e66 (git)
Affected: 624322f1adc58acd0b69f77a6ddc764207e97241 , < d7be15a634aa3874827d0d3ea47452ee878b8df7 (git)
Affected: 624322f1adc58acd0b69f77a6ddc764207e97241 , < f67ad9b33b0e6f00d2acc67cbf9cfa5c756be5fb (git)
Affected: 624322f1adc58acd0b69f77a6ddc764207e97241 , < 4aa17144d5abc3c756883e3a010246f0dba8b468 (git)

Linux

Affected: 5.6
Unaffected: 0 , < 5.6 (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.59 , ≤ 6.12.* (semver)
Unaffected: 6.17.9 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/nfs4state.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "935a2dc8928670bb2c37e21025331e61ec48ccf4",
              "status": "affected",
              "version": "624322f1adc58acd0b69f77a6ddc764207e97241",
              "versionType": "git"
            },
            {
              "lessThan": "b114996a095da39e38410a0328d4a8aca8c36088",
              "status": "affected",
              "version": "624322f1adc58acd0b69f77a6ddc764207e97241",
              "versionType": "git"
            },
            {
              "lessThan": "839f56f626723f36904764858467e7a3881b975d",
              "status": "affected",
              "version": "624322f1adc58acd0b69f77a6ddc764207e97241",
              "versionType": "git"
            },
            {
              "lessThan": "29fbb3ad4018ca2b0988fbac76f4c694cc6d7e66",
              "status": "affected",
              "version": "624322f1adc58acd0b69f77a6ddc764207e97241",
              "versionType": "git"
            },
            {
              "lessThan": "d7be15a634aa3874827d0d3ea47452ee878b8df7",
              "status": "affected",
              "version": "624322f1adc58acd0b69f77a6ddc764207e97241",
              "versionType": "git"
            },
            {
              "lessThan": "f67ad9b33b0e6f00d2acc67cbf9cfa5c756be5fb",
              "status": "affected",
              "version": "624322f1adc58acd0b69f77a6ddc764207e97241",
              "versionType": "git"
            },
            {
              "lessThan": "4aa17144d5abc3c756883e3a010246f0dba8b468",
              "status": "affected",
              "version": "624322f1adc58acd0b69f77a6ddc764207e97241",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/nfs4state.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.6"
            },
            {
              "lessThan": "5.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: free copynotify stateid in nfs4_free_ol_stateid()\n\nTypically copynotify stateid is freed either when parent\u0027s stateid\nis being close/freed or in nfsd4_laundromat if the stateid hasn\u0027t\nbeen used in a lease period.\n\nHowever, in case when the server got an OPEN (which created\na parent stateid), followed by a COPY_NOTIFY using that stateid,\nfollowed by a client reboot. New client instance while doing\nCREATE_SESSION would force expire previous state of this client.\nIt leads to the open state being freed thru release_openowner-\u003e\nnfs4_free_ol_stateid() and it finds that it still has copynotify\nstateid associated with it. We currently print a warning and is\ntriggerred\n\nWARNING: CPU: 1 PID: 8858 at fs/nfsd/nfs4state.c:1550 nfs4_free_ol_stateid+0xb0/0x100 [nfsd]\n\nThis patch, instead, frees the associated copynotify stateid here.\n\nIf the parent stateid is freed (without freeing the copynotify\nstateids associated with it), it leads to the list corruption\nwhen laundromat ends up freeing the copynotify state later.\n\n[ 1626.839430] Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP\n[ 1626.842828] Modules linked in: nfnetlink_queue nfnetlink_log bluetooth cfg80211 rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd nfs_acl lockd grace nfs_localio ext4 crc16 mbcache jbd2 overlay uinput snd_seq_dummy snd_hrtimer qrtr rfkill vfat fat uvcvideo snd_hda_codec_generic videobuf2_vmalloc videobuf2_memops snd_hda_intel uvc snd_intel_dspcfg videobuf2_v4l2 videobuf2_common snd_hda_codec snd_hda_core videodev snd_hwdep snd_seq mc snd_seq_device snd_pcm snd_timer snd soundcore sg loop auth_rpcgss vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs 8021q garp stp llc mrp nvme ghash_ce e1000e nvme_core sr_mod nvme_keyring nvme_auth cdrom vmwgfx drm_ttm_helper ttm sunrpc dm_mirror dm_region_hash dm_log iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse dm_multipath dm_mod nfnetlink\n[ 1626.855594] CPU: 2 UID: 0 PID: 199 Comm: kworker/u24:33 Kdump: loaded Tainted: G    B   W           6.17.0-rc7+ #22 PREEMPT(voluntary)\n[ 1626.857075] Tainted: [B]=BAD_PAGE, [W]=WARN\n[ 1626.857573] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024\n[ 1626.858724] Workqueue: nfsd4 laundromat_main [nfsd]\n[ 1626.859304] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[ 1626.860010] pc : __list_del_entry_valid_or_report+0x148/0x200\n[ 1626.860601] lr : __list_del_entry_valid_or_report+0x148/0x200\n[ 1626.861182] sp : ffff8000881d7a40\n[ 1626.861521] x29: ffff8000881d7a40 x28: 0000000000000018 x27: ffff0000c2a98200\n[ 1626.862260] x26: 0000000000000600 x25: 0000000000000000 x24: ffff8000881d7b20\n[ 1626.862986] x23: ffff0000c2a981e8 x22: 1fffe00012410e7d x21: ffff0000920873e8\n[ 1626.863701] x20: ffff0000920873e8 x19: ffff000086f22998 x18: 0000000000000000\n[ 1626.864421] x17: 20747562202c3839 x16: 3932326636383030 x15: 3030666666662065\n[ 1626.865092] x14: 6220646c756f6873 x13: 0000000000000001 x12: ffff60004fd9e4a3\n[ 1626.865713] x11: 1fffe0004fd9e4a2 x10: ffff60004fd9e4a2 x9 : dfff800000000000\n[ 1626.866320] x8 : 00009fffb0261b5e x7 : ffff00027ecf2513 x6 : 0000000000000001\n[ 1626.866938] x5 : ffff00027ecf2510 x4 : ffff60004fd9e4a3 x3 : 0000000000000000\n[ 1626.867553] x2 : 0000000000000000 x1 : ffff000096069640 x0 : 000000000000006d\n[ 1626.868167] Call trace:\n[ 1626.868382]  __list_del_entry_valid_or_report+0x148/0x200 (P)\n[ 1626.868876]  _free_cpntf_state_locked+0xd0/0x268 [nfsd]\n[ 1626.869368]  nfs4_laundromat+0x6f8/0x1058 [nfsd]\n[ 1626.869813]  laundromat_main+0x24/0x60 [nfsd]\n[ 1626.870231]  process_one_work+0x584/0x1050\n[ 1626.870595]  worker_thread+0x4c4/0xc60\n[ 1626.870893]  kthread+0x2f8/0x398\n[ 1626.871146]  ret_from_fork+0x10/0x20\n[ 1626.871422] Code: aa1303e1 aa1403e3 910e8000 97bc55d7 (d4210000)\n[ 1626.871892] SMP: stopping secondary CPUs"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-06T21:50:55.723Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/935a2dc8928670bb2c37e21025331e61ec48ccf4"
        },
        {
          "url": "https://git.kernel.org/stable/c/b114996a095da39e38410a0328d4a8aca8c36088"
        },
        {
          "url": "https://git.kernel.org/stable/c/839f56f626723f36904764858467e7a3881b975d"
        },
        {
          "url": "https://git.kernel.org/stable/c/29fbb3ad4018ca2b0988fbac76f4c694cc6d7e66"
        },
        {
          "url": "https://git.kernel.org/stable/c/d7be15a634aa3874827d0d3ea47452ee878b8df7"
        },
        {
          "url": "https://git.kernel.org/stable/c/f67ad9b33b0e6f00d2acc67cbf9cfa5c756be5fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/4aa17144d5abc3c756883e3a010246f0dba8b468"
        }
      ],
      "title": "NFSD: free copynotify stateid in nfs4_free_ol_stateid()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40273",
    "datePublished": "2025-12-06T21:50:55.723Z",
    "dateReserved": "2025-04-16T07:20:57.183Z",
    "dateUpdated": "2025-12-06T21:50:55.723Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40304 (GCVE-0-2025-40304)

Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-01-02 15:33

Title

fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds

Summary

In the Linux kernel, the following vulnerability has been resolved: fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds Add bounds checking to prevent writes past framebuffer boundaries when rendering text near screen edges. Return early if the Y position is off-screen and clip image height to screen boundary. Break from the rendering loop if the X position is off-screen. When clipping image width to fit the screen, update the character count to match the clipped width to prevent buffer size mismatches. Without the character count update, bit_putcs_aligned and bit_putcs_unaligned receive mismatched parameters where the buffer is allocated for the clipped width but cnt reflects the original larger count, causing out-of-bounds writes.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/996bfaa7372d6718b…
	https://git.kernel.org/stable/c/f0982400648a3e005…
	https://git.kernel.org/stable/c/1943b69e87b0ab350…
	https://git.kernel.org/stable/c/ebc0730b490c7f273…
	https://git.kernel.org/stable/c/86df8ade88d290725…
	https://git.kernel.org/stable/c/15ba9acafb0517f83…
	https://git.kernel.org/stable/c/2d1359e11674ed427…
	https://git.kernel.org/stable/c/3637d34b35b287ab8…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 996bfaa7372d6718b6d860bdf78f6618e850c702 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f0982400648a3e00580253e0c48e991f34d2684c (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1943b69e87b0ab35032d47de0a7fca9a3d1d6fc1 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ebc0730b490c7f27340b1222e01dd106e820320d (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 86df8ade88d290725554cefd03101ecd0fbd3752 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 15ba9acafb0517f8359ca30002c189a68ddbb939 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2d1359e11674ed4274934eac8a71877ae5ae7bbb (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3637d34b35b287ab830e66048841ace404382b67 (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.302 , ≤ 5.4.* (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/core/bitblit.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "996bfaa7372d6718b6d860bdf78f6618e850c702",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f0982400648a3e00580253e0c48e991f34d2684c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1943b69e87b0ab35032d47de0a7fca9a3d1d6fc1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ebc0730b490c7f27340b1222e01dd106e820320d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "86df8ade88d290725554cefd03101ecd0fbd3752",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "15ba9acafb0517f8359ca30002c189a68ddbb939",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "2d1359e11674ed4274934eac8a71877ae5ae7bbb",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "3637d34b35b287ab830e66048841ace404382b67",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/core/bitblit.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.302",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.302",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds\n\nAdd bounds checking to prevent writes past framebuffer boundaries when\nrendering text near screen edges. Return early if the Y position is off-screen\nand clip image height to screen boundary. Break from the rendering loop if the\nX position is off-screen. When clipping image width to fit the screen, update\nthe character count to match the clipped width to prevent buffer size\nmismatches.\n\nWithout the character count update, bit_putcs_aligned and bit_putcs_unaligned\nreceive mismatched parameters where the buffer is allocated for the clipped\nwidth but cnt reflects the original larger count, causing out-of-bounds writes."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:33:26.347Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/996bfaa7372d6718b6d860bdf78f6618e850c702"
        },
        {
          "url": "https://git.kernel.org/stable/c/f0982400648a3e00580253e0c48e991f34d2684c"
        },
        {
          "url": "https://git.kernel.org/stable/c/1943b69e87b0ab35032d47de0a7fca9a3d1d6fc1"
        },
        {
          "url": "https://git.kernel.org/stable/c/ebc0730b490c7f27340b1222e01dd106e820320d"
        },
        {
          "url": "https://git.kernel.org/stable/c/86df8ade88d290725554cefd03101ecd0fbd3752"
        },
        {
          "url": "https://git.kernel.org/stable/c/15ba9acafb0517f8359ca30002c189a68ddbb939"
        },
        {
          "url": "https://git.kernel.org/stable/c/2d1359e11674ed4274934eac8a71877ae5ae7bbb"
        },
        {
          "url": "https://git.kernel.org/stable/c/3637d34b35b287ab830e66048841ace404382b67"
        }
      ],
      "title": "fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40304",
    "datePublished": "2025-12-08T00:46:29.013Z",
    "dateReserved": "2025-04-16T07:20:57.185Z",
    "dateUpdated": "2026-01-02T15:33:26.347Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68202 (GCVE-0-2025-68202)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:48 – Updated: 2025-12-16 13:48

Title

sched_ext: Fix unsafe locking in the scx_dump_state()

Summary

In the Linux kernel, the following vulnerability has been resolved: sched_ext: Fix unsafe locking in the scx_dump_state() For built with CONFIG_PREEMPT_RT=y kernels, the dump_lock will be converted sleepable spinlock and not disable-irq, so the following scenarios occur: inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. irq_work/0/27 [HC0[0]:SC0[0]:HE1:SE1] takes: (&rq->__lock){?...}-{2:2}, at: raw_spin_rq_lock_nested+0x2b/0x40 {IN-HARDIRQ-W} state was registered at: lock_acquire+0x1e1/0x510 _raw_spin_lock_nested+0x42/0x80 raw_spin_rq_lock_nested+0x2b/0x40 sched_tick+0xae/0x7b0 update_process_times+0x14c/0x1b0 tick_periodic+0x62/0x1f0 tick_handle_periodic+0x48/0xf0 timer_interrupt+0x55/0x80 __handle_irq_event_percpu+0x20a/0x5c0 handle_irq_event_percpu+0x18/0xc0 handle_irq_event+0xb5/0x150 handle_level_irq+0x220/0x460 __common_interrupt+0xa2/0x1e0 common_interrupt+0xb0/0xd0 asm_common_interrupt+0x2b/0x40 _raw_spin_unlock_irqrestore+0x45/0x80 __setup_irq+0xc34/0x1a30 request_threaded_irq+0x214/0x2f0 hpet_time_init+0x3e/0x60 x86_late_time_init+0x5b/0xb0 start_kernel+0x308/0x410 x86_64_start_reservations+0x1c/0x30 x86_64_start_kernel+0x96/0xa0 common_startup_64+0x13e/0x148 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&rq->__lock); <Interrupt> lock(&rq->__lock); *** DEADLOCK *** stack backtrace: CPU: 0 UID: 0 PID: 27 Comm: irq_work/0 Call Trace: <TASK> dump_stack_lvl+0x8c/0xd0 dump_stack+0x14/0x20 print_usage_bug+0x42e/0x690 mark_lock.part.44+0x867/0xa70 ? __pfx_mark_lock.part.44+0x10/0x10 ? string_nocheck+0x19c/0x310 ? number+0x739/0x9f0 ? __pfx_string_nocheck+0x10/0x10 ? __pfx_check_pointer+0x10/0x10 ? kvm_sched_clock_read+0x15/0x30 ? sched_clock_noinstr+0xd/0x20 ? local_clock_noinstr+0x1c/0xe0 __lock_acquire+0xc4b/0x62b0 ? __pfx_format_decode+0x10/0x10 ? __pfx_string+0x10/0x10 ? __pfx___lock_acquire+0x10/0x10 ? __pfx_vsnprintf+0x10/0x10 lock_acquire+0x1e1/0x510 ? raw_spin_rq_lock_nested+0x2b/0x40 ? __pfx_lock_acquire+0x10/0x10 ? dump_line+0x12e/0x270 ? raw_spin_rq_lock_nested+0x20/0x40 _raw_spin_lock_nested+0x42/0x80 ? raw_spin_rq_lock_nested+0x2b/0x40 raw_spin_rq_lock_nested+0x2b/0x40 scx_dump_state+0x3b3/0x1270 ? finish_task_switch+0x27e/0x840 scx_ops_error_irq_workfn+0x67/0x80 irq_work_single+0x113/0x260 irq_work_run_list.part.3+0x44/0x70 run_irq_workd+0x6b/0x90 ? __pfx_run_irq_workd+0x10/0x10 smpboot_thread_fn+0x529/0x870 ? __pfx_smpboot_thread_fn+0x10/0x10 kthread+0x305/0x3f0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x40/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> This commit therefore use rq_lock_irqsave/irqrestore() to replace rq_lock/unlock() in the scx_dump_state().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/13d1c96d3a9f208bc…
	https://git.kernel.org/stable/c/b6109750063d3b9ac…
	https://git.kernel.org/stable/c/5f02151c411dda46e…

Impacted products

Vendor

Product

Version

Linux

Affected: 07814a9439a3b03d79a1001614b5bc1cab69bcec , < 13d1c96d3a9f208bc1aa8642f6362dca25a157d2 (git)
Affected: 07814a9439a3b03d79a1001614b5bc1cab69bcec , < b6109750063d3b9aca1c57031213ac5485a06c54 (git)
Affected: 07814a9439a3b03d79a1001614b5bc1cab69bcec , < 5f02151c411dda46efcc5dc57b0845efcdcfc26d (git)

Linux

Affected: 6.12
Unaffected: 0 , < 6.12 (semver)
Unaffected: 6.12.59 , ≤ 6.12.* (semver)
Unaffected: 6.17.9 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/sched/ext.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "13d1c96d3a9f208bc1aa8642f6362dca25a157d2",
              "status": "affected",
              "version": "07814a9439a3b03d79a1001614b5bc1cab69bcec",
              "versionType": "git"
            },
            {
              "lessThan": "b6109750063d3b9aca1c57031213ac5485a06c54",
              "status": "affected",
              "version": "07814a9439a3b03d79a1001614b5bc1cab69bcec",
              "versionType": "git"
            },
            {
              "lessThan": "5f02151c411dda46efcc5dc57b0845efcdcfc26d",
              "status": "affected",
              "version": "07814a9439a3b03d79a1001614b5bc1cab69bcec",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/sched/ext.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched_ext: Fix unsafe locking in the scx_dump_state()\n\nFor built with CONFIG_PREEMPT_RT=y kernels, the dump_lock will be converted\nsleepable spinlock and not disable-irq, so the following scenarios occur:\n\ninconsistent {IN-HARDIRQ-W} -\u003e {HARDIRQ-ON-W} usage.\nirq_work/0/27 [HC0[0]:SC0[0]:HE1:SE1] takes:\n(\u0026rq-\u003e__lock){?...}-{2:2}, at: raw_spin_rq_lock_nested+0x2b/0x40\n{IN-HARDIRQ-W} state was registered at:\n   lock_acquire+0x1e1/0x510\n   _raw_spin_lock_nested+0x42/0x80\n   raw_spin_rq_lock_nested+0x2b/0x40\n   sched_tick+0xae/0x7b0\n   update_process_times+0x14c/0x1b0\n   tick_periodic+0x62/0x1f0\n   tick_handle_periodic+0x48/0xf0\n   timer_interrupt+0x55/0x80\n   __handle_irq_event_percpu+0x20a/0x5c0\n   handle_irq_event_percpu+0x18/0xc0\n   handle_irq_event+0xb5/0x150\n   handle_level_irq+0x220/0x460\n   __common_interrupt+0xa2/0x1e0\n   common_interrupt+0xb0/0xd0\n   asm_common_interrupt+0x2b/0x40\n   _raw_spin_unlock_irqrestore+0x45/0x80\n   __setup_irq+0xc34/0x1a30\n   request_threaded_irq+0x214/0x2f0\n   hpet_time_init+0x3e/0x60\n   x86_late_time_init+0x5b/0xb0\n   start_kernel+0x308/0x410\n   x86_64_start_reservations+0x1c/0x30\n   x86_64_start_kernel+0x96/0xa0\n   common_startup_64+0x13e/0x148\n\n other info that might help us debug this:\n Possible unsafe locking scenario:\n\n        CPU0\n        ----\n   lock(\u0026rq-\u003e__lock);\n   \u003cInterrupt\u003e\n     lock(\u0026rq-\u003e__lock);\n\n  *** DEADLOCK ***\n\n stack backtrace:\n CPU: 0 UID: 0 PID: 27 Comm: irq_work/0\n Call Trace:\n  \u003cTASK\u003e\n  dump_stack_lvl+0x8c/0xd0\n  dump_stack+0x14/0x20\n  print_usage_bug+0x42e/0x690\n  mark_lock.part.44+0x867/0xa70\n  ? __pfx_mark_lock.part.44+0x10/0x10\n  ? string_nocheck+0x19c/0x310\n  ? number+0x739/0x9f0\n  ? __pfx_string_nocheck+0x10/0x10\n  ? __pfx_check_pointer+0x10/0x10\n  ? kvm_sched_clock_read+0x15/0x30\n  ? sched_clock_noinstr+0xd/0x20\n  ? local_clock_noinstr+0x1c/0xe0\n  __lock_acquire+0xc4b/0x62b0\n  ? __pfx_format_decode+0x10/0x10\n  ? __pfx_string+0x10/0x10\n  ? __pfx___lock_acquire+0x10/0x10\n  ? __pfx_vsnprintf+0x10/0x10\n  lock_acquire+0x1e1/0x510\n  ? raw_spin_rq_lock_nested+0x2b/0x40\n  ? __pfx_lock_acquire+0x10/0x10\n  ? dump_line+0x12e/0x270\n  ? raw_spin_rq_lock_nested+0x20/0x40\n  _raw_spin_lock_nested+0x42/0x80\n  ? raw_spin_rq_lock_nested+0x2b/0x40\n  raw_spin_rq_lock_nested+0x2b/0x40\n  scx_dump_state+0x3b3/0x1270\n  ? finish_task_switch+0x27e/0x840\n  scx_ops_error_irq_workfn+0x67/0x80\n  irq_work_single+0x113/0x260\n  irq_work_run_list.part.3+0x44/0x70\n  run_irq_workd+0x6b/0x90\n  ? __pfx_run_irq_workd+0x10/0x10\n  smpboot_thread_fn+0x529/0x870\n  ? __pfx_smpboot_thread_fn+0x10/0x10\n  kthread+0x305/0x3f0\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork+0x40/0x70\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork_asm+0x1a/0x30\n  \u003c/TASK\u003e\n\nThis commit therefore use rq_lock_irqsave/irqrestore() to replace\nrq_lock/unlock() in the scx_dump_state()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T13:48:30.376Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/13d1c96d3a9f208bc1aa8642f6362dca25a157d2"
        },
        {
          "url": "https://git.kernel.org/stable/c/b6109750063d3b9aca1c57031213ac5485a06c54"
        },
        {
          "url": "https://git.kernel.org/stable/c/5f02151c411dda46efcc5dc57b0845efcdcfc26d"
        }
      ],
      "title": "sched_ext: Fix unsafe locking in the scx_dump_state()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68202",
    "datePublished": "2025-12-16T13:48:30.376Z",
    "dateReserved": "2025-12-16T13:41:40.255Z",
    "dateUpdated": "2025-12-16T13:48:30.376Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40280 (GCVE-0-2025-40280)

Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2025-12-06 21:51

Title

tipc: Fix use-after-free in tipc_mon_reinit_self().

Summary

In the Linux kernel, the following vulnerability has been resolved: tipc: Fix use-after-free in tipc_mon_reinit_self(). syzbot reported use-after-free of tipc_net(net)->monitors[] in tipc_mon_reinit_self(). [0] The array is protected by RTNL, but tipc_mon_reinit_self() iterates over it without RTNL. tipc_mon_reinit_self() is called from tipc_net_finalize(), which is always under RTNL except for tipc_net_finalize_work(). Let's hold RTNL in tipc_net_finalize_work(). [0]: BUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162 Read of size 1 at addr ffff88805eae1030 by task kworker/0:7/5989 CPU: 0 UID: 0 PID: 5989 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 Workqueue: events tipc_net_finalize_work Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:568 kasan_check_byte include/linux/kasan.h:399 [inline] lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162 rtlock_slowlock kernel/locking/rtmutex.c:1894 [inline] rwbase_rtmutex_lock_state kernel/locking/spinlock_rt.c:160 [inline] rwbase_write_lock+0xd3/0x7e0 kernel/locking/rwbase_rt.c:244 rt_write_lock+0x76/0x110 kernel/locking/spinlock_rt.c:243 write_lock_bh include/linux/rwlock_rt.h:99 [inline] tipc_mon_reinit_self+0x79/0x430 net/tipc/monitor.c:718 tipc_net_finalize+0x115/0x190 net/tipc/net.c:140 process_one_work kernel/workqueue.c:3236 [inline] process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400 kthread+0x70e/0x8a0 kernel/kthread.c:463 ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 6089: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:388 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x1a8/0x320 mm/slub.c:4407 kmalloc_noprof include/linux/slab.h:905 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] tipc_mon_create+0xc3/0x4d0 net/tipc/monitor.c:657 tipc_enable_bearer net/tipc/bearer.c:357 [inline] __tipc_nl_bearer_enable+0xe16/0x13f0 net/tipc/bearer.c:1047 __tipc_nl_compat_doit net/tipc/netlink_compat.c:371 [inline] tipc_nl_compat_doit+0x3bc/0x5f0 net/tipc/netlink_compat.c:393 tipc_nl_compat_handle net/tipc/netlink_compat.c:-1 [inline] tipc_nl_compat_recv+0x83c/0xbe0 net/tipc/netlink_compat.c:1321 genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:729 ____sys_sendmsg+0x508/0x820 net/socket.c:2614 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668 __sys_sendmsg net/socket.c:2700 [inline] __do_sys_sendmsg net/socket.c:2705 [inline] __se_sys_sendmsg net/socket.c:2703 [inline] __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2703 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/ ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/5f541300b02ef8b2a…
	https://git.kernel.org/stable/c/b2e77c789c234e7fe…
	https://git.kernel.org/stable/c/51b8f0ab888f8aa5d…
	https://git.kernel.org/stable/c/499b5fa78d525c445…
	https://git.kernel.org/stable/c/c92dbf85627b5c29e…
	https://git.kernel.org/stable/c/f0104977fed25ebe0…
	https://git.kernel.org/stable/c/fdf7c4c9af4f24632…
	https://git.kernel.org/stable/c/0725e6afb55128be2…

Impacted products

Vendor

Product

Version

Linux

Affected: 28845c28f842e9e55e75b2c116bff714bb039055 , < 5f541300b02ef8b2af34f6f7d41ce617f3571e88 (git)
Affected: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 , < b2e77c789c234e7fe49057d2ced8f32e2d2c7901 (git)
Affected: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 , < 51b8f0ab888f8aa5dfac954918864eeda8c12c19 (git)
Affected: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 , < 499b5fa78d525c4450ebb76db83207db71efea77 (git)
Affected: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 , < c92dbf85627b5c29e52d9c120a24e785801716df (git)
Affected: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 , < f0104977fed25ebe001fd63dab2b6b7fefad3373 (git)
Affected: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 , < fdf7c4c9af4f246323ce854e84b6aec198d49f7e (git)
Affected: 46cb01eeeb86fca6afe24dda1167b0cb95424e29 , < 0725e6afb55128be21a2ca36e9674f573ccec173 (git)
Affected: 295c9b554f6dfcd2d368fae6e6fa22ee5b79c123 (git)

Linux

Affected: 5.5
Unaffected: 0 , < 5.5 (semver)
Unaffected: 5.4.302 , ≤ 5.4.* (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.59 , ≤ 6.12.* (semver)
Unaffected: 6.17.9 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/tipc/net.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5f541300b02ef8b2af34f6f7d41ce617f3571e88",
              "status": "affected",
              "version": "28845c28f842e9e55e75b2c116bff714bb039055",
              "versionType": "git"
            },
            {
              "lessThan": "b2e77c789c234e7fe49057d2ced8f32e2d2c7901",
              "status": "affected",
              "version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
              "versionType": "git"
            },
            {
              "lessThan": "51b8f0ab888f8aa5dfac954918864eeda8c12c19",
              "status": "affected",
              "version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
              "versionType": "git"
            },
            {
              "lessThan": "499b5fa78d525c4450ebb76db83207db71efea77",
              "status": "affected",
              "version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
              "versionType": "git"
            },
            {
              "lessThan": "c92dbf85627b5c29e52d9c120a24e785801716df",
              "status": "affected",
              "version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
              "versionType": "git"
            },
            {
              "lessThan": "f0104977fed25ebe001fd63dab2b6b7fefad3373",
              "status": "affected",
              "version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
              "versionType": "git"
            },
            {
              "lessThan": "fdf7c4c9af4f246323ce854e84b6aec198d49f7e",
              "status": "affected",
              "version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
              "versionType": "git"
            },
            {
              "lessThan": "0725e6afb55128be21a2ca36e9674f573ccec173",
              "status": "affected",
              "version": "46cb01eeeb86fca6afe24dda1167b0cb95424e29",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "295c9b554f6dfcd2d368fae6e6fa22ee5b79c123",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/tipc/net.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.5"
            },
            {
              "lessThan": "5.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.302",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.302",
                  "versionStartIncluding": "5.4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.99",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: Fix use-after-free in tipc_mon_reinit_self().\n\nsyzbot reported use-after-free of tipc_net(net)-\u003emonitors[]\nin tipc_mon_reinit_self(). [0]\n\nThe array is protected by RTNL, but tipc_mon_reinit_self()\niterates over it without RTNL.\n\ntipc_mon_reinit_self() is called from tipc_net_finalize(),\nwhich is always under RTNL except for tipc_net_finalize_work().\n\nLet\u0027s hold RTNL in tipc_net_finalize_work().\n\n[0]:\nBUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\nBUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162\nRead of size 1 at addr ffff88805eae1030 by task kworker/0:7/5989\n\nCPU: 0 UID: 0 PID: 5989 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT_{RT,(full)}\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\nWorkqueue: events tipc_net_finalize_work\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xca/0x240 mm/kasan/report.c:482\n kasan_report+0x118/0x150 mm/kasan/report.c:595\n __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:568\n kasan_check_byte include/linux/kasan.h:399 [inline]\n lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162\n rtlock_slowlock kernel/locking/rtmutex.c:1894 [inline]\n rwbase_rtmutex_lock_state kernel/locking/spinlock_rt.c:160 [inline]\n rwbase_write_lock+0xd3/0x7e0 kernel/locking/rwbase_rt.c:244\n rt_write_lock+0x76/0x110 kernel/locking/spinlock_rt.c:243\n write_lock_bh include/linux/rwlock_rt.h:99 [inline]\n tipc_mon_reinit_self+0x79/0x430 net/tipc/monitor.c:718\n tipc_net_finalize+0x115/0x190 net/tipc/net.c:140\n process_one_work kernel/workqueue.c:3236 [inline]\n process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319\n worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400\n kthread+0x70e/0x8a0 kernel/kthread.c:463\n ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nAllocated by task 6089:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3e/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:388 [inline]\n __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __kmalloc_cache_noprof+0x1a8/0x320 mm/slub.c:4407\n kmalloc_noprof include/linux/slab.h:905 [inline]\n kzalloc_noprof include/linux/slab.h:1039 [inline]\n tipc_mon_create+0xc3/0x4d0 net/tipc/monitor.c:657\n tipc_enable_bearer net/tipc/bearer.c:357 [inline]\n __tipc_nl_bearer_enable+0xe16/0x13f0 net/tipc/bearer.c:1047\n __tipc_nl_compat_doit net/tipc/netlink_compat.c:371 [inline]\n tipc_nl_compat_doit+0x3bc/0x5f0 net/tipc/netlink_compat.c:393\n tipc_nl_compat_handle net/tipc/netlink_compat.c:-1 [inline]\n tipc_nl_compat_recv+0x83c/0xbe0 net/tipc/netlink_compat.c:1321\n genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115\n genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210\n netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]\n netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346\n netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896\n sock_sendmsg_nosec net/socket.c:714 [inline]\n __sock_sendmsg+0x21c/0x270 net/socket.c:729\n ____sys_sendmsg+0x508/0x820 net/socket.c:2614\n ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668\n __sys_sendmsg net/socket.c:2700 [inline]\n __do_sys_sendmsg net/socket.c:2705 [inline]\n __se_sys_sendmsg net/socket.c:2703 [inline]\n __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2703\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xfa/0x3b0 arch/\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-06T21:51:04.091Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5f541300b02ef8b2af34f6f7d41ce617f3571e88"
        },
        {
          "url": "https://git.kernel.org/stable/c/b2e77c789c234e7fe49057d2ced8f32e2d2c7901"
        },
        {
          "url": "https://git.kernel.org/stable/c/51b8f0ab888f8aa5dfac954918864eeda8c12c19"
        },
        {
          "url": "https://git.kernel.org/stable/c/499b5fa78d525c4450ebb76db83207db71efea77"
        },
        {
          "url": "https://git.kernel.org/stable/c/c92dbf85627b5c29e52d9c120a24e785801716df"
        },
        {
          "url": "https://git.kernel.org/stable/c/f0104977fed25ebe001fd63dab2b6b7fefad3373"
        },
        {
          "url": "https://git.kernel.org/stable/c/fdf7c4c9af4f246323ce854e84b6aec198d49f7e"
        },
        {
          "url": "https://git.kernel.org/stable/c/0725e6afb55128be21a2ca36e9674f573ccec173"
        }
      ],
      "title": "tipc: Fix use-after-free in tipc_mon_reinit_self().",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40280",
    "datePublished": "2025-12-06T21:51:04.091Z",
    "dateReserved": "2025-04-16T07:20:57.184Z",
    "dateUpdated": "2025-12-06T21:51:04.091Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68344 (GCVE-0-2025-68344)

Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-01-19 12:18

Title

ALSA: wavefront: Fix integer overflow in sample size validation

Summary

In the Linux kernel, the following vulnerability has been resolved: ALSA: wavefront: Fix integer overflow in sample size validation The wavefront_send_sample() function has an integer overflow issue when validating sample size. The header->size field is u32 but gets cast to int for comparison with dev->freemem Fix by using unsigned comparison to avoid integer overflow.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/488bf86d60077f528…
	https://git.kernel.org/stable/c/d2f5d8cf1eadb7b33…
	https://git.kernel.org/stable/c/4f811071e702fbb74…
	https://git.kernel.org/stable/c/02b63f3bc29265bd9…
	https://git.kernel.org/stable/c/5588b7c86effffa9b…
	https://git.kernel.org/stable/c/bca11de0a277b8bae…
	https://git.kernel.org/stable/c/1823e08f76c68b9e1…
	https://git.kernel.org/stable/c/0c4a13ba88594fd4a…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 488bf86d60077f52810c60dbdf7468c277880167 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d2f5d8cf1eadb7b33e476f59aa9c6653e4f2b937 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4f811071e702fbb74933526e2fbadf8c4ed0c0c4 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 02b63f3bc29265bd9e83191792d200ed563acacf (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5588b7c86effffa9bb55383a38800649d7b40778 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < bca11de0a277b8baeb7d006f93b543c907b6e782 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1823e08f76c68b9e1d26f6d5ef831b96f61a62a0 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0c4a13ba88594fd4a27292853e736c6b4349823d (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.10.248 , ≤ 5.10.* (semver)
Unaffected: 5.15.198 , ≤ 5.15.* (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.63 , ≤ 6.12.* (semver)
Unaffected: 6.17.13 , ≤ 6.17.* (semver)
Unaffected: 6.18.2 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/isa/wavefront/wavefront_synth.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "488bf86d60077f52810c60dbdf7468c277880167",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d2f5d8cf1eadb7b33e476f59aa9c6653e4f2b937",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4f811071e702fbb74933526e2fbadf8c4ed0c0c4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "02b63f3bc29265bd9e83191792d200ed563acacf",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5588b7c86effffa9bb55383a38800649d7b40778",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "bca11de0a277b8baeb7d006f93b543c907b6e782",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1823e08f76c68b9e1d26f6d5ef831b96f61a62a0",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0c4a13ba88594fd4a27292853e736c6b4349823d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/isa/wavefront/wavefront_synth.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.248",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.63",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.248",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.198",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.63",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.13",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.2",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: wavefront: Fix integer overflow in sample size validation\n\nThe wavefront_send_sample() function has an integer overflow issue\nwhen validating sample size. The header-\u003esize field is u32 but gets\ncast to int for comparison with dev-\u003efreemem\n\nFix by using unsigned comparison to avoid integer overflow."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-19T12:18:23.739Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/488bf86d60077f52810c60dbdf7468c277880167"
        },
        {
          "url": "https://git.kernel.org/stable/c/d2f5d8cf1eadb7b33e476f59aa9c6653e4f2b937"
        },
        {
          "url": "https://git.kernel.org/stable/c/4f811071e702fbb74933526e2fbadf8c4ed0c0c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/02b63f3bc29265bd9e83191792d200ed563acacf"
        },
        {
          "url": "https://git.kernel.org/stable/c/5588b7c86effffa9bb55383a38800649d7b40778"
        },
        {
          "url": "https://git.kernel.org/stable/c/bca11de0a277b8baeb7d006f93b543c907b6e782"
        },
        {
          "url": "https://git.kernel.org/stable/c/1823e08f76c68b9e1d26f6d5ef831b96f61a62a0"
        },
        {
          "url": "https://git.kernel.org/stable/c/0c4a13ba88594fd4a27292853e736c6b4349823d"
        }
      ],
      "title": "ALSA: wavefront: Fix integer overflow in sample size validation",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68344",
    "datePublished": "2025-12-24T10:32:37.615Z",
    "dateReserved": "2025-12-16T14:48:05.299Z",
    "dateUpdated": "2026-01-19T12:18:23.739Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21718 (GCVE-0-2025-21718)

Vulnerability from cvelistv5 – Published: 2025-02-27 02:07 – Updated: 2025-11-03 19:36

Title

net: rose: fix timer races against user threads

Summary

In the Linux kernel, the following vulnerability has been resolved: net: rose: fix timer races against user threads Rose timers only acquire the socket spinlock, without checking if the socket is owned by one user thread. Add a check and rearm the timers if needed. BUG: KASAN: slab-use-after-free in rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174 Read of size 2 at addr ffff88802f09b82a by task swapper/0/0 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174 call_timer_fn+0x187/0x650 kernel/time/timer.c:1793 expire_timers kernel/time/timer.c:1844 [inline] __run_timers kernel/time/timer.c:2418 [inline] __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2430 run_timer_base kernel/time/timer.c:2439 [inline] run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2449 handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561 __do_softirq kernel/softirq.c:595 [inline] invoke_softirq kernel/softirq.c:435 [inline] __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049 </IRQ>

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/52f5aff33ca73b2c2…
	https://git.kernel.org/stable/c/0d5bca3be27bfcf8f…
	https://git.kernel.org/stable/c/1409b45d4690308c5…
	https://git.kernel.org/stable/c/f55c88e3ca5939a6a…
	https://git.kernel.org/stable/c/51c128ba038cf1b79…
	https://git.kernel.org/stable/c/1992fb261c90e9827…
	https://git.kernel.org/stable/c/58051a284ac18a3bb…
	https://git.kernel.org/stable/c/5de7665e0a0746b5a…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 52f5aff33ca73b2c2fa93f40a3de308012e63cf4 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0d5bca3be27bfcf8f980f2fed49b6cbb7dafe4a1 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1409b45d4690308c502c6caf22f01c3c205b4717 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f55c88e3ca5939a6a8a329024aed8f3d98eea8e4 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 51c128ba038cf1b79d605cbee325919b45ab95a5 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1992fb261c90e9827cf5dc3115d89bb0853252c9 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 58051a284ac18a3bb815aac6289a679903ddcc3f (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5de7665e0a0746b5ad7943554b34db8f8614a196 (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.6.76 , ≤ 6.6.* (semver)
Unaffected: 6.12.13 , ≤ 6.12.* (semver)
Unaffected: 6.13.2 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:36:13.575Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/rose/rose_timer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "52f5aff33ca73b2c2fa93f40a3de308012e63cf4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0d5bca3be27bfcf8f980f2fed49b6cbb7dafe4a1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1409b45d4690308c502c6caf22f01c3c205b4717",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f55c88e3ca5939a6a8a329024aed8f3d98eea8e4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "51c128ba038cf1b79d605cbee325919b45ab95a5",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1992fb261c90e9827cf5dc3115d89bb0853252c9",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "58051a284ac18a3bb815aac6289a679903ddcc3f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5de7665e0a0746b5ad7943554b34db8f8614a196",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/rose/rose_timer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: fix timer races against user threads\n\nRose timers only acquire the socket spinlock, without\nchecking if the socket is owned by one user thread.\n\nAdd a check and rearm the timers if needed.\n\nBUG: KASAN: slab-use-after-free in rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174\nRead of size 2 at addr ffff88802f09b82a by task swapper/0/0\n\nCPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n \u003cIRQ\u003e\n  __dump_stack lib/dump_stack.c:94 [inline]\n  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n  print_address_description mm/kasan/report.c:378 [inline]\n  print_report+0x169/0x550 mm/kasan/report.c:489\n  kasan_report+0x143/0x180 mm/kasan/report.c:602\n  rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174\n  call_timer_fn+0x187/0x650 kernel/time/timer.c:1793\n  expire_timers kernel/time/timer.c:1844 [inline]\n  __run_timers kernel/time/timer.c:2418 [inline]\n  __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2430\n  run_timer_base kernel/time/timer.c:2439 [inline]\n  run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2449\n  handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561\n  __do_softirq kernel/softirq.c:595 [inline]\n  invoke_softirq kernel/softirq.c:435 [inline]\n  __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662\n  irq_exit_rcu+0x9/0x30 kernel/softirq.c:678\n  instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]\n  sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049\n \u003c/IRQ\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:42.210Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/52f5aff33ca73b2c2fa93f40a3de308012e63cf4"
        },
        {
          "url": "https://git.kernel.org/stable/c/0d5bca3be27bfcf8f980f2fed49b6cbb7dafe4a1"
        },
        {
          "url": "https://git.kernel.org/stable/c/1409b45d4690308c502c6caf22f01c3c205b4717"
        },
        {
          "url": "https://git.kernel.org/stable/c/f55c88e3ca5939a6a8a329024aed8f3d98eea8e4"
        },
        {
          "url": "https://git.kernel.org/stable/c/51c128ba038cf1b79d605cbee325919b45ab95a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/1992fb261c90e9827cf5dc3115d89bb0853252c9"
        },
        {
          "url": "https://git.kernel.org/stable/c/58051a284ac18a3bb815aac6289a679903ddcc3f"
        },
        {
          "url": "https://git.kernel.org/stable/c/5de7665e0a0746b5ad7943554b34db8f8614a196"
        }
      ],
      "title": "net: rose: fix timer races against user threads",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21718",
    "datePublished": "2025-02-27T02:07:27.971Z",
    "dateReserved": "2024-12-29T08:45:45.753Z",
    "dateUpdated": "2025-11-03T19:36:13.575Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40329 (GCVE-0-2025-40329)

Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2025-12-09 04:09

Title

drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb The Mesa issue referenced below pointed out a possible deadlock: [ 1231.611031] Possible interrupt unsafe locking scenario: [ 1231.611033] CPU0 CPU1 [ 1231.611034] ---- ---- [ 1231.611035] lock(&xa->xa_lock#17); [ 1231.611038] local_irq_disable(); [ 1231.611039] lock(&fence->lock); [ 1231.611041] lock(&xa->xa_lock#17); [ 1231.611044] <Interrupt> [ 1231.611045] lock(&fence->lock); [ 1231.611047] *** DEADLOCK *** In this example, CPU0 would be any function accessing job->dependencies through the xa_* functions that don't disable interrupts (eg: drm_sched_job_add_dependency(), drm_sched_entity_kill_jobs_cb()). CPU1 is executing drm_sched_entity_kill_jobs_cb() as a fence signalling callback so in an interrupt context. It will deadlock when trying to grab the xa_lock which is already held by CPU0. Replacing all xa_* usage by their xa_*_irq counterparts would fix this issue, but Christian pointed out another issue: dma_fence_signal takes fence.lock and so does dma_fence_add_callback. dma_fence_signal() // locks f1.lock -> drm_sched_entity_kill_jobs_cb() -> foreach dependencies -> dma_fence_add_callback() // locks f2.lock This will deadlock if f1 and f2 share the same spinlock. To fix both issues, the code iterating on dependencies and re-arming them is moved out to drm_sched_entity_kill_jobs_work(). [phasta: commit message nits]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/70150b9443dddf021…
	https://git.kernel.org/stable/c/0d63031ee4a57be02…
	https://git.kernel.org/stable/c/3e8ada4fd838e3fd2…
	https://git.kernel.org/stable/c/487df8b698345dd5a…

Impacted products

Vendor

Product

Version

Linux

Affected: 2fdb8a8f07c2f1353770a324fd19b8114e4329ac , < 70150b9443dddf02157d821c68abf438f55a2e8e (git)
Affected: 2fdb8a8f07c2f1353770a324fd19b8114e4329ac , < 0d63031ee4a57be0252cb9a4e09ae921c75cece9 (git)
Affected: 2fdb8a8f07c2f1353770a324fd19b8114e4329ac , < 3e8ada4fd838e3fd2cca94000dac054f3a347c01 (git)
Affected: 2fdb8a8f07c2f1353770a324fd19b8114e4329ac , < 487df8b698345dd5a91346335f05170ed5f29d4e (git)

Linux

Affected: 6.2
Unaffected: 0 , < 6.2 (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/scheduler/sched_entity.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "70150b9443dddf02157d821c68abf438f55a2e8e",
              "status": "affected",
              "version": "2fdb8a8f07c2f1353770a324fd19b8114e4329ac",
              "versionType": "git"
            },
            {
              "lessThan": "0d63031ee4a57be0252cb9a4e09ae921c75cece9",
              "status": "affected",
              "version": "2fdb8a8f07c2f1353770a324fd19b8114e4329ac",
              "versionType": "git"
            },
            {
              "lessThan": "3e8ada4fd838e3fd2cca94000dac054f3a347c01",
              "status": "affected",
              "version": "2fdb8a8f07c2f1353770a324fd19b8114e4329ac",
              "versionType": "git"
            },
            {
              "lessThan": "487df8b698345dd5a91346335f05170ed5f29d4e",
              "status": "affected",
              "version": "2fdb8a8f07c2f1353770a324fd19b8114e4329ac",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/scheduler/sched_entity.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb\n\nThe Mesa issue referenced below pointed out a possible deadlock:\n\n[ 1231.611031]  Possible interrupt unsafe locking scenario:\n\n[ 1231.611033]        CPU0                    CPU1\n[ 1231.611034]        ----                    ----\n[ 1231.611035]   lock(\u0026xa-\u003exa_lock#17);\n[ 1231.611038]                                local_irq_disable();\n[ 1231.611039]                                lock(\u0026fence-\u003elock);\n[ 1231.611041]                                lock(\u0026xa-\u003exa_lock#17);\n[ 1231.611044]   \u003cInterrupt\u003e\n[ 1231.611045]     lock(\u0026fence-\u003elock);\n[ 1231.611047]\n                *** DEADLOCK ***\n\nIn this example, CPU0 would be any function accessing job-\u003edependencies\nthrough the xa_* functions that don\u0027t disable interrupts (eg:\ndrm_sched_job_add_dependency(), drm_sched_entity_kill_jobs_cb()).\n\nCPU1 is executing drm_sched_entity_kill_jobs_cb() as a fence signalling\ncallback so in an interrupt context. It will deadlock when trying to\ngrab the xa_lock which is already held by CPU0.\n\nReplacing all xa_* usage by their xa_*_irq counterparts would fix\nthis issue, but Christian pointed out another issue: dma_fence_signal\ntakes fence.lock and so does dma_fence_add_callback.\n\n  dma_fence_signal() // locks f1.lock\n  -\u003e drm_sched_entity_kill_jobs_cb()\n  -\u003e foreach dependencies\n     -\u003e dma_fence_add_callback() // locks f2.lock\n\nThis will deadlock if f1 and f2 share the same spinlock.\n\nTo fix both issues, the code iterating on dependencies and re-arming them\nis moved out to drm_sched_entity_kill_jobs_work().\n\n[phasta: commit message nits]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T04:09:46.156Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/70150b9443dddf02157d821c68abf438f55a2e8e"
        },
        {
          "url": "https://git.kernel.org/stable/c/0d63031ee4a57be0252cb9a4e09ae921c75cece9"
        },
        {
          "url": "https://git.kernel.org/stable/c/3e8ada4fd838e3fd2cca94000dac054f3a347c01"
        },
        {
          "url": "https://git.kernel.org/stable/c/487df8b698345dd5a91346335f05170ed5f29d4e"
        }
      ],
      "title": "drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40329",
    "datePublished": "2025-12-09T04:09:46.156Z",
    "dateReserved": "2025-04-16T07:20:57.186Z",
    "dateUpdated": "2025-12-09T04:09:46.156Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68354 (GCVE-0-2025-68354)

Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-01-19 12:18

Title

regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex

Summary

In the Linux kernel, the following vulnerability has been resolved: regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex regulator_supply_alias_list was accessed without any locking in regulator_supply_alias(), regulator_register_supply_alias(), and regulator_unregister_supply_alias(). Concurrent registration, unregistration and lookups can race, leading to: 1 use-after-free if an alias entry is removed while being read, 2 duplicate entries when two threads register the same alias, 3 inconsistent alias mappings observed by consumers. Protect all traversals, insertions and deletions on regulator_supply_alias_list with the existing regulator_list_mutex.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e1587064137028e7e…
	https://git.kernel.org/stable/c/9d041a7ba13f21adf…
	https://git.kernel.org/stable/c/a63fbc07d1b34a982…
	https://git.kernel.org/stable/c/09811a83b214cc155…
	https://git.kernel.org/stable/c/a9864d42ebcdd394e…
	https://git.kernel.org/stable/c/431a1d44ad4866362…
	https://git.kernel.org/stable/c/64099b5c0aeb70bc7…
	https://git.kernel.org/stable/c/0cc15a10c3b4ab14c…

Impacted products

Vendor

Product

Version

Linux

Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < e1587064137028e7edcca14fb766b68d27bec94b (git)
Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < 9d041a7ba13f21adfac052eb3fda1df62f2166c1 (git)
Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < a63fbc07d1b34a9821ea3b31ff4e6456f9d0aa61 (git)
Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < 09811a83b214cc15521e0d818e43ae9043e9a28d (git)
Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < a9864d42ebcdd394ebb864643b961b36e7b515be (git)
Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < 431a1d44ad4866362cc28fc1cc4ca93d84989239 (git)
Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < 64099b5c0aeb70bc7cd5556eb7f59c5b4a5010bf (git)
Affected: a06ccd9c3785fa5550917ae036944f4e080b5749 , < 0cc15a10c3b4ab14cd71b779fd5c9ca0cb2bc30d (git)

Linux

Affected: 3.13
Unaffected: 0 , < 3.13 (semver)
Unaffected: 5.10.248 , ≤ 5.10.* (semver)
Unaffected: 5.15.198 , ≤ 5.15.* (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.63 , ≤ 6.12.* (semver)
Unaffected: 6.17.13 , ≤ 6.17.* (semver)
Unaffected: 6.18.2 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/regulator/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e1587064137028e7edcca14fb766b68d27bec94b",
              "status": "affected",
              "version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
              "versionType": "git"
            },
            {
              "lessThan": "9d041a7ba13f21adfac052eb3fda1df62f2166c1",
              "status": "affected",
              "version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
              "versionType": "git"
            },
            {
              "lessThan": "a63fbc07d1b34a9821ea3b31ff4e6456f9d0aa61",
              "status": "affected",
              "version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
              "versionType": "git"
            },
            {
              "lessThan": "09811a83b214cc15521e0d818e43ae9043e9a28d",
              "status": "affected",
              "version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
              "versionType": "git"
            },
            {
              "lessThan": "a9864d42ebcdd394ebb864643b961b36e7b515be",
              "status": "affected",
              "version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
              "versionType": "git"
            },
            {
              "lessThan": "431a1d44ad4866362cc28fc1cc4ca93d84989239",
              "status": "affected",
              "version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
              "versionType": "git"
            },
            {
              "lessThan": "64099b5c0aeb70bc7cd5556eb7f59c5b4a5010bf",
              "status": "affected",
              "version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
              "versionType": "git"
            },
            {
              "lessThan": "0cc15a10c3b4ab14cd71b779fd5c9ca0cb2bc30d",
              "status": "affected",
              "version": "a06ccd9c3785fa5550917ae036944f4e080b5749",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/regulator/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.13"
            },
            {
              "lessThan": "3.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.248",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.63",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.248",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.198",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.63",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.13",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.2",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregulator: core: Protect regulator_supply_alias_list with regulator_list_mutex\n\nregulator_supply_alias_list was accessed without any locking in\nregulator_supply_alias(), regulator_register_supply_alias(), and\nregulator_unregister_supply_alias(). Concurrent registration,\nunregistration and lookups can race, leading to:\n\n1 use-after-free if an alias entry is removed while being read,\n2 duplicate entries when two threads register the same alias,\n3 inconsistent alias mappings observed by consumers.\n\nProtect all traversals, insertions and deletions on\nregulator_supply_alias_list with the existing regulator_list_mutex."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-19T12:18:27.299Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e1587064137028e7edcca14fb766b68d27bec94b"
        },
        {
          "url": "https://git.kernel.org/stable/c/9d041a7ba13f21adfac052eb3fda1df62f2166c1"
        },
        {
          "url": "https://git.kernel.org/stable/c/a63fbc07d1b34a9821ea3b31ff4e6456f9d0aa61"
        },
        {
          "url": "https://git.kernel.org/stable/c/09811a83b214cc15521e0d818e43ae9043e9a28d"
        },
        {
          "url": "https://git.kernel.org/stable/c/a9864d42ebcdd394ebb864643b961b36e7b515be"
        },
        {
          "url": "https://git.kernel.org/stable/c/431a1d44ad4866362cc28fc1cc4ca93d84989239"
        },
        {
          "url": "https://git.kernel.org/stable/c/64099b5c0aeb70bc7cd5556eb7f59c5b4a5010bf"
        },
        {
          "url": "https://git.kernel.org/stable/c/0cc15a10c3b4ab14cd71b779fd5c9ca0cb2bc30d"
        }
      ],
      "title": "regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68354",
    "datePublished": "2025-12-24T10:32:44.840Z",
    "dateReserved": "2025-12-16T14:48:05.300Z",
    "dateUpdated": "2026-01-19T12:18:27.299Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68732 (GCVE-0-2025-68732)

Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-01-19 12:18

Title

gpu: host1x: Fix race in syncpt alloc/free

Summary

In the Linux kernel, the following vulnerability has been resolved: gpu: host1x: Fix race in syncpt alloc/free Fix race condition between host1x_syncpt_alloc() and host1x_syncpt_put() by using kref_put_mutex() instead of kref_put() + manual mutex locking. This ensures no thread can acquire the syncpt_mutex after the refcount drops to zero but before syncpt_release acquires it. This prevents races where syncpoints could be allocated while still being cleaned up from a previous release. Remove explicit mutex locking in syncpt_release as kref_put_mutex() handles this atomically.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ca9388fba50dac2eb…
	https://git.kernel.org/stable/c/4aeaece518fa4436a…
	https://git.kernel.org/stable/c/6245cce711e2cdb2c…
	https://git.kernel.org/stable/c/4e6e07ce0197aecfb…
	https://git.kernel.org/stable/c/d138f73ffb0c57ded…
	https://git.kernel.org/stable/c/79197c6007f2afbfd…
	https://git.kernel.org/stable/c/c7d393267c497502f…

Impacted products

Vendor

Product

Version

Linux

Affected: f5ba33fb9690566c382624637125827b5512e766 , < ca9388fba50dac2eb71c13702b7022a801bef90e (git)
Affected: f5ba33fb9690566c382624637125827b5512e766 , < 4aeaece518fa4436af93d1d8b786200d9656ff4b (git)
Affected: f5ba33fb9690566c382624637125827b5512e766 , < 6245cce711e2cdb2cc75c0bb8632952e36f8c972 (git)
Affected: f5ba33fb9690566c382624637125827b5512e766 , < 4e6e07ce0197aecfb6c4a62862acc93b3efedeb7 (git)
Affected: f5ba33fb9690566c382624637125827b5512e766 , < d138f73ffb0c57ded473c577719e6e551b7b1f27 (git)
Affected: f5ba33fb9690566c382624637125827b5512e766 , < 79197c6007f2afbfd7bcf5b9b80ccabf8483d774 (git)
Affected: f5ba33fb9690566c382624637125827b5512e766 , < c7d393267c497502fa737607f435f05dfe6e3d9b (git)

Linux

Affected: 5.13
Unaffected: 0 , < 5.13 (semver)
Unaffected: 5.15.198 , ≤ 5.15.* (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.63 , ≤ 6.12.* (semver)
Unaffected: 6.17.13 , ≤ 6.17.* (semver)
Unaffected: 6.18.2 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/host1x/syncpt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ca9388fba50dac2eb71c13702b7022a801bef90e",
              "status": "affected",
              "version": "f5ba33fb9690566c382624637125827b5512e766",
              "versionType": "git"
            },
            {
              "lessThan": "4aeaece518fa4436af93d1d8b786200d9656ff4b",
              "status": "affected",
              "version": "f5ba33fb9690566c382624637125827b5512e766",
              "versionType": "git"
            },
            {
              "lessThan": "6245cce711e2cdb2cc75c0bb8632952e36f8c972",
              "status": "affected",
              "version": "f5ba33fb9690566c382624637125827b5512e766",
              "versionType": "git"
            },
            {
              "lessThan": "4e6e07ce0197aecfb6c4a62862acc93b3efedeb7",
              "status": "affected",
              "version": "f5ba33fb9690566c382624637125827b5512e766",
              "versionType": "git"
            },
            {
              "lessThan": "d138f73ffb0c57ded473c577719e6e551b7b1f27",
              "status": "affected",
              "version": "f5ba33fb9690566c382624637125827b5512e766",
              "versionType": "git"
            },
            {
              "lessThan": "79197c6007f2afbfd7bcf5b9b80ccabf8483d774",
              "status": "affected",
              "version": "f5ba33fb9690566c382624637125827b5512e766",
              "versionType": "git"
            },
            {
              "lessThan": "c7d393267c497502fa737607f435f05dfe6e3d9b",
              "status": "affected",
              "version": "f5ba33fb9690566c382624637125827b5512e766",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/host1x/syncpt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.63",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.198",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.63",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.13",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.2",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpu: host1x: Fix race in syncpt alloc/free\n\nFix race condition between host1x_syncpt_alloc()\nand host1x_syncpt_put() by using kref_put_mutex()\ninstead of kref_put() + manual mutex locking.\n\nThis ensures no thread can acquire the\nsyncpt_mutex after the refcount drops to zero\nbut before syncpt_release acquires it.\nThis prevents races where syncpoints could\nbe allocated while still being cleaned up\nfrom a previous release.\n\nRemove explicit mutex locking in syncpt_release\nas kref_put_mutex() handles this atomically."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-19T12:18:39.034Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ca9388fba50dac2eb71c13702b7022a801bef90e"
        },
        {
          "url": "https://git.kernel.org/stable/c/4aeaece518fa4436af93d1d8b786200d9656ff4b"
        },
        {
          "url": "https://git.kernel.org/stable/c/6245cce711e2cdb2cc75c0bb8632952e36f8c972"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e6e07ce0197aecfb6c4a62862acc93b3efedeb7"
        },
        {
          "url": "https://git.kernel.org/stable/c/d138f73ffb0c57ded473c577719e6e551b7b1f27"
        },
        {
          "url": "https://git.kernel.org/stable/c/79197c6007f2afbfd7bcf5b9b80ccabf8483d774"
        },
        {
          "url": "https://git.kernel.org/stable/c/c7d393267c497502fa737607f435f05dfe6e3d9b"
        }
      ],
      "title": "gpu: host1x: Fix race in syncpt alloc/free",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68732",
    "datePublished": "2025-12-24T10:33:14.664Z",
    "dateReserved": "2025-12-24T10:30:51.028Z",
    "dateUpdated": "2026-01-19T12:18:39.034Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-54242 (GCVE-0-2023-54242)

Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2026-01-05 11:36

Title

block, bfq: Fix division by zero error on zero wsum

Summary

In the Linux kernel, the following vulnerability has been resolved: block, bfq: Fix division by zero error on zero wsum When the weighted sum is zero the calculation of limit causes a division by zero error. Fix this by continuing to the next level. This was discovered by running as root: stress-ng --ioprio 0 Fixes divison by error oops: [ 521.450556] divide error: 0000 [#1] SMP NOPTI [ 521.450766] CPU: 2 PID: 2684464 Comm: stress-ng-iopri Not tainted 6.2.1-1280.native #1 [ 521.451117] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014 [ 521.451627] RIP: 0010:bfqq_request_over_limit+0x207/0x400 [ 521.451875] Code: 01 48 8d 0c c8 74 0b 48 8b 82 98 00 00 00 48 8d 0c c8 8b 85 34 ff ff ff 48 89 ca 41 0f af 41 50 48 d1 ea 48 98 48 01 d0 31 d2 <48> f7 f1 41 39 41 48 89 85 34 ff ff ff 0f 8c 7b 01 00 00 49 8b 44 [ 521.452699] RSP: 0018:ffffb1af84eb3948 EFLAGS: 00010046 [ 521.452938] RAX: 000000000000003c RBX: 0000000000000000 RCX: 0000000000000000 [ 521.453262] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffb1af84eb3978 [ 521.453584] RBP: ffffb1af84eb3a30 R08: 0000000000000001 R09: ffff8f88ab8a4ba0 [ 521.453905] R10: 0000000000000000 R11: 0000000000000001 R12: ffff8f88ab8a4b18 [ 521.454224] R13: ffff8f8699093000 R14: 0000000000000001 R15: ffffb1af84eb3970 [ 521.454549] FS: 00005640b6b0b580(0000) GS:ffff8f88b3880000(0000) knlGS:0000000000000000 [ 521.454912] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 521.455170] CR2: 00007ffcbcae4e38 CR3: 00000002e46de001 CR4: 0000000000770ee0 [ 521.455491] PKRU: 55555554 [ 521.455619] Call Trace: [ 521.455736] <TASK> [ 521.455837] ? bfq_request_merge+0x3a/0xc0 [ 521.456027] ? elv_merge+0x115/0x140 [ 521.456191] bfq_limit_depth+0xc8/0x240 [ 521.456366] __blk_mq_alloc_requests+0x21a/0x2c0 [ 521.456577] blk_mq_submit_bio+0x23c/0x6c0 [ 521.456766] __submit_bio+0xb8/0x140 [ 521.457236] submit_bio_noacct_nocheck+0x212/0x300 [ 521.457748] submit_bio_noacct+0x1a6/0x580 [ 521.458220] submit_bio+0x43/0x80 [ 521.458660] ext4_io_submit+0x23/0x80 [ 521.459116] ext4_do_writepages+0x40a/0xd00 [ 521.459596] ext4_writepages+0x65/0x100 [ 521.460050] do_writepages+0xb7/0x1c0 [ 521.460492] __filemap_fdatawrite_range+0xa6/0x100 [ 521.460979] file_write_and_wait_range+0xbf/0x140 [ 521.461452] ext4_sync_file+0x105/0x340 [ 521.461882] __x64_sys_fsync+0x67/0x100 [ 521.462305] ? syscall_exit_to_user_mode+0x2c/0x1c0 [ 521.462768] do_syscall_64+0x3b/0xc0 [ 521.463165] entry_SYSCALL_64_after_hwframe+0x5a/0xc4 [ 521.463621] RIP: 0033:0x5640b6c56590 [ 521.464006] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 80 3d 71 70 0e 00 00 74 17 b8 4a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/1655cfc85250a224b…
	https://git.kernel.org/stable/c/c0346a59d71946124…
	https://git.kernel.org/stable/c/e53413f8deedf738a…

Impacted products

Vendor

Product

Version

Linux

Affected: 76f1df88bbc2f984eb0418cc90de0a8384e63604 , < 1655cfc85250a224b0d9486c8136baeea33b9b5c (git)
Affected: 76f1df88bbc2f984eb0418cc90de0a8384e63604 , < c0346a59d719461248c6dc6f21c9e55ef836b66f (git)
Affected: 76f1df88bbc2f984eb0418cc90de0a8384e63604 , < e53413f8deedf738a6782cc14cc00bd5852ccf18 (git)

Linux

Affected: 5.17
Unaffected: 0 , < 5.17 (semver)
Unaffected: 6.1.30 , ≤ 6.1.* (semver)
Unaffected: 6.3.4 , ≤ 6.3.* (semver)
Unaffected: 6.4 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "block/bfq-iosched.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1655cfc85250a224b0d9486c8136baeea33b9b5c",
              "status": "affected",
              "version": "76f1df88bbc2f984eb0418cc90de0a8384e63604",
              "versionType": "git"
            },
            {
              "lessThan": "c0346a59d719461248c6dc6f21c9e55ef836b66f",
              "status": "affected",
              "version": "76f1df88bbc2f984eb0418cc90de0a8384e63604",
              "versionType": "git"
            },
            {
              "lessThan": "e53413f8deedf738a6782cc14cc00bd5852ccf18",
              "status": "affected",
              "version": "76f1df88bbc2f984eb0418cc90de0a8384e63604",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "block/bfq-iosched.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.17"
            },
            {
              "lessThan": "5.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.3.*",
              "status": "unaffected",
              "version": "6.3.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.4",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.30",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3.4",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: Fix division by zero error on zero wsum\n\nWhen the weighted sum is zero the calculation of limit causes\na division by zero error. Fix this by continuing to the next level.\n\nThis was discovered by running as root:\n\nstress-ng --ioprio 0\n\nFixes divison by error oops:\n\n[  521.450556] divide error: 0000 [#1] SMP NOPTI\n[  521.450766] CPU: 2 PID: 2684464 Comm: stress-ng-iopri Not tainted 6.2.1-1280.native #1\n[  521.451117] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014\n[  521.451627] RIP: 0010:bfqq_request_over_limit+0x207/0x400\n[  521.451875] Code: 01 48 8d 0c c8 74 0b 48 8b 82 98 00 00 00 48 8d 0c c8 8b 85 34 ff ff ff 48 89 ca 41 0f af 41 50 48 d1 ea 48 98 48 01 d0 31 d2 \u003c48\u003e f7 f1 41 39 41 48 89 85 34 ff ff ff 0f 8c 7b 01 00 00 49 8b 44\n[  521.452699] RSP: 0018:ffffb1af84eb3948 EFLAGS: 00010046\n[  521.452938] RAX: 000000000000003c RBX: 0000000000000000 RCX: 0000000000000000\n[  521.453262] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffb1af84eb3978\n[  521.453584] RBP: ffffb1af84eb3a30 R08: 0000000000000001 R09: ffff8f88ab8a4ba0\n[  521.453905] R10: 0000000000000000 R11: 0000000000000001 R12: ffff8f88ab8a4b18\n[  521.454224] R13: ffff8f8699093000 R14: 0000000000000001 R15: ffffb1af84eb3970\n[  521.454549] FS:  00005640b6b0b580(0000) GS:ffff8f88b3880000(0000) knlGS:0000000000000000\n[  521.454912] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  521.455170] CR2: 00007ffcbcae4e38 CR3: 00000002e46de001 CR4: 0000000000770ee0\n[  521.455491] PKRU: 55555554\n[  521.455619] Call Trace:\n[  521.455736]  \u003cTASK\u003e\n[  521.455837]  ? bfq_request_merge+0x3a/0xc0\n[  521.456027]  ? elv_merge+0x115/0x140\n[  521.456191]  bfq_limit_depth+0xc8/0x240\n[  521.456366]  __blk_mq_alloc_requests+0x21a/0x2c0\n[  521.456577]  blk_mq_submit_bio+0x23c/0x6c0\n[  521.456766]  __submit_bio+0xb8/0x140\n[  521.457236]  submit_bio_noacct_nocheck+0x212/0x300\n[  521.457748]  submit_bio_noacct+0x1a6/0x580\n[  521.458220]  submit_bio+0x43/0x80\n[  521.458660]  ext4_io_submit+0x23/0x80\n[  521.459116]  ext4_do_writepages+0x40a/0xd00\n[  521.459596]  ext4_writepages+0x65/0x100\n[  521.460050]  do_writepages+0xb7/0x1c0\n[  521.460492]  __filemap_fdatawrite_range+0xa6/0x100\n[  521.460979]  file_write_and_wait_range+0xbf/0x140\n[  521.461452]  ext4_sync_file+0x105/0x340\n[  521.461882]  __x64_sys_fsync+0x67/0x100\n[  521.462305]  ? syscall_exit_to_user_mode+0x2c/0x1c0\n[  521.462768]  do_syscall_64+0x3b/0xc0\n[  521.463165]  entry_SYSCALL_64_after_hwframe+0x5a/0xc4\n[  521.463621] RIP: 0033:0x5640b6c56590\n[  521.464006] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 80 3d 71 70 0e 00 00 74 17 b8 4a 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-05T11:36:58.701Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1655cfc85250a224b0d9486c8136baeea33b9b5c"
        },
        {
          "url": "https://git.kernel.org/stable/c/c0346a59d719461248c6dc6f21c9e55ef836b66f"
        },
        {
          "url": "https://git.kernel.org/stable/c/e53413f8deedf738a6782cc14cc00bd5852ccf18"
        }
      ],
      "title": "block, bfq: Fix division by zero error on zero wsum",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-54242",
    "datePublished": "2025-12-30T12:11:30.503Z",
    "dateReserved": "2025-12-30T12:06:44.510Z",
    "dateUpdated": "2026-01-05T11:36:58.701Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40274 (GCVE-0-2025-40274)

Vulnerability from cvelistv5 – Published: 2025-12-06 21:50 – Updated: 2025-12-06 21:50

Title

KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying

Summary

In the Linux kernel, the following vulnerability has been resolved: KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying When unbinding a memslot from a guest_memfd instance, remove the bindings even if the guest_memfd file is dying, i.e. even if its file refcount has gone to zero. If the memslot is freed before the file is fully released, nullifying the memslot side of the binding in kvm_gmem_release() will write to freed memory, as detected by syzbot+KASAN: ================================================================== BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353 Write of size 8 at addr ffff88807befa508 by task syz.0.17/6022 CPU: 0 UID: 0 PID: 6022 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353 __fput+0x44c/0xa70 fs/file_table.c:468 task_work_run+0x1d4/0x260 kernel/task_work.c:227 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline] do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fbeeff8efc9 </TASK> Allocated by task 6023: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 poison_kmalloc_redzone mm/kasan/common.c:397 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:414 kasan_kmalloc include/linux/kasan.h:262 [inline] __kmalloc_cache_noprof+0x3e2/0x700 mm/slub.c:5758 kmalloc_noprof include/linux/slab.h:957 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] kvm_set_memory_region+0x747/0xb90 virt/kvm/kvm_main.c:2104 kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154 kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 6023: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:252 [inline] __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284 kasan_slab_free include/linux/kasan.h:234 [inline] slab_free_hook mm/slub.c:2533 [inline] slab_free mm/slub.c:6622 [inline] kfree+0x19a/0x6d0 mm/slub.c:6829 kvm_set_memory_region+0x9c4/0xb90 virt/kvm/kvm_main.c:2130 kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154 kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Deliberately don't acquire filemap invalid lock when the file is dying as the lifecycle of f_mapping is outside the purview of KVM. Dereferencing the mapping is *probably* fine, but there's no need to invalidate anything as memslot deletion is responsible for zapping SPTEs, and the only code that can access the dying file is kvm_gmem_release(), whose core code is mutual ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a8ac2bd0f98e1a230…
	https://git.kernel.org/stable/c/393893693a523e053…
	https://git.kernel.org/stable/c/ae431059e75d36170…

Impacted products

Vendor

Product

Version

Linux

Affected: a7800aa80ea4d5356b8474c2302812e9d4926fa6 , < a8ac2bd0f98e1a230f1eb3260fa552bf2ef1753b (git)
Affected: a7800aa80ea4d5356b8474c2302812e9d4926fa6 , < 393893693a523e053f84d69320d090b93503f79f (git)
Affected: a7800aa80ea4d5356b8474c2302812e9d4926fa6 , < ae431059e75d36170a5ae6b44cc4d06d43613215 (git)

Linux

Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.12.59 , ≤ 6.12.* (semver)
Unaffected: 6.17.9 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "virt/kvm/guest_memfd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a8ac2bd0f98e1a230f1eb3260fa552bf2ef1753b",
              "status": "affected",
              "version": "a7800aa80ea4d5356b8474c2302812e9d4926fa6",
              "versionType": "git"
            },
            {
              "lessThan": "393893693a523e053f84d69320d090b93503f79f",
              "status": "affected",
              "version": "a7800aa80ea4d5356b8474c2302812e9d4926fa6",
              "versionType": "git"
            },
            {
              "lessThan": "ae431059e75d36170a5ae6b44cc4d06d43613215",
              "status": "affected",
              "version": "a7800aa80ea4d5356b8474c2302812e9d4926fa6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "virt/kvm/guest_memfd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying\n\nWhen unbinding a memslot from a guest_memfd instance, remove the bindings\neven if the guest_memfd file is dying, i.e. even if its file refcount has\ngone to zero.  If the memslot is freed before the file is fully released,\nnullifying the memslot side of the binding in kvm_gmem_release() will\nwrite to freed memory, as detected by syzbot+KASAN:\n\n  ==================================================================\n  BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353\n  Write of size 8 at addr ffff88807befa508 by task syz.0.17/6022\n\n  CPU: 0 UID: 0 PID: 6022 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)\n  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025\n  Call Trace:\n   \u003cTASK\u003e\n   dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120\n   print_address_description mm/kasan/report.c:378 [inline]\n   print_report+0xca/0x240 mm/kasan/report.c:482\n   kasan_report+0x118/0x150 mm/kasan/report.c:595\n   kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353\n   __fput+0x44c/0xa70 fs/file_table.c:468\n   task_work_run+0x1d4/0x260 kernel/task_work.c:227\n   resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]\n   exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43\n   exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]\n   syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]\n   syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]\n   do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  RIP: 0033:0x7fbeeff8efc9\n   \u003c/TASK\u003e\n\n  Allocated by task 6023:\n   kasan_save_stack mm/kasan/common.c:56 [inline]\n   kasan_save_track+0x3e/0x80 mm/kasan/common.c:77\n   poison_kmalloc_redzone mm/kasan/common.c:397 [inline]\n   __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:414\n   kasan_kmalloc include/linux/kasan.h:262 [inline]\n   __kmalloc_cache_noprof+0x3e2/0x700 mm/slub.c:5758\n   kmalloc_noprof include/linux/slab.h:957 [inline]\n   kzalloc_noprof include/linux/slab.h:1094 [inline]\n   kvm_set_memory_region+0x747/0xb90 virt/kvm/kvm_main.c:2104\n   kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154\n   kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:597 [inline]\n   __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583\n   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n  Freed by task 6023:\n   kasan_save_stack mm/kasan/common.c:56 [inline]\n   kasan_save_track+0x3e/0x80 mm/kasan/common.c:77\n   kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584\n   poison_slab_object mm/kasan/common.c:252 [inline]\n   __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284\n   kasan_slab_free include/linux/kasan.h:234 [inline]\n   slab_free_hook mm/slub.c:2533 [inline]\n   slab_free mm/slub.c:6622 [inline]\n   kfree+0x19a/0x6d0 mm/slub.c:6829\n   kvm_set_memory_region+0x9c4/0xb90 virt/kvm/kvm_main.c:2130\n   kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154\n   kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201\n   vfs_ioctl fs/ioctl.c:51 [inline]\n   __do_sys_ioctl fs/ioctl.c:597 [inline]\n   __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583\n   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nDeliberately don\u0027t acquire filemap invalid lock when the file is dying as\nthe lifecycle of f_mapping is outside the purview of KVM.  Dereferencing\nthe mapping is *probably* fine, but there\u0027s no need to invalidate anything\nas memslot deletion is responsible for zapping SPTEs, and the only code\nthat can access the dying file is kvm_gmem_release(), whose core code is\nmutual\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-06T21:50:56.832Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a8ac2bd0f98e1a230f1eb3260fa552bf2ef1753b"
        },
        {
          "url": "https://git.kernel.org/stable/c/393893693a523e053f84d69320d090b93503f79f"
        },
        {
          "url": "https://git.kernel.org/stable/c/ae431059e75d36170a5ae6b44cc4d06d43613215"
        }
      ],
      "title": "KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40274",
    "datePublished": "2025-12-06T21:50:56.832Z",
    "dateReserved": "2025-04-16T07:20:57.184Z",
    "dateUpdated": "2025-12-06T21:50:56.832Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50623 (GCVE-0-2022-50623)

Vulnerability from cvelistv5 – Published: 2025-12-08 01:16 – Updated: 2025-12-08 01:16

Title

fpga: prevent integer overflow in dfl_feature_ioctl_set_irq()

Summary

In the Linux kernel, the following vulnerability has been resolved: fpga: prevent integer overflow in dfl_feature_ioctl_set_irq() The "hdr.count * sizeof(s32)" multiplication can overflow on 32 bit systems leading to memory corruption. Use array_size() to fix that.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f59861946fa51bcc1…
	https://git.kernel.org/stable/c/b94605f5cb99e90c8…
	https://git.kernel.org/stable/c/1b5a931594f7ffd26…
	https://git.kernel.org/stable/c/940253af8b3865b76…
	https://git.kernel.org/stable/c/939bc5453b8cbdde9…

Impacted products

Vendor

Product

Version

Linux

Affected: 322b598be4d9b9090cda560c4caab78704615ab4 , < f59861946fa51bcc1f305809e4ebc1013b0ee61c (git)
Affected: 322b598be4d9b9090cda560c4caab78704615ab4 , < b94605f5cb99e90c8ca91523597a40e1bd59546b (git)
Affected: 322b598be4d9b9090cda560c4caab78704615ab4 , < 1b5a931594f7ffd26d706614c37d4da0f2ffb6e7 (git)
Affected: 322b598be4d9b9090cda560c4caab78704615ab4 , < 940253af8b3865b76de8d1b46bcd4a700104852e (git)
Affected: 322b598be4d9b9090cda560c4caab78704615ab4 , < 939bc5453b8cbdde9f1e5110ce8309aedb1b501a (git)

Linux

Affected: 5.9
Unaffected: 0 , < 5.9 (semver)
Unaffected: 5.10.150 , ≤ 5.10.* (semver)
Unaffected: 5.15.75 , ≤ 5.15.* (semver)
Unaffected: 5.19.17 , ≤ 5.19.* (semver)
Unaffected: 6.0.3 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/fpga/dfl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f59861946fa51bcc1f305809e4ebc1013b0ee61c",
              "status": "affected",
              "version": "322b598be4d9b9090cda560c4caab78704615ab4",
              "versionType": "git"
            },
            {
              "lessThan": "b94605f5cb99e90c8ca91523597a40e1bd59546b",
              "status": "affected",
              "version": "322b598be4d9b9090cda560c4caab78704615ab4",
              "versionType": "git"
            },
            {
              "lessThan": "1b5a931594f7ffd26d706614c37d4da0f2ffb6e7",
              "status": "affected",
              "version": "322b598be4d9b9090cda560c4caab78704615ab4",
              "versionType": "git"
            },
            {
              "lessThan": "940253af8b3865b76de8d1b46bcd4a700104852e",
              "status": "affected",
              "version": "322b598be4d9b9090cda560c4caab78704615ab4",
              "versionType": "git"
            },
            {
              "lessThan": "939bc5453b8cbdde9f1e5110ce8309aedb1b501a",
              "status": "affected",
              "version": "322b598be4d9b9090cda560c4caab78704615ab4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/fpga/dfl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.9"
            },
            {
              "lessThan": "5.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.150",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.75",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfpga: prevent integer overflow in dfl_feature_ioctl_set_irq()\n\nThe \"hdr.count * sizeof(s32)\" multiplication can overflow on 32 bit\nsystems leading to memory corruption.  Use array_size() to fix that."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-08T01:16:37.086Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f59861946fa51bcc1f305809e4ebc1013b0ee61c"
        },
        {
          "url": "https://git.kernel.org/stable/c/b94605f5cb99e90c8ca91523597a40e1bd59546b"
        },
        {
          "url": "https://git.kernel.org/stable/c/1b5a931594f7ffd26d706614c37d4da0f2ffb6e7"
        },
        {
          "url": "https://git.kernel.org/stable/c/940253af8b3865b76de8d1b46bcd4a700104852e"
        },
        {
          "url": "https://git.kernel.org/stable/c/939bc5453b8cbdde9f1e5110ce8309aedb1b501a"
        }
      ],
      "title": "fpga: prevent integer overflow in dfl_feature_ioctl_set_irq()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50623",
    "datePublished": "2025-12-08T01:16:37.086Z",
    "dateReserved": "2025-12-08T01:14:55.190Z",
    "dateUpdated": "2025-12-08T01:16:37.086Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40284 (GCVE-0-2025-40284)

Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2025-12-06 21:51

Title

Bluetooth: MGMT: cancel mesh send timer when hdev removed

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: cancel mesh send timer when hdev removed mesh_send_done timer is not canceled when hdev is removed, which causes crash if the timer triggers after hdev is gone. Cancel the timer when MGMT removes the hdev, like other MGMT timers. Should fix the BUG: sporadically seen by BlueZ test bot (in "Mesh - Send cancel - 1" test). Log: ------ BUG: KASAN: slab-use-after-free in run_timer_softirq+0x76b/0x7d0 ... Freed by task 36: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 __kasan_save_free_info+0x3a/0x60 __kasan_slab_free+0x43/0x70 kfree+0x103/0x500 device_release+0x9a/0x210 kobject_put+0x100/0x1e0 vhci_release+0x18b/0x240 ------

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/990e6143b0ca0c66f…
	https://git.kernel.org/stable/c/2927ff643607eddf4…
	https://git.kernel.org/stable/c/7b6b6c077cad0601d…
	https://git.kernel.org/stable/c/fd62ca5ad136dcf6f…
	https://git.kernel.org/stable/c/55fb52ffdd62850d6…

Impacted products

Vendor

Product

Version

Linux

Affected: b338d91703fae6f6afd67f3f75caa3b8f36ddef3 , < 990e6143b0ca0c66f099d67d00c112bf59b30d76 (git)
Affected: b338d91703fae6f6afd67f3f75caa3b8f36ddef3 , < 2927ff643607eddf4f03d10ef80fe10d977154aa (git)
Affected: b338d91703fae6f6afd67f3f75caa3b8f36ddef3 , < 7b6b6c077cad0601d62c3c34ab7ce3fb25deda7b (git)
Affected: b338d91703fae6f6afd67f3f75caa3b8f36ddef3 , < fd62ca5ad136dcf6f5aa308423b299a6be6f54ea (git)
Affected: b338d91703fae6f6afd67f3f75caa3b8f36ddef3 , < 55fb52ffdd62850d667ebed842815e072d3c9961 (git)

Linux

Affected: 6.1
Unaffected: 0 , < 6.1 (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.59 , ≤ 6.12.* (semver)
Unaffected: 6.17.9 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/mgmt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "990e6143b0ca0c66f099d67d00c112bf59b30d76",
              "status": "affected",
              "version": "b338d91703fae6f6afd67f3f75caa3b8f36ddef3",
              "versionType": "git"
            },
            {
              "lessThan": "2927ff643607eddf4f03d10ef80fe10d977154aa",
              "status": "affected",
              "version": "b338d91703fae6f6afd67f3f75caa3b8f36ddef3",
              "versionType": "git"
            },
            {
              "lessThan": "7b6b6c077cad0601d62c3c34ab7ce3fb25deda7b",
              "status": "affected",
              "version": "b338d91703fae6f6afd67f3f75caa3b8f36ddef3",
              "versionType": "git"
            },
            {
              "lessThan": "fd62ca5ad136dcf6f5aa308423b299a6be6f54ea",
              "status": "affected",
              "version": "b338d91703fae6f6afd67f3f75caa3b8f36ddef3",
              "versionType": "git"
            },
            {
              "lessThan": "55fb52ffdd62850d667ebed842815e072d3c9961",
              "status": "affected",
              "version": "b338d91703fae6f6afd67f3f75caa3b8f36ddef3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/mgmt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.1"
            },
            {
              "lessThan": "6.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: cancel mesh send timer when hdev removed\n\nmesh_send_done timer is not canceled when hdev is removed, which causes\ncrash if the timer triggers after hdev is gone.\n\nCancel the timer when MGMT removes the hdev, like other MGMT timers.\n\nShould fix the BUG: sporadically seen by BlueZ test bot\n(in \"Mesh - Send cancel - 1\" test).\n\nLog:\n------\nBUG: KASAN: slab-use-after-free in run_timer_softirq+0x76b/0x7d0\n...\nFreed by task 36:\n kasan_save_stack+0x24/0x50\n kasan_save_track+0x14/0x30\n __kasan_save_free_info+0x3a/0x60\n __kasan_slab_free+0x43/0x70\n kfree+0x103/0x500\n device_release+0x9a/0x210\n kobject_put+0x100/0x1e0\n vhci_release+0x18b/0x240\n------"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-06T21:51:08.488Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/990e6143b0ca0c66f099d67d00c112bf59b30d76"
        },
        {
          "url": "https://git.kernel.org/stable/c/2927ff643607eddf4f03d10ef80fe10d977154aa"
        },
        {
          "url": "https://git.kernel.org/stable/c/7b6b6c077cad0601d62c3c34ab7ce3fb25deda7b"
        },
        {
          "url": "https://git.kernel.org/stable/c/fd62ca5ad136dcf6f5aa308423b299a6be6f54ea"
        },
        {
          "url": "https://git.kernel.org/stable/c/55fb52ffdd62850d667ebed842815e072d3c9961"
        }
      ],
      "title": "Bluetooth: MGMT: cancel mesh send timer when hdev removed",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40284",
    "datePublished": "2025-12-06T21:51:08.488Z",
    "dateReserved": "2025-04-16T07:20:57.184Z",
    "dateUpdated": "2025-12-06T21:51:08.488Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68759 (GCVE-0-2025-68759)

Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-01-19 12:18

Title

wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring()

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring() In rtl8180_init_rx_ring(), memory is allocated for skb packets and DMA allocations in a loop. When an allocation fails, the previously successful allocations are not freed on exit. Fix that by jumping to err_free_rings label on error, which calls rtl8180_free_rx_ring() to free the allocations. Remove the free of rx_ring in rtl8180_init_rx_ring() error path, and set the freed priv->rx_buf entry to null, to avoid double free.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/3677c01891fb02393…
	https://git.kernel.org/stable/c/89caaeee8dd95fae8…
	https://git.kernel.org/stable/c/a4fb7cca983737887…
	https://git.kernel.org/stable/c/bf8513dfa31ea015c…
	https://git.kernel.org/stable/c/ee7db11742b30641f…
	https://git.kernel.org/stable/c/a813a74570212cb5f…
	https://git.kernel.org/stable/c/c9d1c4152e6d32fa7…
	https://git.kernel.org/stable/c/9b5b9c042b30befc5…

Impacted products

Vendor

Product

Version

Linux

Affected: f653211197f3841f383fa9757ef8ce182c6cf627 , < 3677c01891fb0239361e444afee8398868e34bdf (git)
Affected: f653211197f3841f383fa9757ef8ce182c6cf627 , < 89caaeee8dd95fae8bb4f4964e6fe3ca688500c4 (git)
Affected: f653211197f3841f383fa9757ef8ce182c6cf627 , < a4fb7cca9837378878e6c94d9e7af019c8fdfcdb (git)
Affected: f653211197f3841f383fa9757ef8ce182c6cf627 , < bf8513dfa31ea015c9cf415796dca2113d293840 (git)
Affected: f653211197f3841f383fa9757ef8ce182c6cf627 , < ee7db11742b30641f21306105ad27a275e3c61d7 (git)
Affected: f653211197f3841f383fa9757ef8ce182c6cf627 , < a813a74570212cb5f3a7d3b05c0cb0cd00bace1d (git)
Affected: f653211197f3841f383fa9757ef8ce182c6cf627 , < c9d1c4152e6d32fa74034464854bee262a60bc43 (git)
Affected: f653211197f3841f383fa9757ef8ce182c6cf627 , < 9b5b9c042b30befc5b37e4539ace95af70843473 (git)

Linux

Affected: 2.6.25
Unaffected: 0 , < 2.6.25 (semver)
Unaffected: 5.10.248 , ≤ 5.10.* (semver)
Unaffected: 5.15.198 , ≤ 5.15.* (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.63 , ≤ 6.12.* (semver)
Unaffected: 6.17.13 , ≤ 6.17.* (semver)
Unaffected: 6.18.2 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3677c01891fb0239361e444afee8398868e34bdf",
              "status": "affected",
              "version": "f653211197f3841f383fa9757ef8ce182c6cf627",
              "versionType": "git"
            },
            {
              "lessThan": "89caaeee8dd95fae8bb4f4964e6fe3ca688500c4",
              "status": "affected",
              "version": "f653211197f3841f383fa9757ef8ce182c6cf627",
              "versionType": "git"
            },
            {
              "lessThan": "a4fb7cca9837378878e6c94d9e7af019c8fdfcdb",
              "status": "affected",
              "version": "f653211197f3841f383fa9757ef8ce182c6cf627",
              "versionType": "git"
            },
            {
              "lessThan": "bf8513dfa31ea015c9cf415796dca2113d293840",
              "status": "affected",
              "version": "f653211197f3841f383fa9757ef8ce182c6cf627",
              "versionType": "git"
            },
            {
              "lessThan": "ee7db11742b30641f21306105ad27a275e3c61d7",
              "status": "affected",
              "version": "f653211197f3841f383fa9757ef8ce182c6cf627",
              "versionType": "git"
            },
            {
              "lessThan": "a813a74570212cb5f3a7d3b05c0cb0cd00bace1d",
              "status": "affected",
              "version": "f653211197f3841f383fa9757ef8ce182c6cf627",
              "versionType": "git"
            },
            {
              "lessThan": "c9d1c4152e6d32fa74034464854bee262a60bc43",
              "status": "affected",
              "version": "f653211197f3841f383fa9757ef8ce182c6cf627",
              "versionType": "git"
            },
            {
              "lessThan": "9b5b9c042b30befc5b37e4539ace95af70843473",
              "status": "affected",
              "version": "f653211197f3841f383fa9757ef8ce182c6cf627",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.25"
            },
            {
              "lessThan": "2.6.25",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.248",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.63",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.248",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.198",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.63",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.13",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.2",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring()\n\nIn rtl8180_init_rx_ring(), memory is allocated for skb packets and DMA\nallocations in a loop. When an allocation fails, the previously\nsuccessful allocations are not freed on exit.\n\nFix that by jumping to err_free_rings label on error, which calls\nrtl8180_free_rx_ring() to free the allocations. Remove the free of\nrx_ring in rtl8180_init_rx_ring() error path, and set the freed\npriv-\u003erx_buf entry to null, to avoid double free."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-19T12:18:46.506Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3677c01891fb0239361e444afee8398868e34bdf"
        },
        {
          "url": "https://git.kernel.org/stable/c/89caaeee8dd95fae8bb4f4964e6fe3ca688500c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/a4fb7cca9837378878e6c94d9e7af019c8fdfcdb"
        },
        {
          "url": "https://git.kernel.org/stable/c/bf8513dfa31ea015c9cf415796dca2113d293840"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee7db11742b30641f21306105ad27a275e3c61d7"
        },
        {
          "url": "https://git.kernel.org/stable/c/a813a74570212cb5f3a7d3b05c0cb0cd00bace1d"
        },
        {
          "url": "https://git.kernel.org/stable/c/c9d1c4152e6d32fa74034464854bee262a60bc43"
        },
        {
          "url": "https://git.kernel.org/stable/c/9b5b9c042b30befc5b37e4539ace95af70843473"
        }
      ],
      "title": "wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68759",
    "datePublished": "2026-01-05T09:32:32.174Z",
    "dateReserved": "2025-12-24T10:30:51.033Z",
    "dateUpdated": "2026-01-19T12:18:46.506Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68765 (GCVE-0-2025-68765)

Vulnerability from cvelistv5 – Published: 2026-01-05 09:44 – Updated: 2026-01-19 12:18

Title

mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add()

Summary

In the Linux kernel, the following vulnerability has been resolved: mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add() In mt7615_mcu_wtbl_sta_add(), an skb sskb is allocated. If the subsequent call to mt76_connac_mcu_alloc_wtbl_req() fails, the function returns an error without freeing sskb, leading to a memory leak. Fix this by calling dev_kfree_skb() on sskb in the error handling path to ensure it is properly released.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d6c91fc732698642f…
	https://git.kernel.org/stable/c/594ff8bb69e239678…
	https://git.kernel.org/stable/c/1c3c234af9407256e…
	https://git.kernel.org/stable/c/278bfed4529a0c9c9…
	https://git.kernel.org/stable/c/fb905e69941b44e03…
	https://git.kernel.org/stable/c/4d42aba0ee49c0aa0…
	https://git.kernel.org/stable/c/53d1548612670aa8b…

Impacted products

Vendor

Product

Version

Linux

Affected: 99c457d902cf90bdc0df5d57e6156ec108711068 , < d6c91fc732698642f70c688324c98551b97b412c (git)
Affected: 99c457d902cf90bdc0df5d57e6156ec108711068 , < 594ff8bb69e239678a8baa461827ce4bb90eff8f (git)
Affected: 99c457d902cf90bdc0df5d57e6156ec108711068 , < 1c3c234af9407256ed670c8752923a672eea4225 (git)
Affected: 99c457d902cf90bdc0df5d57e6156ec108711068 , < 278bfed4529a0c9c9119f5a52ddafe69db61a75c (git)
Affected: 99c457d902cf90bdc0df5d57e6156ec108711068 , < fb905e69941b44e03fe1a24e95328d45442b6d6d (git)
Affected: 99c457d902cf90bdc0df5d57e6156ec108711068 , < 4d42aba0ee49c0aa015c50c4f2a07cf8fa1c3a49 (git)
Affected: 99c457d902cf90bdc0df5d57e6156ec108711068 , < 53d1548612670aa8b5d89745116cc33d9d172863 (git)

Linux

Affected: 5.7
Unaffected: 0 , < 5.7 (semver)
Unaffected: 5.15.198 , ≤ 5.15.* (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.63 , ≤ 6.12.* (semver)
Unaffected: 6.17.13 , ≤ 6.17.* (semver)
Unaffected: 6.18.2 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/mediatek/mt76/mt7615/mcu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d6c91fc732698642f70c688324c98551b97b412c",
              "status": "affected",
              "version": "99c457d902cf90bdc0df5d57e6156ec108711068",
              "versionType": "git"
            },
            {
              "lessThan": "594ff8bb69e239678a8baa461827ce4bb90eff8f",
              "status": "affected",
              "version": "99c457d902cf90bdc0df5d57e6156ec108711068",
              "versionType": "git"
            },
            {
              "lessThan": "1c3c234af9407256ed670c8752923a672eea4225",
              "status": "affected",
              "version": "99c457d902cf90bdc0df5d57e6156ec108711068",
              "versionType": "git"
            },
            {
              "lessThan": "278bfed4529a0c9c9119f5a52ddafe69db61a75c",
              "status": "affected",
              "version": "99c457d902cf90bdc0df5d57e6156ec108711068",
              "versionType": "git"
            },
            {
              "lessThan": "fb905e69941b44e03fe1a24e95328d45442b6d6d",
              "status": "affected",
              "version": "99c457d902cf90bdc0df5d57e6156ec108711068",
              "versionType": "git"
            },
            {
              "lessThan": "4d42aba0ee49c0aa015c50c4f2a07cf8fa1c3a49",
              "status": "affected",
              "version": "99c457d902cf90bdc0df5d57e6156ec108711068",
              "versionType": "git"
            },
            {
              "lessThan": "53d1548612670aa8b5d89745116cc33d9d172863",
              "status": "affected",
              "version": "99c457d902cf90bdc0df5d57e6156ec108711068",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/mediatek/mt76/mt7615/mcu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.63",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.198",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.63",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.13",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.2",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add()\n\nIn mt7615_mcu_wtbl_sta_add(), an skb sskb is allocated. If the\nsubsequent call to mt76_connac_mcu_alloc_wtbl_req() fails, the function\nreturns an error without freeing sskb, leading to a memory leak.\n\nFix this by calling dev_kfree_skb() on sskb in the error handling path\nto ensure it is properly released."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-19T12:18:48.872Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d6c91fc732698642f70c688324c98551b97b412c"
        },
        {
          "url": "https://git.kernel.org/stable/c/594ff8bb69e239678a8baa461827ce4bb90eff8f"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c3c234af9407256ed670c8752923a672eea4225"
        },
        {
          "url": "https://git.kernel.org/stable/c/278bfed4529a0c9c9119f5a52ddafe69db61a75c"
        },
        {
          "url": "https://git.kernel.org/stable/c/fb905e69941b44e03fe1a24e95328d45442b6d6d"
        },
        {
          "url": "https://git.kernel.org/stable/c/4d42aba0ee49c0aa015c50c4f2a07cf8fa1c3a49"
        },
        {
          "url": "https://git.kernel.org/stable/c/53d1548612670aa8b5d89745116cc33d9d172863"
        }
      ],
      "title": "mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68765",
    "datePublished": "2026-01-05T09:44:13.242Z",
    "dateReserved": "2025-12-24T10:30:51.034Z",
    "dateUpdated": "2026-01-19T12:18:48.872Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68312 (GCVE-0-2025-68312)

Vulnerability from cvelistv5 – Published: 2025-12-16 15:39 – Updated: 2025-12-16 15:39

Title

usbnet: Prevents free active kevent

Summary

In the Linux kernel, the following vulnerability has been resolved: usbnet: Prevents free active kevent The root cause of this issue are: 1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0); put the kevent work in global workqueue. However, the kevent has not yet been scheduled when the usbnet device is unregistered. Therefore, executing free_netdev() results in the "free active object (kevent)" error reported here. 2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(), if the usbnet device is up, ndo_stop() is executed to cancel the kevent. However, because the device is not up, ndo_stop() is not executed. The solution to this problem is to cancel the kevent before executing free_netdev().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/285d4b953f2ca03c3…
	https://git.kernel.org/stable/c/88a38b135d69f5db9…
	https://git.kernel.org/stable/c/43005002b60ef3424…
	https://git.kernel.org/stable/c/3a10619fdefd3051a…
	https://git.kernel.org/stable/c/9a579d6a39513069d…
	https://git.kernel.org/stable/c/2ce1de32e05445d77…
	https://git.kernel.org/stable/c/5158fb8da162e3982…
	https://git.kernel.org/stable/c/420c84c330d1688b8…

Impacted products

Vendor

Product

Version

Linux

Affected: 8b4588b8b00b299be16a35be67b331d8fdba03f3 , < 285d4b953f2ca03c358f986718dd89ee9bde632e (git)
Affected: 135199a2edd459d2b123144efcd7f9bcd95128e4 , < 88a38b135d69f5db9024ff6527232f1b51be8915 (git)
Affected: 635fd8953e4309b54ca6a81bed1d4a87668694f4 , < 43005002b60ef3424719ecda16d124714b45da3b (git)
Affected: a69e617e533edddf3fa3123149900f36e0a6dc74 , < 3a10619fdefd3051aeb14860e4d4335529b4e94d (git)
Affected: a69e617e533edddf3fa3123149900f36e0a6dc74 , < 9a579d6a39513069d298eee70770bbac8a148565 (git)
Affected: a69e617e533edddf3fa3123149900f36e0a6dc74 , < 2ce1de32e05445d77fc056f6ff8339cfb78a5f84 (git)
Affected: a69e617e533edddf3fa3123149900f36e0a6dc74 , < 5158fb8da162e3982940f30cd01ed77bdf42c6fc (git)
Affected: a69e617e533edddf3fa3123149900f36e0a6dc74 , < 420c84c330d1688b8c764479e5738bbdbf0a33de (git)
Affected: d2d6b530d89b0a912148018027386aa049f0a309 (git)
Affected: e2a521a7dcc463c5017b4426ca0804e151faeff7 (git)
Affected: 7f77dcbc030c2faa6d8e8a594985eeb34018409e (git)
Affected: d49bb8cf9bfaa06aa527eb30f1a52a071da2e32f (git)
Affected: db3b738ae5f726204876f4303c49cfdf4311403f (git)

Linux

Affected: 6.0
Unaffected: 0 , < 6.0 (semver)
Unaffected: 5.4.302 , ≤ 5.4.* (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/usb/usbnet.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "285d4b953f2ca03c358f986718dd89ee9bde632e",
              "status": "affected",
              "version": "8b4588b8b00b299be16a35be67b331d8fdba03f3",
              "versionType": "git"
            },
            {
              "lessThan": "88a38b135d69f5db9024ff6527232f1b51be8915",
              "status": "affected",
              "version": "135199a2edd459d2b123144efcd7f9bcd95128e4",
              "versionType": "git"
            },
            {
              "lessThan": "43005002b60ef3424719ecda16d124714b45da3b",
              "status": "affected",
              "version": "635fd8953e4309b54ca6a81bed1d4a87668694f4",
              "versionType": "git"
            },
            {
              "lessThan": "3a10619fdefd3051aeb14860e4d4335529b4e94d",
              "status": "affected",
              "version": "a69e617e533edddf3fa3123149900f36e0a6dc74",
              "versionType": "git"
            },
            {
              "lessThan": "9a579d6a39513069d298eee70770bbac8a148565",
              "status": "affected",
              "version": "a69e617e533edddf3fa3123149900f36e0a6dc74",
              "versionType": "git"
            },
            {
              "lessThan": "2ce1de32e05445d77fc056f6ff8339cfb78a5f84",
              "status": "affected",
              "version": "a69e617e533edddf3fa3123149900f36e0a6dc74",
              "versionType": "git"
            },
            {
              "lessThan": "5158fb8da162e3982940f30cd01ed77bdf42c6fc",
              "status": "affected",
              "version": "a69e617e533edddf3fa3123149900f36e0a6dc74",
              "versionType": "git"
            },
            {
              "lessThan": "420c84c330d1688b8c764479e5738bbdbf0a33de",
              "status": "affected",
              "version": "a69e617e533edddf3fa3123149900f36e0a6dc74",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d2d6b530d89b0a912148018027386aa049f0a309",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "e2a521a7dcc463c5017b4426ca0804e151faeff7",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "7f77dcbc030c2faa6d8e8a594985eeb34018409e",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d49bb8cf9bfaa06aa527eb30f1a52a071da2e32f",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "db3b738ae5f726204876f4303c49cfdf4311403f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/usb/usbnet.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.302",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.302",
                  "versionStartIncluding": "5.4.211",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "5.10.137",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "5.15.61",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.9.326",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.291",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.256",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.18.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.19.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: Prevents free active kevent\n\nThe root cause of this issue are:\n1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0);\nput the kevent work in global workqueue. However, the kevent has not yet\nbeen scheduled when the usbnet device is unregistered. Therefore, executing\nfree_netdev() results in the \"free active object (kevent)\" error reported\nhere.\n\n2. Another factor is that when calling usbnet_disconnect()-\u003eunregister_netdev(),\nif the usbnet device is up, ndo_stop() is executed to cancel the kevent.\nHowever, because the device is not up, ndo_stop() is not executed.\n\nThe solution to this problem is to cancel the kevent before executing\nfree_netdev()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T15:39:43.174Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/285d4b953f2ca03c358f986718dd89ee9bde632e"
        },
        {
          "url": "https://git.kernel.org/stable/c/88a38b135d69f5db9024ff6527232f1b51be8915"
        },
        {
          "url": "https://git.kernel.org/stable/c/43005002b60ef3424719ecda16d124714b45da3b"
        },
        {
          "url": "https://git.kernel.org/stable/c/3a10619fdefd3051aeb14860e4d4335529b4e94d"
        },
        {
          "url": "https://git.kernel.org/stable/c/9a579d6a39513069d298eee70770bbac8a148565"
        },
        {
          "url": "https://git.kernel.org/stable/c/2ce1de32e05445d77fc056f6ff8339cfb78a5f84"
        },
        {
          "url": "https://git.kernel.org/stable/c/5158fb8da162e3982940f30cd01ed77bdf42c6fc"
        },
        {
          "url": "https://git.kernel.org/stable/c/420c84c330d1688b8c764479e5738bbdbf0a33de"
        }
      ],
      "title": "usbnet: Prevents free active kevent",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68312",
    "datePublished": "2025-12-16T15:39:43.174Z",
    "dateReserved": "2025-12-16T14:48:05.294Z",
    "dateUpdated": "2025-12-16T15:39:43.174Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53215 (GCVE-0-2023-53215)

Vulnerability from cvelistv5 – Published: 2025-09-15 14:21 – Updated: 2026-01-14 17:52

Title

sched/fair: Don't balance task to its current running CPU

Summary

In the Linux kernel, the following vulnerability has been resolved: sched/fair: Don't balance task to its current running CPU We've run into the case that the balancer tries to balance a migration disabled task and trigger the warning in set_task_cpu() like below: ------------[ cut here ]------------ WARNING: CPU: 7 PID: 0 at kernel/sched/core.c:3115 set_task_cpu+0x188/0x240 Modules linked in: hclgevf xt_CHECKSUM ipt_REJECT nf_reject_ipv4 <...snip> CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G O 6.1.0-rc4+ #1 Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V5.B221.01 12/09/2021 pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : set_task_cpu+0x188/0x240 lr : load_balance+0x5d0/0xc60 sp : ffff80000803bc70 x29: ffff80000803bc70 x28: ffff004089e190e8 x27: ffff004089e19040 x26: ffff007effcabc38 x25: 0000000000000000 x24: 0000000000000001 x23: ffff80000803be84 x22: 000000000000000c x21: ffffb093e79e2a78 x20: 000000000000000c x19: ffff004089e19040 x18: 0000000000000000 x17: 0000000000001fad x16: 0000000000000030 x15: 0000000000000000 x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000001 x10: 0000000000000400 x9 : ffffb093e4cee530 x8 : 00000000fffffffe x7 : 0000000000ce168a x6 : 000000000000013e x5 : 00000000ffffffe1 x4 : 0000000000000001 x3 : 0000000000000b2a x2 : 0000000000000b2a x1 : ffffb093e6d6c510 x0 : 0000000000000001 Call trace: set_task_cpu+0x188/0x240 load_balance+0x5d0/0xc60 rebalance_domains+0x26c/0x380 _nohz_idle_balance.isra.0+0x1e0/0x370 run_rebalance_domains+0x6c/0x80 __do_softirq+0x128/0x3d8 ____do_softirq+0x18/0x24 call_on_irq_stack+0x2c/0x38 do_softirq_own_stack+0x24/0x3c __irq_exit_rcu+0xcc/0xf4 irq_exit_rcu+0x18/0x24 el1_interrupt+0x4c/0xe4 el1h_64_irq_handler+0x18/0x2c el1h_64_irq+0x74/0x78 arch_cpu_idle+0x18/0x4c default_idle_call+0x58/0x194 do_idle+0x244/0x2b0 cpu_startup_entry+0x30/0x3c secondary_start_kernel+0x14c/0x190 __secondary_switched+0xb0/0xb4 ---[ end trace 0000000000000000 ]--- Further investigation shows that the warning is superfluous, the migration disabled task is just going to be migrated to its current running CPU. This is because that on load balance if the dst_cpu is not allowed by the task, we'll re-select a new_dst_cpu as a candidate. If no task can be balanced to dst_cpu we'll try to balance the task to the new_dst_cpu instead. In this case when the migration disabled task is not on CPU it only allows to run on its current CPU, load balance will select its current CPU as new_dst_cpu and later triggers the warning above. The new_dst_cpu is chosen from the env->dst_grpmask. Currently it contains CPUs in sched_group_span() and if we have overlapped groups it's possible to run into this case. This patch makes env->dst_grpmask of group_balance_mask() which exclude any CPUs from the busiest group and solve the issue. For balancing in a domain with no overlapped groups the behaviour keeps same as before.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-noinfo Not enough information

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/32d937f94b7805d4c…
	https://git.kernel.org/stable/c/a5286f4655ce2fa28…
	https://git.kernel.org/stable/c/cec1857b1ea5cc3ea…
	https://git.kernel.org/stable/c/6b0c79aa33075b34c…
	https://git.kernel.org/stable/c/3cb43222bab8ab328…
	https://git.kernel.org/stable/c/78a5f711efceb37e3…
	https://git.kernel.org/stable/c/34eb902050d473bb2…
	https://git.kernel.org/stable/c/0dd37d6dd33a9c233…

Impacted products

Vendor

Product

Version

Linux

Affected: 88b8dac0a14c511ff41486b83a8c3d688936eec0 , < 32d937f94b7805d4c9028b8727a7d6241547da54 (git)
Affected: 88b8dac0a14c511ff41486b83a8c3d688936eec0 , < a5286f4655ce2fa28f477c0b957ea7f323fe2fab (git)
Affected: 88b8dac0a14c511ff41486b83a8c3d688936eec0 , < cec1857b1ea5cc3ea2b600564f1c95d1a6f27ad1 (git)
Affected: 88b8dac0a14c511ff41486b83a8c3d688936eec0 , < 6b0c79aa33075b34c3cdcea4132c0afb3fc42d68 (git)
Affected: 88b8dac0a14c511ff41486b83a8c3d688936eec0 , < 3cb43222bab8ab328fc91ed30899b3df2efbccfd (git)
Affected: 88b8dac0a14c511ff41486b83a8c3d688936eec0 , < 78a5f711efceb37e32c48cd6b40addb671fea9cc (git)
Affected: 88b8dac0a14c511ff41486b83a8c3d688936eec0 , < 34eb902050d473bb2befa15714fb1d30a0991c15 (git)
Affected: 88b8dac0a14c511ff41486b83a8c3d688936eec0 , < 0dd37d6dd33a9c23351e6115ae8cdac7863bc7de (git)

Linux

Affected: 3.6
Unaffected: 0 , < 3.6 (semver)
Unaffected: 4.14.322 , ≤ 4.14.* (semver)
Unaffected: 4.19.291 , ≤ 4.19.* (semver)
Unaffected: 5.4.251 , ≤ 5.4.* (semver)
Unaffected: 5.10.188 , ≤ 5.10.* (semver)
Unaffected: 5.15.150 , ≤ 5.15.* (semver)
Unaffected: 6.1.42 , ≤ 6.1.* (semver)
Unaffected: 6.4.7 , ≤ 6.4.* (semver)
Unaffected: 6.5 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-53215",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-14T17:49:11.026903Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-14T17:52:57.570Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/sched/fair.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "32d937f94b7805d4c9028b8727a7d6241547da54",
              "status": "affected",
              "version": "88b8dac0a14c511ff41486b83a8c3d688936eec0",
              "versionType": "git"
            },
            {
              "lessThan": "a5286f4655ce2fa28f477c0b957ea7f323fe2fab",
              "status": "affected",
              "version": "88b8dac0a14c511ff41486b83a8c3d688936eec0",
              "versionType": "git"
            },
            {
              "lessThan": "cec1857b1ea5cc3ea2b600564f1c95d1a6f27ad1",
              "status": "affected",
              "version": "88b8dac0a14c511ff41486b83a8c3d688936eec0",
              "versionType": "git"
            },
            {
              "lessThan": "6b0c79aa33075b34c3cdcea4132c0afb3fc42d68",
              "status": "affected",
              "version": "88b8dac0a14c511ff41486b83a8c3d688936eec0",
              "versionType": "git"
            },
            {
              "lessThan": "3cb43222bab8ab328fc91ed30899b3df2efbccfd",
              "status": "affected",
              "version": "88b8dac0a14c511ff41486b83a8c3d688936eec0",
              "versionType": "git"
            },
            {
              "lessThan": "78a5f711efceb37e32c48cd6b40addb671fea9cc",
              "status": "affected",
              "version": "88b8dac0a14c511ff41486b83a8c3d688936eec0",
              "versionType": "git"
            },
            {
              "lessThan": "34eb902050d473bb2befa15714fb1d30a0991c15",
              "status": "affected",
              "version": "88b8dac0a14c511ff41486b83a8c3d688936eec0",
              "versionType": "git"
            },
            {
              "lessThan": "0dd37d6dd33a9c23351e6115ae8cdac7863bc7de",
              "status": "affected",
              "version": "88b8dac0a14c511ff41486b83a8c3d688936eec0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/sched/fair.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.6"
            },
            {
              "lessThan": "3.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.322",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.251",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.188",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.322",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.291",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.251",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.188",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.150",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.42",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.7",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "versionStartIncluding": "3.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/fair: Don\u0027t balance task to its current running CPU\n\nWe\u0027ve run into the case that the balancer tries to balance a migration\ndisabled task and trigger the warning in set_task_cpu() like below:\n\n ------------[ cut here ]------------\n WARNING: CPU: 7 PID: 0 at kernel/sched/core.c:3115 set_task_cpu+0x188/0x240\n Modules linked in: hclgevf xt_CHECKSUM ipt_REJECT nf_reject_ipv4 \u003c...snip\u003e\n CPU: 7 PID: 0 Comm: swapper/7 Kdump: loaded Tainted: G           O       6.1.0-rc4+ #1\n Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V5.B221.01 12/09/2021\n pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : set_task_cpu+0x188/0x240\n lr : load_balance+0x5d0/0xc60\n sp : ffff80000803bc70\n x29: ffff80000803bc70 x28: ffff004089e190e8 x27: ffff004089e19040\n x26: ffff007effcabc38 x25: 0000000000000000 x24: 0000000000000001\n x23: ffff80000803be84 x22: 000000000000000c x21: ffffb093e79e2a78\n x20: 000000000000000c x19: ffff004089e19040 x18: 0000000000000000\n x17: 0000000000001fad x16: 0000000000000030 x15: 0000000000000000\n x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000000\n x11: 0000000000000001 x10: 0000000000000400 x9 : ffffb093e4cee530\n x8 : 00000000fffffffe x7 : 0000000000ce168a x6 : 000000000000013e\n x5 : 00000000ffffffe1 x4 : 0000000000000001 x3 : 0000000000000b2a\n x2 : 0000000000000b2a x1 : ffffb093e6d6c510 x0 : 0000000000000001\n Call trace:\n  set_task_cpu+0x188/0x240\n  load_balance+0x5d0/0xc60\n  rebalance_domains+0x26c/0x380\n  _nohz_idle_balance.isra.0+0x1e0/0x370\n  run_rebalance_domains+0x6c/0x80\n  __do_softirq+0x128/0x3d8\n  ____do_softirq+0x18/0x24\n  call_on_irq_stack+0x2c/0x38\n  do_softirq_own_stack+0x24/0x3c\n  __irq_exit_rcu+0xcc/0xf4\n  irq_exit_rcu+0x18/0x24\n  el1_interrupt+0x4c/0xe4\n  el1h_64_irq_handler+0x18/0x2c\n  el1h_64_irq+0x74/0x78\n  arch_cpu_idle+0x18/0x4c\n  default_idle_call+0x58/0x194\n  do_idle+0x244/0x2b0\n  cpu_startup_entry+0x30/0x3c\n  secondary_start_kernel+0x14c/0x190\n  __secondary_switched+0xb0/0xb4\n ---[ end trace 0000000000000000 ]---\n\nFurther investigation shows that the warning is superfluous, the migration\ndisabled task is just going to be migrated to its current running CPU.\nThis is because that on load balance if the dst_cpu is not allowed by the\ntask, we\u0027ll re-select a new_dst_cpu as a candidate. If no task can be\nbalanced to dst_cpu we\u0027ll try to balance the task to the new_dst_cpu\ninstead. In this case when the migration disabled task is not on CPU it\nonly allows to run on its current CPU, load balance will select its\ncurrent CPU as new_dst_cpu and later triggers the warning above.\n\nThe new_dst_cpu is chosen from the env-\u003edst_grpmask. Currently it\ncontains CPUs in sched_group_span() and if we have overlapped groups it\u0027s\npossible to run into this case. This patch makes env-\u003edst_grpmask of\ngroup_balance_mask() which exclude any CPUs from the busiest group and\nsolve the issue. For balancing in a domain with no overlapped groups\nthe behaviour keeps same as before."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-05T10:18:44.612Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/32d937f94b7805d4c9028b8727a7d6241547da54"
        },
        {
          "url": "https://git.kernel.org/stable/c/a5286f4655ce2fa28f477c0b957ea7f323fe2fab"
        },
        {
          "url": "https://git.kernel.org/stable/c/cec1857b1ea5cc3ea2b600564f1c95d1a6f27ad1"
        },
        {
          "url": "https://git.kernel.org/stable/c/6b0c79aa33075b34c3cdcea4132c0afb3fc42d68"
        },
        {
          "url": "https://git.kernel.org/stable/c/3cb43222bab8ab328fc91ed30899b3df2efbccfd"
        },
        {
          "url": "https://git.kernel.org/stable/c/78a5f711efceb37e32c48cd6b40addb671fea9cc"
        },
        {
          "url": "https://git.kernel.org/stable/c/34eb902050d473bb2befa15714fb1d30a0991c15"
        },
        {
          "url": "https://git.kernel.org/stable/c/0dd37d6dd33a9c23351e6115ae8cdac7863bc7de"
        }
      ],
      "title": "sched/fair: Don\u0027t balance task to its current running CPU",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53215",
    "datePublished": "2025-09-15T14:21:43.107Z",
    "dateReserved": "2025-09-15T14:19:21.845Z",
    "dateUpdated": "2026-01-14T17:52:57.570Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50644 (GCVE-0-2022-50644)

Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00

Title

clk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe

Summary

In the Linux kernel, the following vulnerability has been resolved: clk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe pm_runtime_get_sync() will increment pm usage counter. Forgetting to putting operation will result in reference leak. Add missing pm_runtime_put_sync in some error paths.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/27abe45df1dc394c1…
	https://git.kernel.org/stable/c/d84f77ef7d57658d7…
	https://git.kernel.org/stable/c/25fe7b0d596b343e7…
	https://git.kernel.org/stable/c/fc39ebf85d0349366…
	https://git.kernel.org/stable/c/6d01017247eee3fba…
	https://git.kernel.org/stable/c/3441076f83aace85f…
	https://git.kernel.org/stable/c/a9f69663ad571cbd7…
	https://git.kernel.org/stable/c/c01ae99a4e3a0cdf7…
	https://git.kernel.org/stable/c/9c59a01caba26ec06…

Impacted products

Vendor

Product

Version

Linux

Affected: 9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd , < 27abe45df1dc394c184688d816cbbf2f194d4c6a (git)
Affected: 9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd , < d84f77ef7d57658d7346f8c4797a570aa5e35fa6 (git)
Affected: 9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd , < 25fe7b0d596b343e7a5504ba11767115fff8494f (git)
Affected: 9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd , < fc39ebf85d0349366b807fe2be848041c8523f03 (git)
Affected: 9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd , < 6d01017247eee3fba399f601b0bcb38e4fb88a72 (git)
Affected: 9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd , < 3441076f83aace85f5d6ccd9ffb301ac6b874776 (git)
Affected: 9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd , < a9f69663ad571cbd7814dde38e3fcb4876341ed6 (git)
Affected: 9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd , < c01ae99a4e3a0cdf70f7cd758a60a2243eac562c (git)
Affected: 9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd , < 9c59a01caba26ec06fefd6ca1f22d5fd1de57d63 (git)

Linux

Affected: 3.16
Unaffected: 0 , < 3.16 (semver)
Unaffected: 4.9.331 , ≤ 4.9.* (semver)
Unaffected: 4.14.296 , ≤ 4.14.* (semver)
Unaffected: 4.19.262 , ≤ 4.19.* (semver)
Unaffected: 5.4.220 , ≤ 5.4.* (semver)
Unaffected: 5.10.150 , ≤ 5.10.* (semver)
Unaffected: 5.15.75 , ≤ 5.15.* (semver)
Unaffected: 5.19.17 , ≤ 5.19.* (semver)
Unaffected: 6.0.3 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/clk/ti/clk-dra7-atl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "27abe45df1dc394c184688d816cbbf2f194d4c6a",
              "status": "affected",
              "version": "9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd",
              "versionType": "git"
            },
            {
              "lessThan": "d84f77ef7d57658d7346f8c4797a570aa5e35fa6",
              "status": "affected",
              "version": "9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd",
              "versionType": "git"
            },
            {
              "lessThan": "25fe7b0d596b343e7a5504ba11767115fff8494f",
              "status": "affected",
              "version": "9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd",
              "versionType": "git"
            },
            {
              "lessThan": "fc39ebf85d0349366b807fe2be848041c8523f03",
              "status": "affected",
              "version": "9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd",
              "versionType": "git"
            },
            {
              "lessThan": "6d01017247eee3fba399f601b0bcb38e4fb88a72",
              "status": "affected",
              "version": "9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd",
              "versionType": "git"
            },
            {
              "lessThan": "3441076f83aace85f5d6ccd9ffb301ac6b874776",
              "status": "affected",
              "version": "9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd",
              "versionType": "git"
            },
            {
              "lessThan": "a9f69663ad571cbd7814dde38e3fcb4876341ed6",
              "status": "affected",
              "version": "9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd",
              "versionType": "git"
            },
            {
              "lessThan": "c01ae99a4e3a0cdf70f7cd758a60a2243eac562c",
              "status": "affected",
              "version": "9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd",
              "versionType": "git"
            },
            {
              "lessThan": "9c59a01caba26ec06fefd6ca1f22d5fd1de57d63",
              "status": "affected",
              "version": "9ac33b0ce81fa48dd39e7ddfc1bf4519052181dd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/clk/ti/clk-dra7-atl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.16"
            },
            {
              "lessThan": "3.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.331",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.262",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.220",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.331",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.296",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.262",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.220",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.150",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.75",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe\n\npm_runtime_get_sync() will increment pm usage counter.\nForgetting to putting operation will result in reference leak.\nAdd missing pm_runtime_put_sync in some error paths."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T00:00:18.729Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/27abe45df1dc394c184688d816cbbf2f194d4c6a"
        },
        {
          "url": "https://git.kernel.org/stable/c/d84f77ef7d57658d7346f8c4797a570aa5e35fa6"
        },
        {
          "url": "https://git.kernel.org/stable/c/25fe7b0d596b343e7a5504ba11767115fff8494f"
        },
        {
          "url": "https://git.kernel.org/stable/c/fc39ebf85d0349366b807fe2be848041c8523f03"
        },
        {
          "url": "https://git.kernel.org/stable/c/6d01017247eee3fba399f601b0bcb38e4fb88a72"
        },
        {
          "url": "https://git.kernel.org/stable/c/3441076f83aace85f5d6ccd9ffb301ac6b874776"
        },
        {
          "url": "https://git.kernel.org/stable/c/a9f69663ad571cbd7814dde38e3fcb4876341ed6"
        },
        {
          "url": "https://git.kernel.org/stable/c/c01ae99a4e3a0cdf70f7cd758a60a2243eac562c"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c59a01caba26ec06fefd6ca1f22d5fd1de57d63"
        }
      ],
      "title": "clk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50644",
    "datePublished": "2025-12-09T00:00:18.729Z",
    "dateReserved": "2025-12-08T23:57:43.371Z",
    "dateUpdated": "2025-12-09T00:00:18.729Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40292 (GCVE-0-2025-40292)

Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46

Title

virtio-net: fix received length check in big packets

Summary

In the Linux kernel, the following vulnerability has been resolved: virtio-net: fix received length check in big packets Since commit 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big packets"), when guest gso is off, the allocated size for big packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on negotiated MTU. The number of allocated frags for big packets is stored in vi->big_packets_num_skbfrags. Because the host announced buffer length can be malicious (e.g. the host vhost_net driver's get_rx_bufs is modified to announce incorrect length), we need a check in virtio_net receive path. Currently, the check is not adapted to the new change which can lead to NULL page pointer dereference in the below while loop when receiving length that is larger than the allocated one. This commit fixes the received length check corresponding to the new change.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/82f9028e83944a9ee…
	https://git.kernel.org/stable/c/946dec89c41726b94…
	https://git.kernel.org/stable/c/82fe78065450d2d07…
	https://git.kernel.org/stable/c/3e9d89f2ecd3636bd…
	https://git.kernel.org/stable/c/0c716703965ffc5ef…

Impacted products

Vendor

Product

Version

Linux

Affected: 4959aebba8c06992abafa09d1e80965e0825af54 , < 82f9028e83944a9eee5229cbc6fee9be1de8a62d (git)
Affected: 4959aebba8c06992abafa09d1e80965e0825af54 , < 946dec89c41726b94d31147ec528b96af0be1b5a (git)
Affected: 4959aebba8c06992abafa09d1e80965e0825af54 , < 82fe78065450d2d07f36a22e2b6b44955cf5ca5b (git)
Affected: 4959aebba8c06992abafa09d1e80965e0825af54 , < 3e9d89f2ecd3636bd4cbdfd0b2dfdaf58f9882e2 (git)
Affected: 4959aebba8c06992abafa09d1e80965e0825af54 , < 0c716703965ffc5ef4311b65cb5d84a703784717 (git)

Linux

Affected: 6.1
Unaffected: 0 , < 6.1 (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/virtio_net.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "82f9028e83944a9eee5229cbc6fee9be1de8a62d",
              "status": "affected",
              "version": "4959aebba8c06992abafa09d1e80965e0825af54",
              "versionType": "git"
            },
            {
              "lessThan": "946dec89c41726b94d31147ec528b96af0be1b5a",
              "status": "affected",
              "version": "4959aebba8c06992abafa09d1e80965e0825af54",
              "versionType": "git"
            },
            {
              "lessThan": "82fe78065450d2d07f36a22e2b6b44955cf5ca5b",
              "status": "affected",
              "version": "4959aebba8c06992abafa09d1e80965e0825af54",
              "versionType": "git"
            },
            {
              "lessThan": "3e9d89f2ecd3636bd4cbdfd0b2dfdaf58f9882e2",
              "status": "affected",
              "version": "4959aebba8c06992abafa09d1e80965e0825af54",
              "versionType": "git"
            },
            {
              "lessThan": "0c716703965ffc5ef4311b65cb5d84a703784717",
              "status": "affected",
              "version": "4959aebba8c06992abafa09d1e80965e0825af54",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/virtio_net.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.1"
            },
            {
              "lessThan": "6.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-net: fix received length check in big packets\n\nSince commit 4959aebba8c0 (\"virtio-net: use mtu size as buffer length\nfor big packets\"), when guest gso is off, the allocated size for big\npackets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on\nnegotiated MTU. The number of allocated frags for big packets is stored\nin vi-\u003ebig_packets_num_skbfrags.\n\nBecause the host announced buffer length can be malicious (e.g. the host\nvhost_net driver\u0027s get_rx_bufs is modified to announce incorrect\nlength), we need a check in virtio_net receive path. Currently, the\ncheck is not adapted to the new change which can lead to NULL page\npointer dereference in the below while loop when receiving length that\nis larger than the allocated one.\n\nThis commit fixes the received length check corresponding to the new\nchange."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-08T00:46:15.761Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/82f9028e83944a9eee5229cbc6fee9be1de8a62d"
        },
        {
          "url": "https://git.kernel.org/stable/c/946dec89c41726b94d31147ec528b96af0be1b5a"
        },
        {
          "url": "https://git.kernel.org/stable/c/82fe78065450d2d07f36a22e2b6b44955cf5ca5b"
        },
        {
          "url": "https://git.kernel.org/stable/c/3e9d89f2ecd3636bd4cbdfd0b2dfdaf58f9882e2"
        },
        {
          "url": "https://git.kernel.org/stable/c/0c716703965ffc5ef4311b65cb5d84a703784717"
        }
      ],
      "title": "virtio-net: fix received length check in big packets",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40292",
    "datePublished": "2025-12-08T00:46:15.761Z",
    "dateReserved": "2025-04-16T07:20:57.185Z",
    "dateUpdated": "2025-12-08T00:46:15.761Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40324 (GCVE-0-2025-40324)

Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46

Title

NFSD: Fix crash in nfsd4_read_release()

Summary

In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix crash in nfsd4_read_release() When tracing is enabled, the trace_nfsd_read_done trace point crashes during the pynfs read.testNoFh test.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/930cb4fe3ab4061be…
	https://git.kernel.org/stable/c/375fdd8993cecc48a…
	https://git.kernel.org/stable/c/2ac46606b2cc49e78…
	https://git.kernel.org/stable/c/03524ccff698d4a77…
	https://git.kernel.org/stable/c/a4948875ed0599c03…
	https://git.kernel.org/stable/c/8f244b773c63fa480…
	https://git.kernel.org/stable/c/abb1f08a2121dd270…

Impacted products

Vendor

Product

Version

Linux

Affected: 65a33135e91e6dd661ecdf1194b9d90c49ae3570 , < 930cb4fe3ab4061be31f20ee30bb72a66f7bb6d1 (git)
Affected: b11d8162c24af4a351d21e2c804d25ca493305e3 , < 375fdd8993cecc48afa359728a6e70b280dde1c8 (git)
Affected: b623a8e5d38a69a3ef8644acb1030dd7c7bc28b3 , < 2ac46606b2cc49e78d8e3d8f2685e79e9ba73020 (git)
Affected: 15a8b55dbb1ba154d82627547c5761cac884d810 , < 03524ccff698d4a77d096ed529073d91f5edee5d (git)
Affected: 15a8b55dbb1ba154d82627547c5761cac884d810 , < a4948875ed0599c037dc438c11891c9012721b1d (git)
Affected: 15a8b55dbb1ba154d82627547c5761cac884d810 , < 8f244b773c63fa480c9a3bd1ae04f5272f285e89 (git)
Affected: 15a8b55dbb1ba154d82627547c5761cac884d810 , < abb1f08a2121dd270193746e43b2a9373db9ad84 (git)
Affected: 3d0dcada384af22dec764c8374a2997870ec86ae (git)

Linux

Affected: 6.3
Unaffected: 0 , < 6.3 (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/nfs4proc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "930cb4fe3ab4061be31f20ee30bb72a66f7bb6d1",
              "status": "affected",
              "version": "65a33135e91e6dd661ecdf1194b9d90c49ae3570",
              "versionType": "git"
            },
            {
              "lessThan": "375fdd8993cecc48afa359728a6e70b280dde1c8",
              "status": "affected",
              "version": "b11d8162c24af4a351d21e2c804d25ca493305e3",
              "versionType": "git"
            },
            {
              "lessThan": "2ac46606b2cc49e78d8e3d8f2685e79e9ba73020",
              "status": "affected",
              "version": "b623a8e5d38a69a3ef8644acb1030dd7c7bc28b3",
              "versionType": "git"
            },
            {
              "lessThan": "03524ccff698d4a77d096ed529073d91f5edee5d",
              "status": "affected",
              "version": "15a8b55dbb1ba154d82627547c5761cac884d810",
              "versionType": "git"
            },
            {
              "lessThan": "a4948875ed0599c037dc438c11891c9012721b1d",
              "status": "affected",
              "version": "15a8b55dbb1ba154d82627547c5761cac884d810",
              "versionType": "git"
            },
            {
              "lessThan": "8f244b773c63fa480c9a3bd1ae04f5272f285e89",
              "status": "affected",
              "version": "15a8b55dbb1ba154d82627547c5761cac884d810",
              "versionType": "git"
            },
            {
              "lessThan": "abb1f08a2121dd270193746e43b2a9373db9ad84",
              "status": "affected",
              "version": "15a8b55dbb1ba154d82627547c5761cac884d810",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3d0dcada384af22dec764c8374a2997870ec86ae",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/nfs4proc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "5.10.220",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "5.15.154",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "6.1.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.2.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Fix crash in nfsd4_read_release()\n\nWhen tracing is enabled, the trace_nfsd_read_done trace point\ncrashes during the pynfs read.testNoFh test."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-08T00:46:51.912Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/930cb4fe3ab4061be31f20ee30bb72a66f7bb6d1"
        },
        {
          "url": "https://git.kernel.org/stable/c/375fdd8993cecc48afa359728a6e70b280dde1c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/2ac46606b2cc49e78d8e3d8f2685e79e9ba73020"
        },
        {
          "url": "https://git.kernel.org/stable/c/03524ccff698d4a77d096ed529073d91f5edee5d"
        },
        {
          "url": "https://git.kernel.org/stable/c/a4948875ed0599c037dc438c11891c9012721b1d"
        },
        {
          "url": "https://git.kernel.org/stable/c/8f244b773c63fa480c9a3bd1ae04f5272f285e89"
        },
        {
          "url": "https://git.kernel.org/stable/c/abb1f08a2121dd270193746e43b2a9373db9ad84"
        }
      ],
      "title": "NFSD: Fix crash in nfsd4_read_release()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40324",
    "datePublished": "2025-12-08T00:46:51.912Z",
    "dateReserved": "2025-04-16T07:20:57.186Z",
    "dateUpdated": "2025-12-08T00:46:51.912Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-57996 (GCVE-0-2024-57996)

Vulnerability from cvelistv5 – Published: 2025-02-27 02:07 – Updated: 2025-11-03 19:33

Title

net_sched: sch_sfq: don't allow 1 packet limit

Summary

In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: don't allow 1 packet limit The current implementation does not work correctly with a limit of 1. iproute2 actually checks for this and this patch adds the check in kernel as well. This fixes the following syzkaller reported crash: UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:210:6 index 65535 is out of range for type 'struct sfq_head[128]' CPU: 0 PID: 2569 Comm: syz-executor101 Not tainted 5.10.0-smp-DEV #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x125/0x19f lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:148 [inline] __ubsan_handle_out_of_bounds+0xed/0x120 lib/ubsan.c:347 sfq_link net/sched/sch_sfq.c:210 [inline] sfq_dec+0x528/0x600 net/sched/sch_sfq.c:238 sfq_dequeue+0x39b/0x9d0 net/sched/sch_sfq.c:500 sfq_reset+0x13/0x50 net/sched/sch_sfq.c:525 qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026 tbf_reset+0x3d/0x100 net/sched/sch_tbf.c:319 qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026 dev_reset_queue+0x8c/0x140 net/sched/sch_generic.c:1296 netdev_for_each_tx_queue include/linux/netdevice.h:2350 [inline] dev_deactivate_many+0x6dc/0xc20 net/sched/sch_generic.c:1362 __dev_close_many+0x214/0x350 net/core/dev.c:1468 dev_close_many+0x207/0x510 net/core/dev.c:1506 unregister_netdevice_many+0x40f/0x16b0 net/core/dev.c:10738 unregister_netdevice_queue+0x2be/0x310 net/core/dev.c:10695 unregister_netdevice include/linux/netdevice.h:2893 [inline] __tun_detach+0x6b6/0x1600 drivers/net/tun.c:689 tun_detach drivers/net/tun.c:705 [inline] tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3640 __fput+0x203/0x840 fs/file_table.c:280 task_work_run+0x129/0x1b0 kernel/task_work.c:185 exit_task_work include/linux/task_work.h:33 [inline] do_exit+0x5ce/0x2200 kernel/exit.c:931 do_group_exit+0x144/0x310 kernel/exit.c:1046 __do_sys_exit_group kernel/exit.c:1057 [inline] __se_sys_exit_group kernel/exit.c:1055 [inline] __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1055 do_syscall_64+0x6c/0xd0 entry_SYSCALL_64_after_hwframe+0x61/0xcb RIP: 0033:0x7fe5e7b52479 Code: Unable to access opcode bytes at RIP 0x7fe5e7b5244f. RSP: 002b:00007ffd3c800398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5e7b52479 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 RBP: 00007fe5e7bcd2d0 R08: ffffffffffffffb8 R09: 0000000000000014 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5e7bcd2d0 R13: 0000000000000000 R14: 00007fe5e7bcdd20 R15: 00007fe5e7b24270 The crash can be also be reproduced with the following (with a tc recompiled to allow for sfq limits of 1): tc qdisc add dev dummy0 handle 1: root tbf rate 1Kbit burst 100b lat 1s ../iproute2-6.9.0/tc/tc qdisc add dev dummy0 handle 2: parent 1:10 sfq limit 1 ifconfig dummy0 up ping -I dummy0 -f -c2 -W0.1 8.8.8.8 sleep 1 Scenario that triggers the crash: * the first packet is sent and queued in TBF and SFQ; qdisc qlen is 1 * TBF dequeues: it peeks from SFQ which moves the packet to the gso_skb list and keeps qdisc qlen set to 1. TBF is out of tokens so it schedules itself for later. * the second packet is sent and TBF tries to queues it to SFQ. qdisc qlen is now 2 and because the SFQ limit is 1 the packet is dropped by SFQ. At this point qlen is 1, and all of the SFQ slots are empty, however q->tail is not NULL. At this point, assuming no more packets are queued, when sch_dequeue runs again it will decrement the qlen for the current empty slot causing an underflow and the subsequent out of bounds access.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e12f6013d0a69660e…
	https://git.kernel.org/stable/c/1e6d9d87626cf89ee…
	https://git.kernel.org/stable/c/1b562b7f9231432da…
	https://git.kernel.org/stable/c/35d0137305ae2f972…
	https://git.kernel.org/stable/c/833e9a1c27b82024d…
	https://git.kernel.org/stable/c/7d8947f2153ee9c5a…
	https://git.kernel.org/stable/c/7fefc294204f10a34…
	https://git.kernel.org/stable/c/10685681bafce6feb…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e12f6013d0a69660e8b99bfe381b9546ae667328 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1e6d9d87626cf89eeffb4d943db12cb5b10bf961 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1b562b7f9231432da40d12e19786c1bd7df653a7 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 35d0137305ae2f97260a9047f445bd4434bd6cc7 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 833e9a1c27b82024db7ff5038a51651f48f05e5e (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7d8947f2153ee9c5ab4cb17861a11cc45f30e8c4 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7fefc294204f10a3405f175f4ac2be16d63f135e (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 10685681bafce6febb39770f3387621bf5d67d0b (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.239 , ≤ 5.10.* (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.6.76 , ≤ 6.6.* (semver)
Unaffected: 6.12.13 , ≤ 6.12.* (semver)
Unaffected: 6.13.2 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:33:07.578Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_sfq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e12f6013d0a69660e8b99bfe381b9546ae667328",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1e6d9d87626cf89eeffb4d943db12cb5b10bf961",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1b562b7f9231432da40d12e19786c1bd7df653a7",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "35d0137305ae2f97260a9047f445bd4434bd6cc7",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "833e9a1c27b82024db7ff5038a51651f48f05e5e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7d8947f2153ee9c5ab4cb17861a11cc45f30e8c4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7fefc294204f10a3405f175f4ac2be16d63f135e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "10685681bafce6febb39770f3387621bf5d67d0b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_sfq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.239",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.239",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: sch_sfq: don\u0027t allow 1 packet limit\n\nThe current implementation does not work correctly with a limit of\n1. iproute2 actually checks for this and this patch adds the check in\nkernel as well.\n\nThis fixes the following syzkaller reported crash:\n\nUBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:210:6\nindex 65535 is out of range for type \u0027struct sfq_head[128]\u0027\nCPU: 0 PID: 2569 Comm: syz-executor101 Not tainted 5.10.0-smp-DEV #1\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nCall Trace:\n  __dump_stack lib/dump_stack.c:79 [inline]\n  dump_stack+0x125/0x19f lib/dump_stack.c:120\n  ubsan_epilogue lib/ubsan.c:148 [inline]\n  __ubsan_handle_out_of_bounds+0xed/0x120 lib/ubsan.c:347\n  sfq_link net/sched/sch_sfq.c:210 [inline]\n  sfq_dec+0x528/0x600 net/sched/sch_sfq.c:238\n  sfq_dequeue+0x39b/0x9d0 net/sched/sch_sfq.c:500\n  sfq_reset+0x13/0x50 net/sched/sch_sfq.c:525\n  qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026\n  tbf_reset+0x3d/0x100 net/sched/sch_tbf.c:319\n  qdisc_reset+0xfe/0x510 net/sched/sch_generic.c:1026\n  dev_reset_queue+0x8c/0x140 net/sched/sch_generic.c:1296\n  netdev_for_each_tx_queue include/linux/netdevice.h:2350 [inline]\n  dev_deactivate_many+0x6dc/0xc20 net/sched/sch_generic.c:1362\n  __dev_close_many+0x214/0x350 net/core/dev.c:1468\n  dev_close_many+0x207/0x510 net/core/dev.c:1506\n  unregister_netdevice_many+0x40f/0x16b0 net/core/dev.c:10738\n  unregister_netdevice_queue+0x2be/0x310 net/core/dev.c:10695\n  unregister_netdevice include/linux/netdevice.h:2893 [inline]\n  __tun_detach+0x6b6/0x1600 drivers/net/tun.c:689\n  tun_detach drivers/net/tun.c:705 [inline]\n  tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3640\n  __fput+0x203/0x840 fs/file_table.c:280\n  task_work_run+0x129/0x1b0 kernel/task_work.c:185\n  exit_task_work include/linux/task_work.h:33 [inline]\n  do_exit+0x5ce/0x2200 kernel/exit.c:931\n  do_group_exit+0x144/0x310 kernel/exit.c:1046\n  __do_sys_exit_group kernel/exit.c:1057 [inline]\n  __se_sys_exit_group kernel/exit.c:1055 [inline]\n  __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1055\n do_syscall_64+0x6c/0xd0\n entry_SYSCALL_64_after_hwframe+0x61/0xcb\nRIP: 0033:0x7fe5e7b52479\nCode: Unable to access opcode bytes at RIP 0x7fe5e7b5244f.\nRSP: 002b:00007ffd3c800398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5e7b52479\nRDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000\nRBP: 00007fe5e7bcd2d0 R08: ffffffffffffffb8 R09: 0000000000000014\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fe5e7bcd2d0\nR13: 0000000000000000 R14: 00007fe5e7bcdd20 R15: 00007fe5e7b24270\n\nThe crash can be also be reproduced with the following (with a tc\nrecompiled to allow for sfq limits of 1):\n\ntc qdisc add dev dummy0 handle 1: root tbf rate 1Kbit burst 100b lat 1s\n../iproute2-6.9.0/tc/tc qdisc add dev dummy0 handle 2: parent 1:10 sfq limit 1\nifconfig dummy0 up\nping -I dummy0 -f -c2 -W0.1 8.8.8.8\nsleep 1\n\nScenario that triggers the crash:\n\n* the first packet is sent and queued in TBF and SFQ; qdisc qlen is 1\n\n* TBF dequeues: it peeks from SFQ which moves the packet to the\n  gso_skb list and keeps qdisc qlen set to 1. TBF is out of tokens so\n  it schedules itself for later.\n\n* the second packet is sent and TBF tries to queues it to SFQ. qdisc\n  qlen is now 2 and because the SFQ limit is 1 the packet is dropped\n  by SFQ. At this point qlen is 1, and all of the SFQ slots are empty,\n  however q-\u003etail is not NULL.\n\nAt this point, assuming no more packets are queued, when sch_dequeue\nruns again it will decrement the qlen for the current empty slot\ncausing an underflow and the subsequent out of bounds access."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T14:42:44.697Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e12f6013d0a69660e8b99bfe381b9546ae667328"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e6d9d87626cf89eeffb4d943db12cb5b10bf961"
        },
        {
          "url": "https://git.kernel.org/stable/c/1b562b7f9231432da40d12e19786c1bd7df653a7"
        },
        {
          "url": "https://git.kernel.org/stable/c/35d0137305ae2f97260a9047f445bd4434bd6cc7"
        },
        {
          "url": "https://git.kernel.org/stable/c/833e9a1c27b82024db7ff5038a51651f48f05e5e"
        },
        {
          "url": "https://git.kernel.org/stable/c/7d8947f2153ee9c5ab4cb17861a11cc45f30e8c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/7fefc294204f10a3405f175f4ac2be16d63f135e"
        },
        {
          "url": "https://git.kernel.org/stable/c/10685681bafce6febb39770f3387621bf5d67d0b"
        }
      ],
      "title": "net_sched: sch_sfq: don\u0027t allow 1 packet limit",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57996",
    "datePublished": "2025-02-27T02:07:16.765Z",
    "dateReserved": "2025-02-27T02:04:28.914Z",
    "dateUpdated": "2025-11-03T19:33:07.578Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40160 (GCVE-0-2025-40160)

Vulnerability from cvelistv5 – Published: 2025-11-12 10:24 – Updated: 2026-01-02 15:33

Title

xen/events: Return -EEXIST for bound VIRQs

Summary

In the Linux kernel, the following vulnerability has been resolved: xen/events: Return -EEXIST for bound VIRQs Change find_virq() to return -EEXIST when a VIRQ is bound to a different CPU than the one passed in. With that, remove the BUG_ON() from bind_virq_to_irq() to propogate the error upwards. Some VIRQs are per-cpu, but others are per-domain or global. Those must be bound to CPU0 and can then migrate elsewhere. The lookup for per-domain and global will probably fail when migrated off CPU 0, especially when the current CPU is tracked. This now returns -EEXIST instead of BUG_ON(). A second call to bind a per-domain or global VIRQ is not expected, but make it non-fatal to avoid trying to look up the irq, since we don't know which per_cpu(virq_to_irq) it will be in.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/612ef6056855c0aac…
	https://git.kernel.org/stable/c/a1e7f07ae6b594f1b…
	https://git.kernel.org/stable/c/f81db055a793eca9d…
	https://git.kernel.org/stable/c/07ce121d93a5e5fb2…

Impacted products

Vendor

Product

Version

Linux

Affected: 62cc5fc7b2e0218144e162afb8191db9b924b5e6 , < 612ef6056855c0aacb9b25d1d853c435754483f7 (git)
Affected: 62cc5fc7b2e0218144e162afb8191db9b924b5e6 , < a1e7f07ae6b594f1ba5be46c6125b43bc505c5aa (git)
Affected: 62cc5fc7b2e0218144e162afb8191db9b924b5e6 , < f81db055a793eca9d05f79658ff62adafb41d664 (git)
Affected: 62cc5fc7b2e0218144e162afb8191db9b924b5e6 , < 07ce121d93a5e5fb2440a24da3dbf408fcee978e (git)

Linux

Affected: 3.2
Unaffected: 0 , < 3.2 (semver)
Unaffected: 6.6.113 , ≤ 6.6.* (semver)
Unaffected: 6.12.54 , ≤ 6.12.* (semver)
Unaffected: 6.17.4 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/xen/events/events_base.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "612ef6056855c0aacb9b25d1d853c435754483f7",
              "status": "affected",
              "version": "62cc5fc7b2e0218144e162afb8191db9b924b5e6",
              "versionType": "git"
            },
            {
              "lessThan": "a1e7f07ae6b594f1ba5be46c6125b43bc505c5aa",
              "status": "affected",
              "version": "62cc5fc7b2e0218144e162afb8191db9b924b5e6",
              "versionType": "git"
            },
            {
              "lessThan": "f81db055a793eca9d05f79658ff62adafb41d664",
              "status": "affected",
              "version": "62cc5fc7b2e0218144e162afb8191db9b924b5e6",
              "versionType": "git"
            },
            {
              "lessThan": "07ce121d93a5e5fb2440a24da3dbf408fcee978e",
              "status": "affected",
              "version": "62cc5fc7b2e0218144e162afb8191db9b924b5e6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/xen/events/events_base.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.2"
            },
            {
              "lessThan": "3.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.54",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.113",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.54",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.4",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/events: Return -EEXIST for bound VIRQs\n\nChange find_virq() to return -EEXIST when a VIRQ is bound to a\ndifferent CPU than the one passed in.  With that, remove the BUG_ON()\nfrom bind_virq_to_irq() to propogate the error upwards.\n\nSome VIRQs are per-cpu, but others are per-domain or global.  Those must\nbe bound to CPU0 and can then migrate elsewhere.  The lookup for\nper-domain and global will probably fail when migrated off CPU 0,\nespecially when the current CPU is tracked.  This now returns -EEXIST\ninstead of BUG_ON().\n\nA second call to bind a per-domain or global VIRQ is not expected, but\nmake it non-fatal to avoid trying to look up the irq, since we don\u0027t\nknow which per_cpu(virq_to_irq) it will be in."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:33:05.136Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/612ef6056855c0aacb9b25d1d853c435754483f7"
        },
        {
          "url": "https://git.kernel.org/stable/c/a1e7f07ae6b594f1ba5be46c6125b43bc505c5aa"
        },
        {
          "url": "https://git.kernel.org/stable/c/f81db055a793eca9d05f79658ff62adafb41d664"
        },
        {
          "url": "https://git.kernel.org/stable/c/07ce121d93a5e5fb2440a24da3dbf408fcee978e"
        }
      ],
      "title": "xen/events: Return -EEXIST for bound VIRQs",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40160",
    "datePublished": "2025-11-12T10:24:36.429Z",
    "dateReserved": "2025-04-16T07:20:57.176Z",
    "dateUpdated": "2026-01-02T15:33:05.136Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40322 (GCVE-0-2025-40322)

Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-01-02 15:33

Title

fbdev: bitblit: bound-check glyph index in bit_putcs*

Summary

In the Linux kernel, the following vulnerability has been resolved: fbdev: bitblit: bound-check glyph index in bit_putcs* bit_putcs_aligned()/unaligned() derived the glyph pointer from the character value masked by 0xff/0x1ff, which may exceed the actual font's glyph count and read past the end of the built-in font array. Clamp the index to the actual glyph count before computing the address. This fixes a global out-of-bounds read reported by syzbot.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a10cede006f9614b4…
	https://git.kernel.org/stable/c/0998a6cb232674408…
	https://git.kernel.org/stable/c/db5c9a162d2f42bcc…
	https://git.kernel.org/stable/c/c12003bf91fdff381…
	https://git.kernel.org/stable/c/9ba1a7802ca9a2590…
	https://git.kernel.org/stable/c/901f44227072be608…
	https://git.kernel.org/stable/c/efaf89a75a29b2d17…
	https://git.kernel.org/stable/c/18c4ef4e765a798b4…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a10cede006f9614b465cf25609a8753efbfd45cc (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0998a6cb232674408a03e8561dc15aa266b2f53b (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < db5c9a162d2f42bcc842b76b3d935dcc050a0eec (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c12003bf91fdff381c55ef54fef3e961a5af2545 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9ba1a7802ca9a2590cef95b253e6526f4364477f (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 901f44227072be60812fe8083e83e1533c04eed1 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < efaf89a75a29b2d179bf4fe63ca62852e93ad620 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 18c4ef4e765a798b47980555ed665d78b71aeadf (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.302 , ≤ 5.4.* (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/core/bitblit.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a10cede006f9614b465cf25609a8753efbfd45cc",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0998a6cb232674408a03e8561dc15aa266b2f53b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "db5c9a162d2f42bcc842b76b3d935dcc050a0eec",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c12003bf91fdff381c55ef54fef3e961a5af2545",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9ba1a7802ca9a2590cef95b253e6526f4364477f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "901f44227072be60812fe8083e83e1533c04eed1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "efaf89a75a29b2d179bf4fe63ca62852e93ad620",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "18c4ef4e765a798b47980555ed665d78b71aeadf",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/core/bitblit.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.302",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.302",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: bitblit: bound-check glyph index in bit_putcs*\n\nbit_putcs_aligned()/unaligned() derived the glyph pointer from the\ncharacter value masked by 0xff/0x1ff, which may exceed the actual font\u0027s\nglyph count and read past the end of the built-in font array.\nClamp the index to the actual glyph count before computing the address.\n\nThis fixes a global out-of-bounds read reported by syzbot."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:33:34.750Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a10cede006f9614b465cf25609a8753efbfd45cc"
        },
        {
          "url": "https://git.kernel.org/stable/c/0998a6cb232674408a03e8561dc15aa266b2f53b"
        },
        {
          "url": "https://git.kernel.org/stable/c/db5c9a162d2f42bcc842b76b3d935dcc050a0eec"
        },
        {
          "url": "https://git.kernel.org/stable/c/c12003bf91fdff381c55ef54fef3e961a5af2545"
        },
        {
          "url": "https://git.kernel.org/stable/c/9ba1a7802ca9a2590cef95b253e6526f4364477f"
        },
        {
          "url": "https://git.kernel.org/stable/c/901f44227072be60812fe8083e83e1533c04eed1"
        },
        {
          "url": "https://git.kernel.org/stable/c/efaf89a75a29b2d179bf4fe63ca62852e93ad620"
        },
        {
          "url": "https://git.kernel.org/stable/c/18c4ef4e765a798b47980555ed665d78b71aeadf"
        }
      ],
      "title": "fbdev: bitblit: bound-check glyph index in bit_putcs*",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40322",
    "datePublished": "2025-12-08T00:46:49.773Z",
    "dateReserved": "2025-04-16T07:20:57.186Z",
    "dateUpdated": "2026-01-02T15:33:34.750Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68283 (GCVE-0-2025-68283)

Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2026-01-02 15:34

Title

libceph: replace BUG_ON with bounds check for map->max_osd

Summary

In the Linux kernel, the following vulnerability has been resolved: libceph: replace BUG_ON with bounds check for map->max_osd OSD indexes come from untrusted network packets. Boundary checks are added to validate these against map->max_osd. [ idryomov: drop BUG_ON in ceph_get_primary_affinity(), minor cosmetic edits ]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/57f5fbae9f1024aba…
	https://git.kernel.org/stable/c/becc488a4d864db33…
	https://git.kernel.org/stable/c/e67e3be690f5f7e3b…
	https://git.kernel.org/stable/c/b4368b7f97014e101…
	https://git.kernel.org/stable/c/ec3797f043756a94e…

Impacted products

Vendor

Product

Version

Linux

Affected: f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < 57f5fbae9f1024aba17ff75e00433324115c548a (git)
Affected: f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < becc488a4d864db338ebd4e313aa3c77da24b604 (git)
Affected: f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < e67e3be690f5f7e3b031cf29e8d91e6d02a8e30d (git)
Affected: f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < b4368b7f97014e1015445d61abd0b27c4c6e8424 (git)
Affected: f24e9980eb860d8600cbe5ef3d2fd9295320d229 , < ec3797f043756a94ea2d0f106022e14ac4946c02 (git)

Linux

Affected: 2.6.34
Unaffected: 0 , < 2.6.34 (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.119 , ≤ 6.6.* (semver)
Unaffected: 6.12.61 , ≤ 6.12.* (semver)
Unaffected: 6.17.11 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ceph/osdmap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "57f5fbae9f1024aba17ff75e00433324115c548a",
              "status": "affected",
              "version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
              "versionType": "git"
            },
            {
              "lessThan": "becc488a4d864db338ebd4e313aa3c77da24b604",
              "status": "affected",
              "version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
              "versionType": "git"
            },
            {
              "lessThan": "e67e3be690f5f7e3b031cf29e8d91e6d02a8e30d",
              "status": "affected",
              "version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
              "versionType": "git"
            },
            {
              "lessThan": "b4368b7f97014e1015445d61abd0b27c4c6e8424",
              "status": "affected",
              "version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
              "versionType": "git"
            },
            {
              "lessThan": "ec3797f043756a94ea2d0f106022e14ac4946c02",
              "status": "affected",
              "version": "f24e9980eb860d8600cbe5ef3d2fd9295320d229",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ceph/osdmap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.34"
            },
            {
              "lessThan": "2.6.34",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.119",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.119",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.61",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.11",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: replace BUG_ON with bounds check for map-\u003emax_osd\n\nOSD indexes come from untrusted network packets. Boundary checks are\nadded to validate these against map-\u003emax_osd.\n\n[ idryomov: drop BUG_ON in ceph_get_primary_affinity(), minor cosmetic\n  edits ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:34:47.447Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/57f5fbae9f1024aba17ff75e00433324115c548a"
        },
        {
          "url": "https://git.kernel.org/stable/c/becc488a4d864db338ebd4e313aa3c77da24b604"
        },
        {
          "url": "https://git.kernel.org/stable/c/e67e3be690f5f7e3b031cf29e8d91e6d02a8e30d"
        },
        {
          "url": "https://git.kernel.org/stable/c/b4368b7f97014e1015445d61abd0b27c4c6e8424"
        },
        {
          "url": "https://git.kernel.org/stable/c/ec3797f043756a94ea2d0f106022e14ac4946c02"
        }
      ],
      "title": "libceph: replace BUG_ON with bounds check for map-\u003emax_osd",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68283",
    "datePublished": "2025-12-16T15:06:05.355Z",
    "dateReserved": "2025-12-16T14:48:05.291Z",
    "dateUpdated": "2026-01-02T15:34:47.447Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68347 (GCVE-0-2025-68347)

Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-01-11 16:29

Title

ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events

Summary

In the Linux kernel, the following vulnerability has been resolved: ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events The DSP event handling code in hwdep_read() could write more bytes to the user buffer than requested, when a user provides a buffer smaller than the event header size (8 bytes). Fix by using min_t() to clamp the copy size, This ensures we never copy more than the user requested.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/16620f06174007469…
	https://git.kernel.org/stable/c/ddd32ec66bc4eb696…
	https://git.kernel.org/stable/c/6275fd726d53a8ec7…
	https://git.kernel.org/stable/c/161291bac551821bb…
	https://git.kernel.org/stable/c/cdda0d06f8650e332…
	https://git.kernel.org/stable/c/210d77cca3d0494ed…

Impacted products

Vendor

Product

Version

Linux

Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 16620f0617400746984362c3d6ac547eeae1d35f (git)
Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < ddd32ec66bc4eb6969fe835e4cc1c0706c6348fe (git)
Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 6275fd726d53a8ec724f20201cf3bd862711e17b (git)
Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 161291bac551821bba98eb4ea84c82338578d1b0 (git)
Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < cdda0d06f8650e33255f79839f188bbece44117c (git)
Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 210d77cca3d0494ed30a5c628b20c1d95fa04fb1 (git)

Linux

Affected: 5.16
Unaffected: 0 , < 5.16 (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.63 , ≤ 6.12.* (semver)
Unaffected: 6.17.13 , ≤ 6.17.* (semver)
Unaffected: 6.18.2 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/firewire/motu/motu-hwdep.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "16620f0617400746984362c3d6ac547eeae1d35f",
              "status": "affected",
              "version": "634ec0b2906efd46f6f57977e172aa3470aca432",
              "versionType": "git"
            },
            {
              "lessThan": "ddd32ec66bc4eb6969fe835e4cc1c0706c6348fe",
              "status": "affected",
              "version": "634ec0b2906efd46f6f57977e172aa3470aca432",
              "versionType": "git"
            },
            {
              "lessThan": "6275fd726d53a8ec724f20201cf3bd862711e17b",
              "status": "affected",
              "version": "634ec0b2906efd46f6f57977e172aa3470aca432",
              "versionType": "git"
            },
            {
              "lessThan": "161291bac551821bba98eb4ea84c82338578d1b0",
              "status": "affected",
              "version": "634ec0b2906efd46f6f57977e172aa3470aca432",
              "versionType": "git"
            },
            {
              "lessThan": "cdda0d06f8650e33255f79839f188bbece44117c",
              "status": "affected",
              "version": "634ec0b2906efd46f6f57977e172aa3470aca432",
              "versionType": "git"
            },
            {
              "lessThan": "210d77cca3d0494ed30a5c628b20c1d95fa04fb1",
              "status": "affected",
              "version": "634ec0b2906efd46f6f57977e172aa3470aca432",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/firewire/motu/motu-hwdep.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.16"
            },
            {
              "lessThan": "5.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.63",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.63",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.13",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.2",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events\n\nThe DSP event handling code in hwdep_read() could write more bytes to\nthe user buffer than requested, when a user provides a buffer smaller\nthan the event header size (8 bytes).\n\nFix by using min_t() to clamp the copy size, This ensures we never copy\nmore than the user requested."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-11T16:29:52.270Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/16620f0617400746984362c3d6ac547eeae1d35f"
        },
        {
          "url": "https://git.kernel.org/stable/c/ddd32ec66bc4eb6969fe835e4cc1c0706c6348fe"
        },
        {
          "url": "https://git.kernel.org/stable/c/6275fd726d53a8ec724f20201cf3bd862711e17b"
        },
        {
          "url": "https://git.kernel.org/stable/c/161291bac551821bba98eb4ea84c82338578d1b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/cdda0d06f8650e33255f79839f188bbece44117c"
        },
        {
          "url": "https://git.kernel.org/stable/c/210d77cca3d0494ed30a5c628b20c1d95fa04fb1"
        }
      ],
      "title": "ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68347",
    "datePublished": "2025-12-24T10:32:39.804Z",
    "dateReserved": "2025-12-16T14:48:05.299Z",
    "dateUpdated": "2026-01-11T16:29:52.270Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40314 (GCVE-0-2025-40314)

Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-20 08:52

Title

usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget In the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget structure (pdev->gadget) was freed before its endpoints. The endpoints are linked via the ep_list in the gadget structure. Freeing the gadget first leaves dangling pointers in the endpoint list. When the endpoints are subsequently freed, this results in a use-after-free. Fix: By separating the usb_del_gadget_udc() operation into distinct "del" and "put" steps, cdnsp_gadget_free_endpoints() can be executed prior to the final release of the gadget structure with usb_put_gadget(). A patch similar to bb9c74a5bd14("usb: dwc3: gadget: Free gadget structure only after freeing endpoints").

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0cf9a50af91fbdac3…
	https://git.kernel.org/stable/c/37158ce6ba964b62d…
	https://git.kernel.org/stable/c/ea37884097a0931ab…
	https://git.kernel.org/stable/c/9c52f01429c377a2d…
	https://git.kernel.org/stable/c/fdf573c517627a96f…
	https://git.kernel.org/stable/c/87c5ff5615dc0a371…

Impacted products

Vendor

Product

Version

Linux

Affected: 8bc1901ca7b07d864fca11461b3875b31f949765 , < 0cf9a50af91fbdac3849f8d950e883a3eaa3ecea (git)
Affected: 8bc1901ca7b07d864fca11461b3875b31f949765 , < 37158ce6ba964b62d1e3eebd11f03c6900a52dd1 (git)
Affected: 8bc1901ca7b07d864fca11461b3875b31f949765 , < ea37884097a0931abb8e11e40eacfb25e9fdb5e9 (git)
Affected: 8bc1901ca7b07d864fca11461b3875b31f949765 , < 9c52f01429c377a2d32cafc977465f37b5384f77 (git)
Affected: 8bc1901ca7b07d864fca11461b3875b31f949765 , < fdf573c517627a96f5040f988e9b21267806be5c (git)
Affected: 8bc1901ca7b07d864fca11461b3875b31f949765 , < 87c5ff5615dc0a37167e8faf3adeeddc6f1344a3 (git)

Linux

Affected: 5.3
Unaffected: 0 , < 5.3 (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/cdns3/cdnsp-gadget.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0cf9a50af91fbdac3849f8d950e883a3eaa3ecea",
              "status": "affected",
              "version": "8bc1901ca7b07d864fca11461b3875b31f949765",
              "versionType": "git"
            },
            {
              "lessThan": "37158ce6ba964b62d1e3eebd11f03c6900a52dd1",
              "status": "affected",
              "version": "8bc1901ca7b07d864fca11461b3875b31f949765",
              "versionType": "git"
            },
            {
              "lessThan": "ea37884097a0931abb8e11e40eacfb25e9fdb5e9",
              "status": "affected",
              "version": "8bc1901ca7b07d864fca11461b3875b31f949765",
              "versionType": "git"
            },
            {
              "lessThan": "9c52f01429c377a2d32cafc977465f37b5384f77",
              "status": "affected",
              "version": "8bc1901ca7b07d864fca11461b3875b31f949765",
              "versionType": "git"
            },
            {
              "lessThan": "fdf573c517627a96f5040f988e9b21267806be5c",
              "status": "affected",
              "version": "8bc1901ca7b07d864fca11461b3875b31f949765",
              "versionType": "git"
            },
            {
              "lessThan": "87c5ff5615dc0a37167e8faf3adeeddc6f1344a3",
              "status": "affected",
              "version": "8bc1901ca7b07d864fca11461b3875b31f949765",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/cdns3/cdnsp-gadget.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.3"
            },
            {
              "lessThan": "5.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget\n\nIn the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget\nstructure (pdev-\u003egadget) was freed before its endpoints.\nThe endpoints are linked via the ep_list in the gadget structure.\nFreeing the gadget first leaves dangling pointers in the endpoint list.\nWhen the endpoints are subsequently freed, this results in a use-after-free.\n\nFix:\nBy separating the usb_del_gadget_udc() operation into distinct \"del\" and\n\"put\" steps, cdnsp_gadget_free_endpoints() can be executed prior to the\nfinal release of the gadget structure with usb_put_gadget().\n\nA patch similar to bb9c74a5bd14(\"usb: dwc3: gadget: Free gadget structure\n only after freeing endpoints\")."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-20T08:52:04.254Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0cf9a50af91fbdac3849f8d950e883a3eaa3ecea"
        },
        {
          "url": "https://git.kernel.org/stable/c/37158ce6ba964b62d1e3eebd11f03c6900a52dd1"
        },
        {
          "url": "https://git.kernel.org/stable/c/ea37884097a0931abb8e11e40eacfb25e9fdb5e9"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c52f01429c377a2d32cafc977465f37b5384f77"
        },
        {
          "url": "https://git.kernel.org/stable/c/fdf573c517627a96f5040f988e9b21267806be5c"
        },
        {
          "url": "https://git.kernel.org/stable/c/87c5ff5615dc0a37167e8faf3adeeddc6f1344a3"
        }
      ],
      "title": "usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40314",
    "datePublished": "2025-12-08T00:46:40.576Z",
    "dateReserved": "2025-04-16T07:20:57.185Z",
    "dateUpdated": "2025-12-20T08:52:04.254Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40130 (GCVE-0-2025-40130)

Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18

Title

scsi: ufs: core: Fix data race in CPU latency PM QoS request handling

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix data race in CPU latency PM QoS request handling The cpu_latency_qos_add/remove/update_request interfaces lack internal synchronization by design, requiring the caller to ensure thread safety. The current implementation relies on the 'pm_qos_enabled' flag, which is insufficient to prevent concurrent access and cannot serve as a proper synchronization mechanism. This has led to data races and list corruption issues. A typical race condition call trace is: [Thread A] ufshcd_pm_qos_exit() --> cpu_latency_qos_remove_request() --> cpu_latency_qos_apply(); --> pm_qos_update_target() --> plist_del <--(1) delete plist node --> memset(req, 0, sizeof(*req)); --> hba->pm_qos_enabled = false; [Thread B] ufshcd_devfreq_target --> ufshcd_devfreq_scale --> ufshcd_scale_clks --> ufshcd_pm_qos_update <--(2) pm_qos_enabled is true --> cpu_latency_qos_update_request --> pm_qos_update_target --> plist_del <--(3) plist node use-after-free Introduces a dedicated mutex to serialize PM QoS operations, preventing data races and ensuring safe access to PM QoS resources, including sysfs interface reads.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d9df61afb8d23c475…
	https://git.kernel.org/stable/c/79dde5f7dc7c038ee…

Impacted products

Vendor

Product

Version

Linux

Affected: 2777e73fc154e2e87233bdcc0e2402b33815198e , < d9df61afb8d23c475f1be3c714da2c34c156ab01 (git)
Affected: 2777e73fc154e2e87233bdcc0e2402b33815198e , < 79dde5f7dc7c038eec903745dc1550cd4139980e (git)

Linux

Affected: 6.9
Unaffected: 0 , < 6.9 (semver)
Unaffected: 6.17.3 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/ufs/core/ufs-sysfs.c",
            "drivers/ufs/core/ufshcd.c",
            "include/ufs/ufshcd.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d9df61afb8d23c475f1be3c714da2c34c156ab01",
              "status": "affected",
              "version": "2777e73fc154e2e87233bdcc0e2402b33815198e",
              "versionType": "git"
            },
            {
              "lessThan": "79dde5f7dc7c038eec903745dc1550cd4139980e",
              "status": "affected",
              "version": "2777e73fc154e2e87233bdcc0e2402b33815198e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/ufs/core/ufs-sysfs.c",
            "drivers/ufs/core/ufshcd.c",
            "include/ufs/ufshcd.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.3",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix data race in CPU latency PM QoS request handling\n\nThe cpu_latency_qos_add/remove/update_request interfaces lack internal\nsynchronization by design, requiring the caller to ensure thread safety.\nThe current implementation relies on the \u0027pm_qos_enabled\u0027 flag, which is\ninsufficient to prevent concurrent access and cannot serve as a proper\nsynchronization mechanism. This has led to data races and list\ncorruption issues.\n\nA typical race condition call trace is:\n\n[Thread A]\nufshcd_pm_qos_exit()\n  --\u003e cpu_latency_qos_remove_request()\n    --\u003e cpu_latency_qos_apply();\n      --\u003e pm_qos_update_target()\n        --\u003e plist_del              \u003c--(1) delete plist node\n    --\u003e memset(req, 0, sizeof(*req));\n  --\u003e hba-\u003epm_qos_enabled = false;\n\n[Thread B]\nufshcd_devfreq_target\n  --\u003e ufshcd_devfreq_scale\n    --\u003e ufshcd_scale_clks\n      --\u003e ufshcd_pm_qos_update     \u003c--(2) pm_qos_enabled is true\n        --\u003e cpu_latency_qos_update_request\n          --\u003e pm_qos_update_target\n            --\u003e plist_del          \u003c--(3) plist node use-after-free\n\nIntroduces a dedicated mutex to serialize PM QoS operations, preventing\ndata races and ensuring safe access to PM QoS resources, including sysfs\ninterface reads."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-01T06:18:35.909Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d9df61afb8d23c475f1be3c714da2c34c156ab01"
        },
        {
          "url": "https://git.kernel.org/stable/c/79dde5f7dc7c038eec903745dc1550cd4139980e"
        }
      ],
      "title": "scsi: ufs: core: Fix data race in CPU latency PM QoS request handling",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40130",
    "datePublished": "2025-11-12T10:23:21.605Z",
    "dateReserved": "2025-04-16T07:20:57.170Z",
    "dateUpdated": "2025-12-01T06:18:35.909Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-49291 (GCVE-0-2022-49291)

Vulnerability from cvelistv5 – Published: 2025-02-26 01:56 – Updated: 2025-12-23 13:23

Title

ALSA: pcm: Fix races among concurrent hw_params and hw_free calls

Summary

In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Fix races among concurrent hw_params and hw_free calls Currently we have neither proper check nor protection against the concurrent calls of PCM hw_params and hw_free ioctls, which may result in a UAF. Since the existing PCM stream lock can't be used for protecting the whole ioctl operations, we need a new mutex to protect those racy calls. This patch introduced a new mutex, runtime->buffer_mutex, and applies it to both hw_params and hw_free ioctl code paths. Along with it, the both functions are slightly modified (the mmap_count check is moved into the state-check block) for code simplicity.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a42aa926843acca96…
	https://git.kernel.org/stable/c/9cb6c40a6ebe4a0cf…
	https://git.kernel.org/stable/c/fbeb492694ce04410…
	https://git.kernel.org/stable/c/0f6947f5f5208f6eb…
	https://git.kernel.org/stable/c/33061d0fba51d2bf7…
	https://git.kernel.org/stable/c/0090c13cbbdffd7da…
	https://git.kernel.org/stable/c/1bbf82d9f961414d6…
	https://git.kernel.org/stable/c/92ee3c60ec9fe6440…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a42aa926843acca96c0dfbde2e835b8137f2f092 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9cb6c40a6ebe4a0cfc9d6a181958211682cffea9 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fbeb492694ce0441053de57699e1e2b7bc148a69 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0f6947f5f5208f6ebd4d76a82a4757e2839a23f8 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 33061d0fba51d2bf70a2ef9645f703c33fe8e438 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0090c13cbbdffd7da079ac56f80373a9a1be0bf8 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1bbf82d9f961414d6c76a08f7f843ea068e0ab7b (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 92ee3c60ec9fe64404dc035e7c41277d74aa26cb (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 4.14.279 , ≤ 4.14.* (semver)
Unaffected: 4.19.243 , ≤ 4.19.* (semver)
Unaffected: 5.4.193 , ≤ 5.4.* (semver)
Unaffected: 5.10.109 , ≤ 5.10.* (semver)
Unaffected: 5.15.32 , ≤ 5.15.* (semver)
Unaffected: 5.16.18 , ≤ 5.16.* (semver)
Unaffected: 5.17.1 , ≤ 5.17.* (semver)
Unaffected: 5.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-49291",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T17:58:45.856077Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:02:29.053Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/sound/pcm.h",
            "sound/core/pcm.c",
            "sound/core/pcm_native.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a42aa926843acca96c0dfbde2e835b8137f2f092",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9cb6c40a6ebe4a0cfc9d6a181958211682cffea9",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "fbeb492694ce0441053de57699e1e2b7bc148a69",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0f6947f5f5208f6ebd4d76a82a4757e2839a23f8",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "33061d0fba51d2bf70a2ef9645f703c33fe8e438",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0090c13cbbdffd7da079ac56f80373a9a1be0bf8",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1bbf82d9f961414d6c76a08f7f843ea068e0ab7b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "92ee3c60ec9fe64404dc035e7c41277d74aa26cb",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/sound/pcm.h",
            "sound/core/pcm.c",
            "sound/core/pcm_native.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.279",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.243",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.193",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.109",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.16.*",
              "status": "unaffected",
              "version": "5.16.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.17.*",
              "status": "unaffected",
              "version": "5.17.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.279",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.243",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.193",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.109",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.32",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.16.18",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.17.1",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: pcm: Fix races among concurrent hw_params and hw_free calls\n\nCurrently we have neither proper check nor protection against the\nconcurrent calls of PCM hw_params and hw_free ioctls, which may result\nin a UAF.  Since the existing PCM stream lock can\u0027t be used for\nprotecting the whole ioctl operations, we need a new mutex to protect\nthose racy calls.\n\nThis patch introduced a new mutex, runtime-\u003ebuffer_mutex, and applies\nit to both hw_params and hw_free ioctl code paths.  Along with it, the\nboth functions are slightly modified (the mmap_count check is moved\ninto the state-check block) for code simplicity."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-23T13:23:05.506Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a42aa926843acca96c0dfbde2e835b8137f2f092"
        },
        {
          "url": "https://git.kernel.org/stable/c/9cb6c40a6ebe4a0cfc9d6a181958211682cffea9"
        },
        {
          "url": "https://git.kernel.org/stable/c/fbeb492694ce0441053de57699e1e2b7bc148a69"
        },
        {
          "url": "https://git.kernel.org/stable/c/0f6947f5f5208f6ebd4d76a82a4757e2839a23f8"
        },
        {
          "url": "https://git.kernel.org/stable/c/33061d0fba51d2bf70a2ef9645f703c33fe8e438"
        },
        {
          "url": "https://git.kernel.org/stable/c/0090c13cbbdffd7da079ac56f80373a9a1be0bf8"
        },
        {
          "url": "https://git.kernel.org/stable/c/1bbf82d9f961414d6c76a08f7f843ea068e0ab7b"
        },
        {
          "url": "https://git.kernel.org/stable/c/92ee3c60ec9fe64404dc035e7c41277d74aa26cb"
        }
      ],
      "title": "ALSA: pcm: Fix races among concurrent hw_params and hw_free calls",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49291",
    "datePublished": "2025-02-26T01:56:27.986Z",
    "dateReserved": "2025-02-26T01:49:39.302Z",
    "dateUpdated": "2025-12-23T13:23:05.506Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40220 (GCVE-0-2025-40220)

Vulnerability from cvelistv5 – Published: 2025-12-04 14:50 – Updated: 2025-12-04 14:50

Title

fuse: fix livelock in synchronous file put from fuseblk workers

Summary

In the Linux kernel, the following vulnerability has been resolved: fuse: fix livelock in synchronous file put from fuseblk workers I observed a hang when running generic/323 against a fuseblk server. This test opens a file, initiates a lot of AIO writes to that file descriptor, and closes the file descriptor before the writes complete. Unsurprisingly, the AIO exerciser threads are mostly stuck waiting for responses from the fuseblk server: # cat /proc/372265/task/372313/stack [<0>] request_wait_answer+0x1fe/0x2a0 [fuse] [<0>] __fuse_simple_request+0xd3/0x2b0 [fuse] [<0>] fuse_do_getattr+0xfc/0x1f0 [fuse] [<0>] fuse_file_read_iter+0xbe/0x1c0 [fuse] [<0>] aio_read+0x130/0x1e0 [<0>] io_submit_one+0x542/0x860 [<0>] __x64_sys_io_submit+0x98/0x1a0 [<0>] do_syscall_64+0x37/0xf0 [<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53 But the /weird/ part is that the fuseblk server threads are waiting for responses from itself: # cat /proc/372210/task/372232/stack [<0>] request_wait_answer+0x1fe/0x2a0 [fuse] [<0>] __fuse_simple_request+0xd3/0x2b0 [fuse] [<0>] fuse_file_put+0x9a/0xd0 [fuse] [<0>] fuse_release+0x36/0x50 [fuse] [<0>] __fput+0xec/0x2b0 [<0>] task_work_run+0x55/0x90 [<0>] syscall_exit_to_user_mode+0xe9/0x100 [<0>] do_syscall_64+0x43/0xf0 [<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53 The fuseblk server is fuse2fs so there's nothing all that exciting in the server itself. So why is the fuse server calling fuse_file_put? The commit message for the fstest sheds some light on that: "By closing the file descriptor before calling io_destroy, you pretty much guarantee that the last put on the ioctx will be done in interrupt context (during I/O completion). Aha. AIO fgets a new struct file from the fd when it queues the ioctx. The completion of the FUSE_WRITE command from userspace causes the fuse server to call the AIO completion function. The completion puts the struct file, queuing a delayed fput to the fuse server task. When the fuse server task returns to userspace, it has to run the delayed fput, which in the case of a fuseblk server, it does synchronously. Sending the FUSE_RELEASE command sychronously from fuse server threads is a bad idea because a client program can initiate enough simultaneous AIOs such that all the fuse server threads end up in delayed_fput, and now there aren't any threads left to handle the queued fuse commands. Fix this by only using asynchronous fputs when closing files, and leave a comment explaining why.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/548e1f2bac1d4df91…
	https://git.kernel.org/stable/c/cfd1aa3e2b71f3327…
	https://git.kernel.org/stable/c/83b375c6efef69b10…
	https://git.kernel.org/stable/c/bfd17b6138df0122a…
	https://git.kernel.org/stable/c/b26923512dbe57ae4…
	https://git.kernel.org/stable/c/f19a1390af448d9e1…
	https://git.kernel.org/stable/c/26e5c67deb2e1f42a…

Impacted products

Vendor

Product

Version

Linux

Affected: 5a18ec176c934ca1bc9dc61580a5e0e90a9b5733 , < 548e1f2bac1d4df91a6138f26bb4ab00323fd948 (git)
Affected: 5a18ec176c934ca1bc9dc61580a5e0e90a9b5733 , < cfd1aa3e2b71f3327cb373c45a897c9028c62b35 (git)
Affected: 5a18ec176c934ca1bc9dc61580a5e0e90a9b5733 , < 83b375c6efef69b1066ad2d79601221e7892745a (git)
Affected: 5a18ec176c934ca1bc9dc61580a5e0e90a9b5733 , < bfd17b6138df0122a95989457d8e18ce0b86165e (git)
Affected: 5a18ec176c934ca1bc9dc61580a5e0e90a9b5733 , < b26923512dbe57ae4917bafd31396d22a9d1691a (git)
Affected: 5a18ec176c934ca1bc9dc61580a5e0e90a9b5733 , < f19a1390af448d9e193c08e28ea5f727bf3c3049 (git)
Affected: 5a18ec176c934ca1bc9dc61580a5e0e90a9b5733 , < 26e5c67deb2e1f42a951f022fdf5b9f7eb747b01 (git)
Affected: 9efe56738fecd591b5bf366a325440f9b457ebd6 (git)
Affected: 5c46eb076e0a1b2c1769287cd6942e4594ade1b1 (git)
Affected: 83e6726210d6c815ce044437106c738eda5ff6f6 (git)
Affected: 23d154c71721fd0fa6199851078f32e6bd765664 (git)
Affected: ca3edc920f5fd7d8ac040caaf109f925c24620a0 (git)

Linux

Affected: 2.6.38
Unaffected: 0 , < 2.6.38 (semver)
Unaffected: 5.10.246 , ≤ 5.10.* (semver)
Unaffected: 5.15.196 , ≤ 5.15.* (semver)
Unaffected: 6.1.158 , ≤ 6.1.* (semver)
Unaffected: 6.6.115 , ≤ 6.6.* (semver)
Unaffected: 6.12.54 , ≤ 6.12.* (semver)
Unaffected: 6.17.4 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/fuse/file.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "548e1f2bac1d4df91a6138f26bb4ab00323fd948",
              "status": "affected",
              "version": "5a18ec176c934ca1bc9dc61580a5e0e90a9b5733",
              "versionType": "git"
            },
            {
              "lessThan": "cfd1aa3e2b71f3327cb373c45a897c9028c62b35",
              "status": "affected",
              "version": "5a18ec176c934ca1bc9dc61580a5e0e90a9b5733",
              "versionType": "git"
            },
            {
              "lessThan": "83b375c6efef69b1066ad2d79601221e7892745a",
              "status": "affected",
              "version": "5a18ec176c934ca1bc9dc61580a5e0e90a9b5733",
              "versionType": "git"
            },
            {
              "lessThan": "bfd17b6138df0122a95989457d8e18ce0b86165e",
              "status": "affected",
              "version": "5a18ec176c934ca1bc9dc61580a5e0e90a9b5733",
              "versionType": "git"
            },
            {
              "lessThan": "b26923512dbe57ae4917bafd31396d22a9d1691a",
              "status": "affected",
              "version": "5a18ec176c934ca1bc9dc61580a5e0e90a9b5733",
              "versionType": "git"
            },
            {
              "lessThan": "f19a1390af448d9e193c08e28ea5f727bf3c3049",
              "status": "affected",
              "version": "5a18ec176c934ca1bc9dc61580a5e0e90a9b5733",
              "versionType": "git"
            },
            {
              "lessThan": "26e5c67deb2e1f42a951f022fdf5b9f7eb747b01",
              "status": "affected",
              "version": "5a18ec176c934ca1bc9dc61580a5e0e90a9b5733",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "9efe56738fecd591b5bf366a325440f9b457ebd6",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "5c46eb076e0a1b2c1769287cd6942e4594ade1b1",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "83e6726210d6c815ce044437106c738eda5ff6f6",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "23d154c71721fd0fa6199851078f32e6bd765664",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "ca3edc920f5fd7d8ac040caaf109f925c24620a0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/fuse/file.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.38"
            },
            {
              "lessThan": "2.6.38",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.246",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.196",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.158",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.115",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.54",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.246",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.196",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.158",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.115",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.54",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.4",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "2.6.32.32",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "2.6.33.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "2.6.34.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "2.6.35.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "2.6.37.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: fix livelock in synchronous file put from fuseblk workers\n\nI observed a hang when running generic/323 against a fuseblk server.\nThis test opens a file, initiates a lot of AIO writes to that file\ndescriptor, and closes the file descriptor before the writes complete.\nUnsurprisingly, the AIO exerciser threads are mostly stuck waiting for\nresponses from the fuseblk server:\n\n# cat /proc/372265/task/372313/stack\n[\u003c0\u003e] request_wait_answer+0x1fe/0x2a0 [fuse]\n[\u003c0\u003e] __fuse_simple_request+0xd3/0x2b0 [fuse]\n[\u003c0\u003e] fuse_do_getattr+0xfc/0x1f0 [fuse]\n[\u003c0\u003e] fuse_file_read_iter+0xbe/0x1c0 [fuse]\n[\u003c0\u003e] aio_read+0x130/0x1e0\n[\u003c0\u003e] io_submit_one+0x542/0x860\n[\u003c0\u003e] __x64_sys_io_submit+0x98/0x1a0\n[\u003c0\u003e] do_syscall_64+0x37/0xf0\n[\u003c0\u003e] entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nBut the /weird/ part is that the fuseblk server threads are waiting for\nresponses from itself:\n\n# cat /proc/372210/task/372232/stack\n[\u003c0\u003e] request_wait_answer+0x1fe/0x2a0 [fuse]\n[\u003c0\u003e] __fuse_simple_request+0xd3/0x2b0 [fuse]\n[\u003c0\u003e] fuse_file_put+0x9a/0xd0 [fuse]\n[\u003c0\u003e] fuse_release+0x36/0x50 [fuse]\n[\u003c0\u003e] __fput+0xec/0x2b0\n[\u003c0\u003e] task_work_run+0x55/0x90\n[\u003c0\u003e] syscall_exit_to_user_mode+0xe9/0x100\n[\u003c0\u003e] do_syscall_64+0x43/0xf0\n[\u003c0\u003e] entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nThe fuseblk server is fuse2fs so there\u0027s nothing all that exciting in\nthe server itself.  So why is the fuse server calling fuse_file_put?\nThe commit message for the fstest sheds some light on that:\n\n\"By closing the file descriptor before calling io_destroy, you pretty\nmuch guarantee that the last put on the ioctx will be done in interrupt\ncontext (during I/O completion).\n\nAha.  AIO fgets a new struct file from the fd when it queues the ioctx.\nThe completion of the FUSE_WRITE command from userspace causes the fuse\nserver to call the AIO completion function.  The completion puts the\nstruct file, queuing a delayed fput to the fuse server task.  When the\nfuse server task returns to userspace, it has to run the delayed fput,\nwhich in the case of a fuseblk server, it does synchronously.\n\nSending the FUSE_RELEASE command sychronously from fuse server threads\nis a bad idea because a client program can initiate enough simultaneous\nAIOs such that all the fuse server threads end up in delayed_fput, and\nnow there aren\u0027t any threads left to handle the queued fuse commands.\n\nFix this by only using asynchronous fputs when closing files, and leave\na comment explaining why."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-04T14:50:44.108Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/548e1f2bac1d4df91a6138f26bb4ab00323fd948"
        },
        {
          "url": "https://git.kernel.org/stable/c/cfd1aa3e2b71f3327cb373c45a897c9028c62b35"
        },
        {
          "url": "https://git.kernel.org/stable/c/83b375c6efef69b1066ad2d79601221e7892745a"
        },
        {
          "url": "https://git.kernel.org/stable/c/bfd17b6138df0122a95989457d8e18ce0b86165e"
        },
        {
          "url": "https://git.kernel.org/stable/c/b26923512dbe57ae4917bafd31396d22a9d1691a"
        },
        {
          "url": "https://git.kernel.org/stable/c/f19a1390af448d9e193c08e28ea5f727bf3c3049"
        },
        {
          "url": "https://git.kernel.org/stable/c/26e5c67deb2e1f42a951f022fdf5b9f7eb747b01"
        }
      ],
      "title": "fuse: fix livelock in synchronous file put from fuseblk workers",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40220",
    "datePublished": "2025-12-04T14:50:44.108Z",
    "dateReserved": "2025-04-16T07:20:57.180Z",
    "dateUpdated": "2025-12-04T14:50:44.108Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40123 (GCVE-0-2025-40123)

Vulnerability from cvelistv5 – Published: 2025-11-12 10:23 – Updated: 2025-12-01 06:18

Title

bpf: Enforce expected_attach_type for tailcall compatibility

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf: Enforce expected_attach_type for tailcall compatibility Yinhao et al. recently reported: Our fuzzer tool discovered an uninitialized pointer issue in the bpf_prog_test_run_xdp() function within the Linux kernel's BPF subsystem. This leads to a NULL pointer dereference when a BPF program attempts to deference the txq member of struct xdp_buff object. The test initializes two programs of BPF_PROG_TYPE_XDP: progA acts as the entry point for bpf_prog_test_run_xdp() and its expected_attach_type can neither be of be BPF_XDP_DEVMAP nor BPF_XDP_CPUMAP. progA calls into a slot of a tailcall map it owns. progB's expected_attach_type must be BPF_XDP_DEVMAP to pass xdp_is_valid_access() validation. The program returns struct xdp_md's egress_ifindex, and the latter is only allowed to be accessed under mentioned expected_attach_type. progB is then inserted into the tailcall which progA calls. The underlying issue goes beyond XDP though. Another example are programs of type BPF_PROG_TYPE_CGROUP_SOCK_ADDR. sock_addr_is_valid_access() as well as sock_addr_func_proto() have different logic depending on the programs' expected_attach_type. Similarly, a program attached to BPF_CGROUP_INET4_GETPEERNAME should not be allowed doing a tailcall into a program which calls bpf_bind() out of BPF which is only enabled for BPF_CGROUP_INET4_CONNECT. In short, specifying expected_attach_type allows to open up additional functionality or restrictions beyond what the basic bpf_prog_type enables. The use of tailcalls must not violate these constraints. Fix it by enforcing expected_attach_type in __bpf_prog_map_compatible(). Note that we only enforce this for tailcall maps, but not for BPF devmaps or cpumaps: There, the programs are invoked through dev_map_bpf_prog_run*() and cpu_map_bpf_prog_run*() which set up a new environment / context and therefore these situations are not prone to this issue.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a99de19128aec0913…
	https://git.kernel.org/stable/c/08cb3dc9d2b44f153…
	https://git.kernel.org/stable/c/f856c598080ba7ce1…
	https://git.kernel.org/stable/c/c1ad19b5d8e231235…
	https://git.kernel.org/stable/c/4540aed51b12bc133…

Impacted products

Vendor

Product

Version

Linux

Affected: 5e43f899b03a3492ce5fc44e8900becb04dae9c0 , < a99de19128aec0913f3d529f529fbbff5edfaff8 (git)
Affected: 5e43f899b03a3492ce5fc44e8900becb04dae9c0 , < 08cb3dc9d2b44f153d0bcf2cb966e4a94b5d0f32 (git)
Affected: 5e43f899b03a3492ce5fc44e8900becb04dae9c0 , < f856c598080ba7ce1252867b8ecd6ad5bdaf9a6a (git)
Affected: 5e43f899b03a3492ce5fc44e8900becb04dae9c0 , < c1ad19b5d8e23123503dcaf2d4342e1b90b923ad (git)
Affected: 5e43f899b03a3492ce5fc44e8900becb04dae9c0 , < 4540aed51b12bc13364149bf95f6ecef013197c0 (git)

Linux

Affected: 4.17
Unaffected: 0 , < 4.17 (semver)
Unaffected: 6.1.156 , ≤ 6.1.* (semver)
Unaffected: 6.6.112 , ≤ 6.6.* (semver)
Unaffected: 6.12.53 , ≤ 6.12.* (semver)
Unaffected: 6.17.3 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/bpf.h",
            "kernel/bpf/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a99de19128aec0913f3d529f529fbbff5edfaff8",
              "status": "affected",
              "version": "5e43f899b03a3492ce5fc44e8900becb04dae9c0",
              "versionType": "git"
            },
            {
              "lessThan": "08cb3dc9d2b44f153d0bcf2cb966e4a94b5d0f32",
              "status": "affected",
              "version": "5e43f899b03a3492ce5fc44e8900becb04dae9c0",
              "versionType": "git"
            },
            {
              "lessThan": "f856c598080ba7ce1252867b8ecd6ad5bdaf9a6a",
              "status": "affected",
              "version": "5e43f899b03a3492ce5fc44e8900becb04dae9c0",
              "versionType": "git"
            },
            {
              "lessThan": "c1ad19b5d8e23123503dcaf2d4342e1b90b923ad",
              "status": "affected",
              "version": "5e43f899b03a3492ce5fc44e8900becb04dae9c0",
              "versionType": "git"
            },
            {
              "lessThan": "4540aed51b12bc13364149bf95f6ecef013197c0",
              "status": "affected",
              "version": "5e43f899b03a3492ce5fc44e8900becb04dae9c0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/bpf.h",
            "kernel/bpf/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.17"
            },
            {
              "lessThan": "4.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.156",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.112",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.53",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.156",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.112",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.53",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.3",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Enforce expected_attach_type for tailcall compatibility\n\nYinhao et al. recently reported:\n\n  Our fuzzer tool discovered an uninitialized pointer issue in the\n  bpf_prog_test_run_xdp() function within the Linux kernel\u0027s BPF subsystem.\n  This leads to a NULL pointer dereference when a BPF program attempts to\n  deference the txq member of struct xdp_buff object.\n\nThe test initializes two programs of BPF_PROG_TYPE_XDP: progA acts as the\nentry point for bpf_prog_test_run_xdp() and its expected_attach_type can\nneither be of be BPF_XDP_DEVMAP nor BPF_XDP_CPUMAP. progA calls into a slot\nof a tailcall map it owns. progB\u0027s expected_attach_type must be BPF_XDP_DEVMAP\nto pass xdp_is_valid_access() validation. The program returns struct xdp_md\u0027s\negress_ifindex, and the latter is only allowed to be accessed under mentioned\nexpected_attach_type. progB is then inserted into the tailcall which progA\ncalls.\n\nThe underlying issue goes beyond XDP though. Another example are programs\nof type BPF_PROG_TYPE_CGROUP_SOCK_ADDR. sock_addr_is_valid_access() as well\nas sock_addr_func_proto() have different logic depending on the programs\u0027\nexpected_attach_type. Similarly, a program attached to BPF_CGROUP_INET4_GETPEERNAME\nshould not be allowed doing a tailcall into a program which calls bpf_bind()\nout of BPF which is only enabled for BPF_CGROUP_INET4_CONNECT.\n\nIn short, specifying expected_attach_type allows to open up additional\nfunctionality or restrictions beyond what the basic bpf_prog_type enables.\nThe use of tailcalls must not violate these constraints. Fix it by enforcing\nexpected_attach_type in __bpf_prog_map_compatible().\n\nNote that we only enforce this for tailcall maps, but not for BPF devmaps or\ncpumaps: There, the programs are invoked through dev_map_bpf_prog_run*() and\ncpu_map_bpf_prog_run*() which set up a new environment / context and therefore\nthese situations are not prone to this issue."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-01T06:18:28.394Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a99de19128aec0913f3d529f529fbbff5edfaff8"
        },
        {
          "url": "https://git.kernel.org/stable/c/08cb3dc9d2b44f153d0bcf2cb966e4a94b5d0f32"
        },
        {
          "url": "https://git.kernel.org/stable/c/f856c598080ba7ce1252867b8ecd6ad5bdaf9a6a"
        },
        {
          "url": "https://git.kernel.org/stable/c/c1ad19b5d8e23123503dcaf2d4342e1b90b923ad"
        },
        {
          "url": "https://git.kernel.org/stable/c/4540aed51b12bc13364149bf95f6ecef013197c0"
        }
      ],
      "title": "bpf: Enforce expected_attach_type for tailcall compatibility",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40123",
    "datePublished": "2025-11-12T10:23:19.589Z",
    "dateReserved": "2025-04-16T07:20:57.169Z",
    "dateUpdated": "2025-12-01T06:18:28.394Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40315 (GCVE-0-2025-40315)

Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-01-02 15:33

Title

usb: gadget: f_fs: Fix epfile null pointer access after ep enable.

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Fix epfile null pointer access after ep enable. A race condition occurs when ffs_func_eps_enable() runs concurrently with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset() sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading to a NULL pointer dereference when accessing epfile->ep in ffs_func_eps_enable() after successful usb_ep_enable(). The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and ffs_data_close() functions, and its modification is protected by the spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function is also protected by ffs->eps_lock. Thus, add NULL pointer handling for ffs->epfiles in the ffs_func_eps_enable() function to fix issues

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b00d2572c16e8e59e…
	https://git.kernel.org/stable/c/1c0dbd240be3f87ca…
	https://git.kernel.org/stable/c/9ec40fba7357df2d3…
	https://git.kernel.org/stable/c/c53e90563bc148e4e…
	https://git.kernel.org/stable/c/fc1141a530dfc91f0…
	https://git.kernel.org/stable/c/d62b808d5c68a931a…
	https://git.kernel.org/stable/c/30880e9df27332403…
	https://git.kernel.org/stable/c/cfd6f1a7b42f62523…

Impacted products

Vendor

Product

Version

Linux

Affected: c9fc422c9a43e3d58d246334a71f3390401781dc , < b00d2572c16e8e59e979960d3383c2ae9cebd195 (git)
Affected: 0042178a69eb77a979e36a50dcce9794a3140ef8 , < 1c0dbd240be3f87cac321b14e17979b7e9cb6a8f (git)
Affected: 72a8aee863af099d4434314c4536d6c9a61dcf3c , < 9ec40fba7357df2d36f4c2e2f3b9b1a4fba0a272 (git)
Affected: ebe2b1add1055b903e2acd86b290a85297edc0b3 , < c53e90563bc148e4e0ad09fe130ba2246d426ea6 (git)
Affected: ebe2b1add1055b903e2acd86b290a85297edc0b3 , < fc1141a530dfc91f0ee19b7f422a2d24829584bc (git)
Affected: ebe2b1add1055b903e2acd86b290a85297edc0b3 , < d62b808d5c68a931ad0849a00a5e3be3dd7e0019 (git)
Affected: ebe2b1add1055b903e2acd86b290a85297edc0b3 , < 30880e9df27332403dd638a82c27921134b3630b (git)
Affected: ebe2b1add1055b903e2acd86b290a85297edc0b3 , < cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4 (git)
Affected: 32048f4be071f9a6966744243f1786f45bb22dc2 (git)
Affected: cfe5f6fd335d882bcc829a1c8a7d462a455c626e (git)
Affected: 3e078b18753669615301d946297bafd69294ad2c (git)

Linux

Affected: 5.17
Unaffected: 0 , < 5.17 (semver)
Unaffected: 5.4.302 , ≤ 5.4.* (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/f_fs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b00d2572c16e8e59e979960d3383c2ae9cebd195",
              "status": "affected",
              "version": "c9fc422c9a43e3d58d246334a71f3390401781dc",
              "versionType": "git"
            },
            {
              "lessThan": "1c0dbd240be3f87cac321b14e17979b7e9cb6a8f",
              "status": "affected",
              "version": "0042178a69eb77a979e36a50dcce9794a3140ef8",
              "versionType": "git"
            },
            {
              "lessThan": "9ec40fba7357df2d36f4c2e2f3b9b1a4fba0a272",
              "status": "affected",
              "version": "72a8aee863af099d4434314c4536d6c9a61dcf3c",
              "versionType": "git"
            },
            {
              "lessThan": "c53e90563bc148e4e0ad09fe130ba2246d426ea6",
              "status": "affected",
              "version": "ebe2b1add1055b903e2acd86b290a85297edc0b3",
              "versionType": "git"
            },
            {
              "lessThan": "fc1141a530dfc91f0ee19b7f422a2d24829584bc",
              "status": "affected",
              "version": "ebe2b1add1055b903e2acd86b290a85297edc0b3",
              "versionType": "git"
            },
            {
              "lessThan": "d62b808d5c68a931ad0849a00a5e3be3dd7e0019",
              "status": "affected",
              "version": "ebe2b1add1055b903e2acd86b290a85297edc0b3",
              "versionType": "git"
            },
            {
              "lessThan": "30880e9df27332403dd638a82c27921134b3630b",
              "status": "affected",
              "version": "ebe2b1add1055b903e2acd86b290a85297edc0b3",
              "versionType": "git"
            },
            {
              "lessThan": "cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4",
              "status": "affected",
              "version": "ebe2b1add1055b903e2acd86b290a85297edc0b3",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "32048f4be071f9a6966744243f1786f45bb22dc2",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "cfe5f6fd335d882bcc829a1c8a7d462a455c626e",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3e078b18753669615301d946297bafd69294ad2c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/f_fs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.17"
            },
            {
              "lessThan": "5.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.302",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.302",
                  "versionStartIncluding": "5.4.180",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "5.10.101",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "5.15.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.267",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.230",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.16.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_fs: Fix epfile null pointer access after ep enable.\n\nA race condition occurs when ffs_func_eps_enable() runs concurrently\nwith ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset()\nsets ffs-\u003eepfiles to NULL before resetting ffs-\u003eeps_count to 0, leading\nto a NULL pointer dereference when accessing epfile-\u003eep in\nffs_func_eps_enable() after successful usb_ep_enable().\n\nThe ffs-\u003eepfiles pointer is set to NULL in both ffs_data_clear() and\nffs_data_close() functions, and its modification is protected by the\nspinlock ffs-\u003eeps_lock. And the whole ffs_func_eps_enable() function\nis also protected by ffs-\u003eeps_lock.\n\nThus, add NULL pointer handling for ffs-\u003eepfiles in the\nffs_func_eps_enable() function to fix issues"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:33:33.404Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b00d2572c16e8e59e979960d3383c2ae9cebd195"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c0dbd240be3f87cac321b14e17979b7e9cb6a8f"
        },
        {
          "url": "https://git.kernel.org/stable/c/9ec40fba7357df2d36f4c2e2f3b9b1a4fba0a272"
        },
        {
          "url": "https://git.kernel.org/stable/c/c53e90563bc148e4e0ad09fe130ba2246d426ea6"
        },
        {
          "url": "https://git.kernel.org/stable/c/fc1141a530dfc91f0ee19b7f422a2d24829584bc"
        },
        {
          "url": "https://git.kernel.org/stable/c/d62b808d5c68a931ad0849a00a5e3be3dd7e0019"
        },
        {
          "url": "https://git.kernel.org/stable/c/30880e9df27332403dd638a82c27921134b3630b"
        },
        {
          "url": "https://git.kernel.org/stable/c/cfd6f1a7b42f62523c96d9703ef32b0dbc495ba4"
        }
      ],
      "title": "usb: gadget: f_fs: Fix epfile null pointer access after ep enable.",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40315",
    "datePublished": "2025-12-08T00:46:41.896Z",
    "dateReserved": "2025-04-16T07:20:57.186Z",
    "dateUpdated": "2026-01-02T15:33:33.404Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40317 (GCVE-0-2025-40317)

Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46

Title

regmap: slimbus: fix bus_context pointer in regmap init calls

Summary

In the Linux kernel, the following vulnerability has been resolved: regmap: slimbus: fix bus_context pointer in regmap init calls Commit 4e65bda8273c ("ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()") revealed the problem in the slimbus regmap. That commit breaks audio playback, for instance, on sdm845 Thundercomm Dragonboard 845c board: Unable to handle kernel paging request at virtual address ffff8000847cbad4 ... CPU: 5 UID: 0 PID: 776 Comm: aplay Not tainted 6.18.0-rc1-00028-g7ea30958b305 #11 PREEMPT Hardware name: Thundercomm Dragonboard 845c (DT) ... Call trace: slim_xfer_msg+0x24/0x1ac [slimbus] (P) slim_read+0x48/0x74 [slimbus] regmap_slimbus_read+0x18/0x24 [regmap_slimbus] _regmap_raw_read+0xe8/0x174 _regmap_bus_read+0x44/0x80 _regmap_read+0x60/0xd8 _regmap_update_bits+0xf4/0x140 _regmap_select_page+0xa8/0x124 _regmap_raw_write_impl+0x3b8/0x65c _regmap_bus_raw_write+0x60/0x80 _regmap_write+0x58/0xc0 regmap_write+0x4c/0x80 wcd934x_hw_params+0x494/0x8b8 [snd_soc_wcd934x] snd_soc_dai_hw_params+0x3c/0x7c [snd_soc_core] __soc_pcm_hw_params+0x22c/0x634 [snd_soc_core] dpcm_be_dai_hw_params+0x1d4/0x38c [snd_soc_core] dpcm_fe_dai_hw_params+0x9c/0x17c [snd_soc_core] snd_pcm_hw_params+0x124/0x464 [snd_pcm] snd_pcm_common_ioctl+0x110c/0x1820 [snd_pcm] snd_pcm_ioctl+0x34/0x4c [snd_pcm] __arm64_sys_ioctl+0xac/0x104 invoke_syscall+0x48/0x104 el0_svc_common.constprop.0+0x40/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xec el0t_64_sync_handler+0xa0/0xf0 el0t_64_sync+0x198/0x19c The __devm_regmap_init_slimbus() started to be used instead of __regmap_init_slimbus() after the commit mentioned above and turns out the incorrect bus_context pointer (3rd argument) was used in __devm_regmap_init_slimbus(). It should be just "slimbus" (which is equal to &slimbus->dev). Correct it. The wcd934x codec seems to be the only or the first user of devm_regmap_init_slimbus() but we should fix it till the point where __devm_regmap_init_slimbus() was introduced therefore two "Fixes" tags. While at this, also correct the same argument in __regmap_init_slimbus().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c0f05129e5734ff3f…
	https://git.kernel.org/stable/c/02d3041caaa3fe4dd…
	https://git.kernel.org/stable/c/d979639f099c6e51f…
	https://git.kernel.org/stable/c/8143e4075d131c528…
	https://git.kernel.org/stable/c/2664bfd8969d1c43d…
	https://git.kernel.org/stable/c/a16e92f8d7dc7371e…
	https://git.kernel.org/stable/c/b65f3303349eaee33…
	https://git.kernel.org/stable/c/434f7349a1f00618a…

Impacted products

Vendor

Product

Version

Linux

Affected: 7d6f7fb053ad543da74119df3c4cd7bb46220471 , < c0f05129e5734ff3fd14b2c242709314d9ca5433 (git)
Affected: 7d6f7fb053ad543da74119df3c4cd7bb46220471 , < 02d3041caaa3fe4dd69e5a8afd1ac6b918ddc6a1 (git)
Affected: 7d6f7fb053ad543da74119df3c4cd7bb46220471 , < d979639f099c6e51f06ce4dd8d8e56364d6c17ba (git)
Affected: 7d6f7fb053ad543da74119df3c4cd7bb46220471 , < 8143e4075d131c528540417a51966f6697be14eb (git)
Affected: 7d6f7fb053ad543da74119df3c4cd7bb46220471 , < 2664bfd8969d1c43dcbe3ea313f130dfa6b74f4c (git)
Affected: 7d6f7fb053ad543da74119df3c4cd7bb46220471 , < a16e92f8d7dc7371e68f17a9926cb92d2244be7b (git)
Affected: 7d6f7fb053ad543da74119df3c4cd7bb46220471 , < b65f3303349eaee333e47d2a99045aa12fa0c3a7 (git)
Affected: 7d6f7fb053ad543da74119df3c4cd7bb46220471 , < 434f7349a1f00618a620b316f091bd13a12bc8d2 (git)

Linux

Affected: 4.16
Unaffected: 0 , < 4.16 (semver)
Unaffected: 5.4.302 , ≤ 5.4.* (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/base/regmap/regmap-slimbus.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c0f05129e5734ff3fd14b2c242709314d9ca5433",
              "status": "affected",
              "version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
              "versionType": "git"
            },
            {
              "lessThan": "02d3041caaa3fe4dd69e5a8afd1ac6b918ddc6a1",
              "status": "affected",
              "version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
              "versionType": "git"
            },
            {
              "lessThan": "d979639f099c6e51f06ce4dd8d8e56364d6c17ba",
              "status": "affected",
              "version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
              "versionType": "git"
            },
            {
              "lessThan": "8143e4075d131c528540417a51966f6697be14eb",
              "status": "affected",
              "version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
              "versionType": "git"
            },
            {
              "lessThan": "2664bfd8969d1c43dcbe3ea313f130dfa6b74f4c",
              "status": "affected",
              "version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
              "versionType": "git"
            },
            {
              "lessThan": "a16e92f8d7dc7371e68f17a9926cb92d2244be7b",
              "status": "affected",
              "version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
              "versionType": "git"
            },
            {
              "lessThan": "b65f3303349eaee333e47d2a99045aa12fa0c3a7",
              "status": "affected",
              "version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
              "versionType": "git"
            },
            {
              "lessThan": "434f7349a1f00618a620b316f091bd13a12bc8d2",
              "status": "affected",
              "version": "7d6f7fb053ad543da74119df3c4cd7bb46220471",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/base/regmap/regmap-slimbus.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.16"
            },
            {
              "lessThan": "4.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.302",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.302",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nregmap: slimbus: fix bus_context pointer in regmap init calls\n\nCommit 4e65bda8273c (\"ASoC: wcd934x: fix error handling in\nwcd934x_codec_parse_data()\") revealed the problem in the slimbus regmap.\nThat commit breaks audio playback, for instance, on sdm845 Thundercomm\nDragonboard 845c board:\n\n Unable to handle kernel paging request at virtual address ffff8000847cbad4\n ...\n CPU: 5 UID: 0 PID: 776 Comm: aplay Not tainted 6.18.0-rc1-00028-g7ea30958b305 #11 PREEMPT\n Hardware name: Thundercomm Dragonboard 845c (DT)\n ...\n Call trace:\n  slim_xfer_msg+0x24/0x1ac [slimbus] (P)\n  slim_read+0x48/0x74 [slimbus]\n  regmap_slimbus_read+0x18/0x24 [regmap_slimbus]\n  _regmap_raw_read+0xe8/0x174\n  _regmap_bus_read+0x44/0x80\n  _regmap_read+0x60/0xd8\n  _regmap_update_bits+0xf4/0x140\n  _regmap_select_page+0xa8/0x124\n  _regmap_raw_write_impl+0x3b8/0x65c\n  _regmap_bus_raw_write+0x60/0x80\n  _regmap_write+0x58/0xc0\n  regmap_write+0x4c/0x80\n  wcd934x_hw_params+0x494/0x8b8 [snd_soc_wcd934x]\n  snd_soc_dai_hw_params+0x3c/0x7c [snd_soc_core]\n  __soc_pcm_hw_params+0x22c/0x634 [snd_soc_core]\n  dpcm_be_dai_hw_params+0x1d4/0x38c [snd_soc_core]\n  dpcm_fe_dai_hw_params+0x9c/0x17c [snd_soc_core]\n  snd_pcm_hw_params+0x124/0x464 [snd_pcm]\n  snd_pcm_common_ioctl+0x110c/0x1820 [snd_pcm]\n  snd_pcm_ioctl+0x34/0x4c [snd_pcm]\n  __arm64_sys_ioctl+0xac/0x104\n  invoke_syscall+0x48/0x104\n  el0_svc_common.constprop.0+0x40/0xe0\n  do_el0_svc+0x1c/0x28\n  el0_svc+0x34/0xec\n  el0t_64_sync_handler+0xa0/0xf0\n  el0t_64_sync+0x198/0x19c\n\nThe __devm_regmap_init_slimbus() started to be used instead of\n__regmap_init_slimbus() after the commit mentioned above and turns out\nthe incorrect bus_context pointer (3rd argument) was used in\n__devm_regmap_init_slimbus(). It should be just \"slimbus\" (which is equal\nto \u0026slimbus-\u003edev). Correct it. The wcd934x codec seems to be the only or\nthe first user of devm_regmap_init_slimbus() but we should fix it till\nthe point where __devm_regmap_init_slimbus() was introduced therefore\ntwo \"Fixes\" tags.\n\nWhile at this, also correct the same argument in __regmap_init_slimbus()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-08T00:46:44.287Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c0f05129e5734ff3fd14b2c242709314d9ca5433"
        },
        {
          "url": "https://git.kernel.org/stable/c/02d3041caaa3fe4dd69e5a8afd1ac6b918ddc6a1"
        },
        {
          "url": "https://git.kernel.org/stable/c/d979639f099c6e51f06ce4dd8d8e56364d6c17ba"
        },
        {
          "url": "https://git.kernel.org/stable/c/8143e4075d131c528540417a51966f6697be14eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/2664bfd8969d1c43dcbe3ea313f130dfa6b74f4c"
        },
        {
          "url": "https://git.kernel.org/stable/c/a16e92f8d7dc7371e68f17a9926cb92d2244be7b"
        },
        {
          "url": "https://git.kernel.org/stable/c/b65f3303349eaee333e47d2a99045aa12fa0c3a7"
        },
        {
          "url": "https://git.kernel.org/stable/c/434f7349a1f00618a620b316f091bd13a12bc8d2"
        }
      ],
      "title": "regmap: slimbus: fix bus_context pointer in regmap init calls",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40317",
    "datePublished": "2025-12-08T00:46:44.287Z",
    "dateReserved": "2025-04-16T07:20:57.186Z",
    "dateUpdated": "2025-12-08T00:46:44.287Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68180 (GCVE-0-2025-68180)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:42 – Updated: 2025-12-16 13:42

Title

drm/amd/display: Fix NULL deref in debugfs odm_combine_segments

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix NULL deref in debugfs odm_combine_segments When a connector is connected but inactive (e.g., disabled by desktop environments), pipe_ctx->stream_res.tg will be destroyed. Then, reading odm_combine_segments causes kernel NULL pointer dereference. BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 16 UID: 0 PID: 26474 Comm: cat Not tainted 6.17.0+ #2 PREEMPT(lazy) e6a17af9ee6db7c63e9d90dbe5b28ccab67520c6 Hardware name: LENOVO 21Q4/LNVNB161216, BIOS PXCN25WW 03/27/2025 RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu] Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00> RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286 RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8 RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000 RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0 R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08 R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001 FS: 00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0 PKRU: 55555554 Call Trace: <TASK> seq_read_iter+0x125/0x490 ? __alloc_frozen_pages_noprof+0x18f/0x350 seq_read+0x12c/0x170 full_proxy_read+0x51/0x80 vfs_read+0xbc/0x390 ? __handle_mm_fault+0xa46/0xef0 ? do_syscall_64+0x71/0x900 ksys_read+0x73/0xf0 do_syscall_64+0x71/0x900 ? count_memcg_events+0xc2/0x190 ? handle_mm_fault+0x1d7/0x2d0 ? do_user_addr_fault+0x21a/0x690 ? exc_page_fault+0x7e/0x1a0 entry_SYSCALL_64_after_hwframe+0x6c/0x74 RIP: 0033:0x7f44d4031687 Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00> RSP: 002b:00007ffdb4b5f0b0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 00007f44d3f9f740 RCX: 00007f44d4031687 RDX: 0000000000040000 RSI: 00007f44d3f5e000 RDI: 0000000000000003 RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007f44d3f5e000 R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000040000 </TASK> Modules linked in: tls tcp_diag inet_diag xt_mark ccm snd_hrtimer snd_seq_dummy snd_seq_midi snd_seq_oss snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device x> snd_hda_codec_atihdmi snd_hda_codec_realtek_lib lenovo_wmi_helpers think_lmi snd_hda_codec_generic snd_hda_codec_hdmi snd_soc_core kvm snd_compress uvcvideo sn> platform_profile joydev amd_pmc mousedev mac_hid sch_fq_codel uinput i2c_dev parport_pc ppdev lp parport nvme_fabrics loop nfnetlink ip_tables x_tables dm_cryp> CR2: 0000000000000000 ---[ end trace 0000000000000000 ]--- RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu] Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00> RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286 RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8 RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000 RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0 R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08 R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001 FS: 00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0 PKRU: 55555554 Fix this by checking pipe_ctx-> ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d990c7f180aa7c6ff…
	https://git.kernel.org/stable/c/c05fe5d47baac212a…
	https://git.kernel.org/stable/c/6dd97ceb645c08aca…

Impacted products

Vendor

Product

Version

Linux

Affected: 07926ba8a44f0ca9165ee2fb17c9afc7908c3b2b , < d990c7f180aa7c6ffd2c1b3c77160e50672039ce (git)
Affected: 07926ba8a44f0ca9165ee2fb17c9afc7908c3b2b , < c05fe5d47baac212a3a74b279239f495be101629 (git)
Affected: 07926ba8a44f0ca9165ee2fb17c9afc7908c3b2b , < 6dd97ceb645c08aca9fc871a3006e47fe699f0ac (git)

Linux

Affected: 6.7
Unaffected: 0 , < 6.7 (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d990c7f180aa7c6ffd2c1b3c77160e50672039ce",
              "status": "affected",
              "version": "07926ba8a44f0ca9165ee2fb17c9afc7908c3b2b",
              "versionType": "git"
            },
            {
              "lessThan": "c05fe5d47baac212a3a74b279239f495be101629",
              "status": "affected",
              "version": "07926ba8a44f0ca9165ee2fb17c9afc7908c3b2b",
              "versionType": "git"
            },
            {
              "lessThan": "6dd97ceb645c08aca9fc871a3006e47fe699f0ac",
              "status": "affected",
              "version": "07926ba8a44f0ca9165ee2fb17c9afc7908c3b2b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix NULL deref in debugfs odm_combine_segments\n\nWhen a connector is connected but inactive (e.g., disabled by desktop\nenvironments), pipe_ctx-\u003estream_res.tg will be destroyed. Then, reading\nodm_combine_segments causes kernel NULL pointer dereference.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 16 UID: 0 PID: 26474 Comm: cat Not tainted 6.17.0+ #2 PREEMPT(lazy)  e6a17af9ee6db7c63e9d90dbe5b28ccab67520c6\n Hardware name: LENOVO 21Q4/LNVNB161216, BIOS PXCN25WW 03/27/2025\n RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]\n Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 \u003c48\u003e 8b 07 48 8b 80 08 02 00\u003e\n RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286\n RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8\n RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000\n RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0\n R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08\n R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001\n FS:  00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0\n PKRU: 55555554\n Call Trace:\n  \u003cTASK\u003e\n  seq_read_iter+0x125/0x490\n  ? __alloc_frozen_pages_noprof+0x18f/0x350\n  seq_read+0x12c/0x170\n  full_proxy_read+0x51/0x80\n  vfs_read+0xbc/0x390\n  ? __handle_mm_fault+0xa46/0xef0\n  ? do_syscall_64+0x71/0x900\n  ksys_read+0x73/0xf0\n  do_syscall_64+0x71/0x900\n  ? count_memcg_events+0xc2/0x190\n  ? handle_mm_fault+0x1d7/0x2d0\n  ? do_user_addr_fault+0x21a/0x690\n  ? exc_page_fault+0x7e/0x1a0\n  entry_SYSCALL_64_after_hwframe+0x6c/0x74\n RIP: 0033:0x7f44d4031687\n Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 \u003c5b\u003e c3 0f 1f 80 00 00 00 00\u003e\n RSP: 002b:00007ffdb4b5f0b0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000\n RAX: ffffffffffffffda RBX: 00007f44d3f9f740 RCX: 00007f44d4031687\n RDX: 0000000000040000 RSI: 00007f44d3f5e000 RDI: 0000000000000003\n RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000202 R12: 00007f44d3f5e000\n R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000040000\n  \u003c/TASK\u003e\n Modules linked in: tls tcp_diag inet_diag xt_mark ccm snd_hrtimer snd_seq_dummy snd_seq_midi snd_seq_oss snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device x\u003e\n  snd_hda_codec_atihdmi snd_hda_codec_realtek_lib lenovo_wmi_helpers think_lmi snd_hda_codec_generic snd_hda_codec_hdmi snd_soc_core kvm snd_compress uvcvideo sn\u003e\n  platform_profile joydev amd_pmc mousedev mac_hid sch_fq_codel uinput i2c_dev parport_pc ppdev lp parport nvme_fabrics loop nfnetlink ip_tables x_tables dm_cryp\u003e\n CR2: 0000000000000000\n ---[ end trace 0000000000000000 ]---\n RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu]\n Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 \u003c48\u003e 8b 07 48 8b 80 08 02 00\u003e\n RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286\n RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8\n RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000\n RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0\n R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08\n R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001\n FS:  00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0\n PKRU: 55555554\n\nFix this by checking pipe_ctx-\u003e\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T13:42:58.687Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d990c7f180aa7c6ffd2c1b3c77160e50672039ce"
        },
        {
          "url": "https://git.kernel.org/stable/c/c05fe5d47baac212a3a74b279239f495be101629"
        },
        {
          "url": "https://git.kernel.org/stable/c/6dd97ceb645c08aca9fc871a3006e47fe699f0ac"
        }
      ],
      "title": "drm/amd/display: Fix NULL deref in debugfs odm_combine_segments",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68180",
    "datePublished": "2025-12-16T13:42:58.687Z",
    "dateReserved": "2025-12-16T13:41:40.252Z",
    "dateUpdated": "2025-12-16T13:42:58.687Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40359 (GCVE-0-2025-40359)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:39 – Updated: 2025-12-16 13:39

Title

perf/x86/intel: Fix KASAN global-out-of-bounds warning

Summary

In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: Fix KASAN global-out-of-bounds warning When running "perf mem record" command on CWF, the below KASAN global-out-of-bounds warning is seen. ================================================================== BUG: KASAN: global-out-of-bounds in cmt_latency_data+0x176/0x1b0 Read of size 4 at addr ffffffffb721d000 by task dtlb/9850 Call Trace: kasan_report+0xb8/0xf0 cmt_latency_data+0x176/0x1b0 setup_arch_pebs_sample_data+0xf49/0x2560 intel_pmu_drain_arch_pebs+0x577/0xb00 handle_pmi_common+0x6c4/0xc80 The issue is caused by below code in __grt_latency_data(). The code tries to access x86_hybrid_pmu structure which doesn't exist on non-hybrid platform like CWF. WARN_ON_ONCE(hybrid_pmu(event->pmu)->pmu_type == hybrid_big) So add is_hybrid() check before calling this WARN_ON_ONCE to fix the global-out-of-bounds access issue.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/1b61a1da3d8105ea1…
	https://git.kernel.org/stable/c/710a72e81a7028e1a…
	https://git.kernel.org/stable/c/0ba6502ce167fc3d5…

Impacted products

Vendor

Product

Version

Linux

Affected: 090262439f66df03d4e9d0e52e14104b729e2ef8 , < 1b61a1da3d8105ea1be548c94c2856697eb7ffd1 (git)
Affected: 090262439f66df03d4e9d0e52e14104b729e2ef8 , < 710a72e81a7028e1ad1a10eb14f941f8dd45ffd3 (git)
Affected: 090262439f66df03d4e9d0e52e14104b729e2ef8 , < 0ba6502ce167fc3d598c08c2cc3b4ed7ca5aa251 (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/events/intel/ds.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1b61a1da3d8105ea1be548c94c2856697eb7ffd1",
              "status": "affected",
              "version": "090262439f66df03d4e9d0e52e14104b729e2ef8",
              "versionType": "git"
            },
            {
              "lessThan": "710a72e81a7028e1ad1a10eb14f941f8dd45ffd3",
              "status": "affected",
              "version": "090262439f66df03d4e9d0e52e14104b729e2ef8",
              "versionType": "git"
            },
            {
              "lessThan": "0ba6502ce167fc3d598c08c2cc3b4ed7ca5aa251",
              "status": "affected",
              "version": "090262439f66df03d4e9d0e52e14104b729e2ef8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/events/intel/ds.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel: Fix KASAN global-out-of-bounds warning\n\nWhen running \"perf mem record\" command on CWF, the below KASAN\nglobal-out-of-bounds warning is seen.\n\n  ==================================================================\n  BUG: KASAN: global-out-of-bounds in cmt_latency_data+0x176/0x1b0\n  Read of size 4 at addr ffffffffb721d000 by task dtlb/9850\n\n  Call Trace:\n\n   kasan_report+0xb8/0xf0\n   cmt_latency_data+0x176/0x1b0\n   setup_arch_pebs_sample_data+0xf49/0x2560\n   intel_pmu_drain_arch_pebs+0x577/0xb00\n   handle_pmi_common+0x6c4/0xc80\n\nThe issue is caused by below code in __grt_latency_data(). The code\ntries to access x86_hybrid_pmu structure which doesn\u0027t exist on\nnon-hybrid platform like CWF.\n\n        WARN_ON_ONCE(hybrid_pmu(event-\u003epmu)-\u003epmu_type == hybrid_big)\n\nSo add is_hybrid() check before calling this WARN_ON_ONCE to fix the\nglobal-out-of-bounds access issue."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T13:39:58.778Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1b61a1da3d8105ea1be548c94c2856697eb7ffd1"
        },
        {
          "url": "https://git.kernel.org/stable/c/710a72e81a7028e1ad1a10eb14f941f8dd45ffd3"
        },
        {
          "url": "https://git.kernel.org/stable/c/0ba6502ce167fc3d598c08c2cc3b4ed7ca5aa251"
        }
      ],
      "title": "perf/x86/intel: Fix KASAN global-out-of-bounds warning",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40359",
    "datePublished": "2025-12-16T13:39:58.778Z",
    "dateReserved": "2025-04-16T07:20:57.187Z",
    "dateUpdated": "2025-12-16T13:39:58.778Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68185 (GCVE-0-2025-68185)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:43 – Updated: 2026-01-02 15:34

Title

nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing

Summary

In the Linux kernel, the following vulnerability has been resolved: nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing Theoretically it's an oopsable race, but I don't believe one can manage to hit it on real hardware; might become doable on a KVM, but it still won't be easy to attack. Anyway, it's easy to deal with - since xdr_encode_hyper() is just a call of put_unaligned_be64(), we can put that under ->d_lock and be done with that.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/6025f641a0e30afdc…
	https://git.kernel.org/stable/c/e6cafe71eb3b5579b…
	https://git.kernel.org/stable/c/fa4daf7d11e45b72a…
	https://git.kernel.org/stable/c/504b3fb9948a9e96e…
	https://git.kernel.org/stable/c/eacfd08b26a062f10…
	https://git.kernel.org/stable/c/40be5b9080114f18b…
	https://git.kernel.org/stable/c/f5e570eaab36a110c…
	https://git.kernel.org/stable/c/a890a2e339b929dbd…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6025f641a0e30afdc5aa62017397b1860ad9f677 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e6cafe71eb3b5579b245ba1bd528a181e77f3df1 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < fa4daf7d11e45b72aad5d943a7ab991f869fff79 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 504b3fb9948a9e96ebbabdee0d33966a8bab15cb (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < eacfd08b26a062f1095b18719715bc82ad35312e (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 40be5b9080114f18b0cea386db415b68a7273c1a (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f5e570eaab36a110c6ffda32b87c51170990c2d1 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a890a2e339b929dbd843328f9a92a1625404fe63 (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.302 , ≤ 5.4.* (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nfs/nfs4proc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6025f641a0e30afdc5aa62017397b1860ad9f677",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "e6cafe71eb3b5579b245ba1bd528a181e77f3df1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "fa4daf7d11e45b72aad5d943a7ab991f869fff79",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "504b3fb9948a9e96ebbabdee0d33966a8bab15cb",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "eacfd08b26a062f1095b18719715bc82ad35312e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "40be5b9080114f18b0cea386db415b68a7273c1a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f5e570eaab36a110c6ffda32b87c51170990c2d1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a890a2e339b929dbd843328f9a92a1625404fe63",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nfs/nfs4proc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.302",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.302",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs4_setup_readdir(): insufficient locking for -\u003ed_parent-\u003ed_inode dereferencing\n\nTheoretically it\u0027s an oopsable race, but I don\u0027t believe one can manage\nto hit it on real hardware; might become doable on a KVM, but it still\nwon\u0027t be easy to attack.\n\nAnyway, it\u0027s easy to deal with - since xdr_encode_hyper() is just a call of\nput_unaligned_be64(), we can put that under -\u003ed_lock and be done with that."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:34:15.709Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6025f641a0e30afdc5aa62017397b1860ad9f677"
        },
        {
          "url": "https://git.kernel.org/stable/c/e6cafe71eb3b5579b245ba1bd528a181e77f3df1"
        },
        {
          "url": "https://git.kernel.org/stable/c/fa4daf7d11e45b72aad5d943a7ab991f869fff79"
        },
        {
          "url": "https://git.kernel.org/stable/c/504b3fb9948a9e96ebbabdee0d33966a8bab15cb"
        },
        {
          "url": "https://git.kernel.org/stable/c/eacfd08b26a062f1095b18719715bc82ad35312e"
        },
        {
          "url": "https://git.kernel.org/stable/c/40be5b9080114f18b0cea386db415b68a7273c1a"
        },
        {
          "url": "https://git.kernel.org/stable/c/f5e570eaab36a110c6ffda32b87c51170990c2d1"
        },
        {
          "url": "https://git.kernel.org/stable/c/a890a2e339b929dbd843328f9a92a1625404fe63"
        }
      ],
      "title": "nfs4_setup_readdir(): insufficient locking for -\u003ed_parent-\u003ed_inode dereferencing",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68185",
    "datePublished": "2025-12-16T13:43:02.894Z",
    "dateReserved": "2025-12-16T13:41:40.252Z",
    "dateUpdated": "2026-01-02T15:34:15.709Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40235 (GCVE-0-2025-40235)

Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2025-12-04 15:31

Title

btrfs: directly free partially initialized fs_info in btrfs_check_leaked_roots()

Summary

In the Linux kernel, the following vulnerability has been resolved: btrfs: directly free partially initialized fs_info in btrfs_check_leaked_roots() If fs_info->super_copy or fs_info->super_for_commit allocated failed in btrfs_get_tree_subvol(), then no need to call btrfs_free_fs_info(). Otherwise btrfs_check_leaked_roots() would access NULL pointer because fs_info->allocated_roots had not been initialised. syzkaller reported the following information: ------------[ cut here ]------------ BUG: unable to handle page fault for address: fffffffffffffbb0 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 64c9067 P4D 64c9067 PUD 64cb067 PMD 0 Oops: Oops: 0000 [#1] SMP KASAN PTI CPU: 0 UID: 0 PID: 1402 Comm: syz.1.35 Not tainted 6.15.8 #4 PREEMPT(lazy) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), (...) RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline] RIP: 0010:raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline] RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline] RIP: 0010:refcount_read include/linux/refcount.h:170 [inline] RIP: 0010:btrfs_check_leaked_roots+0x18f/0x2c0 fs/btrfs/disk-io.c:1230 [...] Call Trace: <TASK> btrfs_free_fs_info+0x310/0x410 fs/btrfs/disk-io.c:1280 btrfs_get_tree_subvol+0x592/0x6b0 fs/btrfs/super.c:2029 btrfs_get_tree+0x63/0x80 fs/btrfs/super.c:2097 vfs_get_tree+0x98/0x320 fs/super.c:1759 do_new_mount+0x357/0x660 fs/namespace.c:3899 path_mount+0x716/0x19c0 fs/namespace.c:4226 do_mount fs/namespace.c:4239 [inline] __do_sys_mount fs/namespace.c:4450 [inline] __se_sys_mount fs/namespace.c:4427 [inline] __x64_sys_mount+0x28c/0x310 fs/namespace.c:4427 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x92/0x180 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f032eaffa8d [...]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b1c2b4e6ffd307720…
	https://git.kernel.org/stable/c/0c2b2d4d053e9840e…
	https://git.kernel.org/stable/c/17679ac6df6c4830b…

Impacted products

Vendor

Product

Version

Linux

Affected: 3bb17a25bcb09abbd667c6ac86c7c9109ae82bcd , < b1c2b4e6ffd307720ab6ce42f6749b0c02ba0a73 (git)
Affected: 3bb17a25bcb09abbd667c6ac86c7c9109ae82bcd , < 0c2b2d4d053e9840e6da6ed581befa20309f281a (git)
Affected: 3bb17a25bcb09abbd667c6ac86c7c9109ae82bcd , < 17679ac6df6c4830ba711835aa8cf961be36cfa1 (git)

Linux

Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.12.56 , ≤ 6.12.* (semver)
Unaffected: 6.17.6 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b1c2b4e6ffd307720ab6ce42f6749b0c02ba0a73",
              "status": "affected",
              "version": "3bb17a25bcb09abbd667c6ac86c7c9109ae82bcd",
              "versionType": "git"
            },
            {
              "lessThan": "0c2b2d4d053e9840e6da6ed581befa20309f281a",
              "status": "affected",
              "version": "3bb17a25bcb09abbd667c6ac86c7c9109ae82bcd",
              "versionType": "git"
            },
            {
              "lessThan": "17679ac6df6c4830ba711835aa8cf961be36cfa1",
              "status": "affected",
              "version": "3bb17a25bcb09abbd667c6ac86c7c9109ae82bcd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.56",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.56",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.6",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: directly free partially initialized fs_info in btrfs_check_leaked_roots()\n\nIf fs_info-\u003esuper_copy or fs_info-\u003esuper_for_commit allocated failed in\nbtrfs_get_tree_subvol(), then no need to call btrfs_free_fs_info().\nOtherwise btrfs_check_leaked_roots() would access NULL pointer because\nfs_info-\u003eallocated_roots had not been initialised.\n\nsyzkaller reported the following information:\n  ------------[ cut here ]------------\n  BUG: unable to handle page fault for address: fffffffffffffbb0\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 64c9067 P4D 64c9067 PUD 64cb067 PMD 0\n  Oops: Oops: 0000 [#1] SMP KASAN PTI\n  CPU: 0 UID: 0 PID: 1402 Comm: syz.1.35 Not tainted 6.15.8 #4 PREEMPT(lazy)\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), (...)\n  RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline]\n  RIP: 0010:raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline]\n  RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline]\n  RIP: 0010:refcount_read include/linux/refcount.h:170 [inline]\n  RIP: 0010:btrfs_check_leaked_roots+0x18f/0x2c0 fs/btrfs/disk-io.c:1230\n  [...]\n  Call Trace:\n   \u003cTASK\u003e\n   btrfs_free_fs_info+0x310/0x410 fs/btrfs/disk-io.c:1280\n   btrfs_get_tree_subvol+0x592/0x6b0 fs/btrfs/super.c:2029\n   btrfs_get_tree+0x63/0x80 fs/btrfs/super.c:2097\n   vfs_get_tree+0x98/0x320 fs/super.c:1759\n   do_new_mount+0x357/0x660 fs/namespace.c:3899\n   path_mount+0x716/0x19c0 fs/namespace.c:4226\n   do_mount fs/namespace.c:4239 [inline]\n   __do_sys_mount fs/namespace.c:4450 [inline]\n   __se_sys_mount fs/namespace.c:4427 [inline]\n   __x64_sys_mount+0x28c/0x310 fs/namespace.c:4427\n   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n   do_syscall_64+0x92/0x180 arch/x86/entry/syscall_64.c:94\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  RIP: 0033:0x7f032eaffa8d\n  [...]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-04T15:31:25.785Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b1c2b4e6ffd307720ab6ce42f6749b0c02ba0a73"
        },
        {
          "url": "https://git.kernel.org/stable/c/0c2b2d4d053e9840e6da6ed581befa20309f281a"
        },
        {
          "url": "https://git.kernel.org/stable/c/17679ac6df6c4830ba711835aa8cf961be36cfa1"
        }
      ],
      "title": "btrfs: directly free partially initialized fs_info in btrfs_check_leaked_roots()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40235",
    "datePublished": "2025-12-04T15:31:25.785Z",
    "dateReserved": "2025-04-16T07:20:57.180Z",
    "dateUpdated": "2025-12-04T15:31:25.785Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40321 (GCVE-0-2025-40321)

Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46

Title

wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode Currently, whenever there is a need to transmit an Action frame, the brcmfmac driver always uses the P2P vif to send the "actframe" IOVAR to firmware. The P2P interfaces were available when wpa_supplicant is managing the wlan interface. However, the P2P interfaces are not created/initialized when only hostapd is managing the wlan interface. And if hostapd receives an ANQP Query REQ Action frame even from an un-associated STA, the brcmfmac driver tries to use an uninitialized P2P vif pointer for sending the IOVAR to firmware. This NULL pointer dereferencing triggers a driver crash. [ 1417.074538] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [...] [ 1417.075188] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT) [...] [ 1417.075653] Call trace: [ 1417.075662] brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac] [ 1417.075738] brcmf_cfg80211_mgmt_tx+0x304/0x5c0 [brcmfmac] [ 1417.075810] cfg80211_mlme_mgmt_tx+0x1b0/0x428 [cfg80211] [ 1417.076067] nl80211_tx_mgmt+0x238/0x388 [cfg80211] [ 1417.076281] genl_family_rcv_msg_doit+0xe0/0x158 [ 1417.076302] genl_rcv_msg+0x220/0x2a0 [ 1417.076317] netlink_rcv_skb+0x68/0x140 [ 1417.076330] genl_rcv+0x40/0x60 [ 1417.076343] netlink_unicast+0x330/0x3b8 [ 1417.076357] netlink_sendmsg+0x19c/0x3f8 [ 1417.076370] __sock_sendmsg+0x64/0xc0 [ 1417.076391] ____sys_sendmsg+0x268/0x2a0 [ 1417.076408] ___sys_sendmsg+0xb8/0x118 [ 1417.076427] __sys_sendmsg+0x90/0xf8 [ 1417.076445] __arm64_sys_sendmsg+0x2c/0x40 [ 1417.076465] invoke_syscall+0x50/0x120 [ 1417.076486] el0_svc_common.constprop.0+0x48/0xf0 [ 1417.076506] do_el0_svc+0x24/0x38 [ 1417.076525] el0_svc+0x30/0x100 [ 1417.076548] el0t_64_sync_handler+0x100/0x130 [ 1417.076569] el0t_64_sync+0x190/0x198 [ 1417.076589] Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000) Fix this, by always using the vif corresponding to the wdev on which the Action frame Transmission request was initiated by the userspace. This way, even if P2P vif is not available, the IOVAR is sent to firmware on AP vif and the ANQP Query RESP Action frame is transmitted without crashing the driver. Move init_completion() for "send_af_done" from brcmf_p2p_create_p2pdev() to brcmf_p2p_attach(). Because the former function would not get executed when only hostapd is managing wlan interface, and it is not safe to do reinit_completion() later in brcmf_p2p_tx_action_frame(), without any prior init_completion(). And in the brcmf_p2p_tx_action_frame() function, the condition check for P2P Presence response frame is not needed, since the wpa_supplicant is properly sending the P2P Presense Response frame on the P2P-GO vif instead of the P2P-Device vif. [Cc stable]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c863b9c7b4e9af0b7…
	https://git.kernel.org/stable/c/e1fc9afcce9139791…
	https://git.kernel.org/stable/c/55f60a72a178909ec…
	https://git.kernel.org/stable/c/c2b0f8d3e7358c33d…
	https://git.kernel.org/stable/c/64e3175d1c8a3bea0…
	https://git.kernel.org/stable/c/a6eed58249e7d60f8…
	https://git.kernel.org/stable/c/dbc7357b6aae686d9…
	https://git.kernel.org/stable/c/3776c685ebe5f43e9…

Impacted products

Vendor

Product

Version

Linux

Affected: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab , < c863b9c7b4e9af0b7931cb791ec91971a50f1a25 (git)
Affected: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab , < e1fc9afcce9139791260f962541282d47fbb508d (git)
Affected: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab , < 55f60a72a178909ece4e32987e4c642ba57e1cf4 (git)
Affected: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab , < c2b0f8d3e7358c33d90f0e62765d474f25f26a45 (git)
Affected: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab , < 64e3175d1c8a3bea02032e7c9d1befd5f43786fa (git)
Affected: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab , < a6eed58249e7d60f856900e682992300f770f64b (git)
Affected: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab , < dbc7357b6aae686d9404e1dd7e2e6cf92c3a1b5a (git)
Affected: 18e2f61db3b708e0a22ccc403cb6ab2203d6faab , < 3776c685ebe5f43e9060af06872661de55e80b9a (git)

Linux

Affected: 3.9
Unaffected: 0 , < 3.9 (semver)
Unaffected: 5.4.302 , ≤ 5.4.* (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c",
            "drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c",
            "drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c863b9c7b4e9af0b7931cb791ec91971a50f1a25",
              "status": "affected",
              "version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
              "versionType": "git"
            },
            {
              "lessThan": "e1fc9afcce9139791260f962541282d47fbb508d",
              "status": "affected",
              "version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
              "versionType": "git"
            },
            {
              "lessThan": "55f60a72a178909ece4e32987e4c642ba57e1cf4",
              "status": "affected",
              "version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
              "versionType": "git"
            },
            {
              "lessThan": "c2b0f8d3e7358c33d90f0e62765d474f25f26a45",
              "status": "affected",
              "version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
              "versionType": "git"
            },
            {
              "lessThan": "64e3175d1c8a3bea02032e7c9d1befd5f43786fa",
              "status": "affected",
              "version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
              "versionType": "git"
            },
            {
              "lessThan": "a6eed58249e7d60f856900e682992300f770f64b",
              "status": "affected",
              "version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
              "versionType": "git"
            },
            {
              "lessThan": "dbc7357b6aae686d9404e1dd7e2e6cf92c3a1b5a",
              "status": "affected",
              "version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
              "versionType": "git"
            },
            {
              "lessThan": "3776c685ebe5f43e9060af06872661de55e80b9a",
              "status": "affected",
              "version": "18e2f61db3b708e0a22ccc403cb6ab2203d6faab",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c",
            "drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c",
            "drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.9"
            },
            {
              "lessThan": "3.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.302",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.302",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode\n\nCurrently, whenever there is a need to transmit an Action frame,\nthe brcmfmac driver always uses the P2P vif to send the \"actframe\" IOVAR to\nfirmware. The P2P interfaces were available when wpa_supplicant is managing\nthe wlan interface.\n\nHowever, the P2P interfaces are not created/initialized when only hostapd\nis managing the wlan interface. And if hostapd receives an ANQP Query REQ\nAction frame even from an un-associated STA, the brcmfmac driver tries\nto use an uninitialized P2P vif pointer for sending the IOVAR to firmware.\nThis NULL pointer dereferencing triggers a driver crash.\n\n [ 1417.074538] Unable to handle kernel NULL pointer dereference at virtual\n address 0000000000000000\n [...]\n [ 1417.075188] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT)\n [...]\n [ 1417.075653] Call trace:\n [ 1417.075662]  brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]\n [ 1417.075738]  brcmf_cfg80211_mgmt_tx+0x304/0x5c0 [brcmfmac]\n [ 1417.075810]  cfg80211_mlme_mgmt_tx+0x1b0/0x428 [cfg80211]\n [ 1417.076067]  nl80211_tx_mgmt+0x238/0x388 [cfg80211]\n [ 1417.076281]  genl_family_rcv_msg_doit+0xe0/0x158\n [ 1417.076302]  genl_rcv_msg+0x220/0x2a0\n [ 1417.076317]  netlink_rcv_skb+0x68/0x140\n [ 1417.076330]  genl_rcv+0x40/0x60\n [ 1417.076343]  netlink_unicast+0x330/0x3b8\n [ 1417.076357]  netlink_sendmsg+0x19c/0x3f8\n [ 1417.076370]  __sock_sendmsg+0x64/0xc0\n [ 1417.076391]  ____sys_sendmsg+0x268/0x2a0\n [ 1417.076408]  ___sys_sendmsg+0xb8/0x118\n [ 1417.076427]  __sys_sendmsg+0x90/0xf8\n [ 1417.076445]  __arm64_sys_sendmsg+0x2c/0x40\n [ 1417.076465]  invoke_syscall+0x50/0x120\n [ 1417.076486]  el0_svc_common.constprop.0+0x48/0xf0\n [ 1417.076506]  do_el0_svc+0x24/0x38\n [ 1417.076525]  el0_svc+0x30/0x100\n [ 1417.076548]  el0t_64_sync_handler+0x100/0x130\n [ 1417.076569]  el0t_64_sync+0x190/0x198\n [ 1417.076589] Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000)\n\nFix this, by always using the vif corresponding to the wdev on which the\nAction frame Transmission request was initiated by the userspace. This way,\neven if P2P vif is not available, the IOVAR is sent to firmware on AP vif\nand the ANQP Query RESP Action frame is transmitted without crashing the\ndriver.\n\nMove init_completion() for \"send_af_done\" from brcmf_p2p_create_p2pdev()\nto brcmf_p2p_attach(). Because the former function would not get executed\nwhen only hostapd is managing wlan interface, and it is not safe to do\nreinit_completion() later in brcmf_p2p_tx_action_frame(), without any prior\ninit_completion().\n\nAnd in the brcmf_p2p_tx_action_frame() function, the condition check for\nP2P Presence response frame is not needed, since the wpa_supplicant is\nproperly sending the P2P Presense Response frame on the P2P-GO vif instead\nof the P2P-Device vif.\n\n[Cc stable]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-08T00:46:48.724Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c863b9c7b4e9af0b7931cb791ec91971a50f1a25"
        },
        {
          "url": "https://git.kernel.org/stable/c/e1fc9afcce9139791260f962541282d47fbb508d"
        },
        {
          "url": "https://git.kernel.org/stable/c/55f60a72a178909ece4e32987e4c642ba57e1cf4"
        },
        {
          "url": "https://git.kernel.org/stable/c/c2b0f8d3e7358c33d90f0e62765d474f25f26a45"
        },
        {
          "url": "https://git.kernel.org/stable/c/64e3175d1c8a3bea02032e7c9d1befd5f43786fa"
        },
        {
          "url": "https://git.kernel.org/stable/c/a6eed58249e7d60f856900e682992300f770f64b"
        },
        {
          "url": "https://git.kernel.org/stable/c/dbc7357b6aae686d9404e1dd7e2e6cf92c3a1b5a"
        },
        {
          "url": "https://git.kernel.org/stable/c/3776c685ebe5f43e9060af06872661de55e80b9a"
        }
      ],
      "title": "wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40321",
    "datePublished": "2025-12-08T00:46:48.724Z",
    "dateReserved": "2025-04-16T07:20:57.186Z",
    "dateUpdated": "2025-12-08T00:46:48.724Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68345 (GCVE-0-2025-68345)

Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-01-11 16:29

Title

ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()

Summary

In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi() The acpi_get_first_physical_node() function can return NULL, in which case the get_device() function also returns NULL, but this value is then dereferenced without checking,so add a check to prevent a crash. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e63f9c81ca28b06ee…
	https://git.kernel.org/stable/c/7a35a505d76a4b6cd…
	https://git.kernel.org/stable/c/e6ba921b17797ccc5…
	https://git.kernel.org/stable/c/c28946b7409b7b68f…
	https://git.kernel.org/stable/c/343fa9800cf9870ec…
	https://git.kernel.org/stable/c/c34b04cc6178f33c0…

Impacted products

Vendor

Product

Version

Linux

Affected: 7b2f3eb492dac7665c75df067e4d8e4869589f4a , < e63f9c81ca28b06eeeac3630faddc50717897351 (git)
Affected: 7b2f3eb492dac7665c75df067e4d8e4869589f4a , < 7a35a505d76a4b6cd426b59ff2d800d0394cc5d3 (git)
Affected: 7b2f3eb492dac7665c75df067e4d8e4869589f4a , < e6ba921b17797ccc545d80e0dbccb5fab91c248c (git)
Affected: 7b2f3eb492dac7665c75df067e4d8e4869589f4a , < c28946b7409b7b68fb0481ec738c8b04578b11c6 (git)
Affected: 7b2f3eb492dac7665c75df067e4d8e4869589f4a , < 343fa9800cf9870ec681e21f0a6f2157b74ae520 (git)
Affected: 7b2f3eb492dac7665c75df067e4d8e4869589f4a , < c34b04cc6178f33c08331568c7fd25c5b9a39f66 (git)

Linux

Affected: 5.17
Unaffected: 0 , < 5.17 (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.64 , ≤ 6.12.* (semver)
Unaffected: 6.17.13 , ≤ 6.17.* (semver)
Unaffected: 6.18.2 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/hda/codecs/side-codecs/cs35l41_hda.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e63f9c81ca28b06eeeac3630faddc50717897351",
              "status": "affected",
              "version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
              "versionType": "git"
            },
            {
              "lessThan": "7a35a505d76a4b6cd426b59ff2d800d0394cc5d3",
              "status": "affected",
              "version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
              "versionType": "git"
            },
            {
              "lessThan": "e6ba921b17797ccc545d80e0dbccb5fab91c248c",
              "status": "affected",
              "version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
              "versionType": "git"
            },
            {
              "lessThan": "c28946b7409b7b68fb0481ec738c8b04578b11c6",
              "status": "affected",
              "version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
              "versionType": "git"
            },
            {
              "lessThan": "343fa9800cf9870ec681e21f0a6f2157b74ae520",
              "status": "affected",
              "version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
              "versionType": "git"
            },
            {
              "lessThan": "c34b04cc6178f33c08331568c7fd25c5b9a39f66",
              "status": "affected",
              "version": "7b2f3eb492dac7665c75df067e4d8e4869589f4a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/hda/codecs/side-codecs/cs35l41_hda.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.17"
            },
            {
              "lessThan": "5.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.64",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.13",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.2",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()\n\nThe acpi_get_first_physical_node() function can return NULL, in which\ncase the get_device() function also returns NULL, but this value is\nthen dereferenced without checking,so add a check to prevent a crash.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-11T16:29:49.942Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e63f9c81ca28b06eeeac3630faddc50717897351"
        },
        {
          "url": "https://git.kernel.org/stable/c/7a35a505d76a4b6cd426b59ff2d800d0394cc5d3"
        },
        {
          "url": "https://git.kernel.org/stable/c/e6ba921b17797ccc545d80e0dbccb5fab91c248c"
        },
        {
          "url": "https://git.kernel.org/stable/c/c28946b7409b7b68fb0481ec738c8b04578b11c6"
        },
        {
          "url": "https://git.kernel.org/stable/c/343fa9800cf9870ec681e21f0a6f2157b74ae520"
        },
        {
          "url": "https://git.kernel.org/stable/c/c34b04cc6178f33c08331568c7fd25c5b9a39f66"
        }
      ],
      "title": "ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68345",
    "datePublished": "2025-12-24T10:32:38.378Z",
    "dateReserved": "2025-12-16T14:48:05.299Z",
    "dateUpdated": "2026-01-11T16:29:49.942Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68167 (GCVE-0-2025-68167)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:42 – Updated: 2025-12-16 13:42

Title

gpiolib: fix invalid pointer access in debugfs

Summary

In the Linux kernel, the following vulnerability has been resolved: gpiolib: fix invalid pointer access in debugfs If the memory allocation in gpiolib_seq_start() fails, the s->private field remains uninitialized and is later dereferenced without checking in gpiolib_seq_stop(). Initialize s->private to NULL before calling kzalloc() and check it before dereferencing it.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/70180a6031056096c…
	https://git.kernel.org/stable/c/3c91c8f424d3e44c8…
	https://git.kernel.org/stable/c/2f6115ad8864cf3f4…

Impacted products

Vendor

Product

Version

Linux

Affected: e348544f7994d252427ed3ae637c7081cbb90f66 , < 70180a6031056096c93ed2f47c41803268bdd91c (git)
Affected: e348544f7994d252427ed3ae637c7081cbb90f66 , < 3c91c8f424d3e44c8645ab765a38773e58afb07d (git)
Affected: e348544f7994d252427ed3ae637c7081cbb90f66 , < 2f6115ad8864cf3f48598f26c74c7c8e5c391919 (git)

Linux

Affected: 6.9
Unaffected: 0 , < 6.9 (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpio/gpiolib.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "70180a6031056096c93ed2f47c41803268bdd91c",
              "status": "affected",
              "version": "e348544f7994d252427ed3ae637c7081cbb90f66",
              "versionType": "git"
            },
            {
              "lessThan": "3c91c8f424d3e44c8645ab765a38773e58afb07d",
              "status": "affected",
              "version": "e348544f7994d252427ed3ae637c7081cbb90f66",
              "versionType": "git"
            },
            {
              "lessThan": "2f6115ad8864cf3f48598f26c74c7c8e5c391919",
              "status": "affected",
              "version": "e348544f7994d252427ed3ae637c7081cbb90f66",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpio/gpiolib.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpiolib: fix invalid pointer access in debugfs\n\nIf the memory allocation in gpiolib_seq_start() fails, the s-\u003eprivate\nfield remains uninitialized and is later dereferenced without checking\nin gpiolib_seq_stop(). Initialize s-\u003eprivate to NULL before calling\nkzalloc() and check it before dereferencing it."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T13:42:47.480Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/70180a6031056096c93ed2f47c41803268bdd91c"
        },
        {
          "url": "https://git.kernel.org/stable/c/3c91c8f424d3e44c8645ab765a38773e58afb07d"
        },
        {
          "url": "https://git.kernel.org/stable/c/2f6115ad8864cf3f48598f26c74c7c8e5c391919"
        }
      ],
      "title": "gpiolib: fix invalid pointer access in debugfs",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68167",
    "datePublished": "2025-12-16T13:42:47.480Z",
    "dateReserved": "2025-12-16T13:41:40.250Z",
    "dateUpdated": "2025-12-16T13:42:47.480Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40279 (GCVE-0-2025-40279)

Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2025-12-06 21:51

Title

net: sched: act_connmark: initialize struct tc_ife to fix kernel leak

Summary

In the Linux kernel, the following vulnerability has been resolved: net: sched: act_connmark: initialize struct tc_ife to fix kernel leak In tcf_connmark_dump(), the variable 'opt' was partially initialized using a designatied initializer. While the padding bytes are reamined uninitialized. nla_put() copies the entire structure into a netlink message, these uninitialized bytes leaked to userspace. Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to beign copied.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/218b67c8c8246d47a…
	https://git.kernel.org/stable/c/73cc56c608c209d3d…
	https://git.kernel.org/stable/c/31e4aa93e2e5b5647…
	https://git.kernel.org/stable/c/51cb05d4fd6325968…
	https://git.kernel.org/stable/c/25837889ec062f2b7…
	https://git.kernel.org/stable/c/62b656e43eaeae445…

Impacted products

Vendor

Product

Version

Linux

Affected: 22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae , < 218b67c8c8246d47a2a7910eae80abe4861fe2b7 (git)
Affected: 22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae , < 73cc56c608c209d3d666cc571293b090a471da70 (git)
Affected: 22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae , < 31e4aa93e2e5b5647fc235b0f6ee329646878f9e (git)
Affected: 22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae , < 51cb05d4fd632596816ba44e882e84db9fb28a7e (git)
Affected: 22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae , < 25837889ec062f2b7618142cd80253dff3da5343 (git)
Affected: 22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae , < 62b656e43eaeae445a39cd8021a4f47065af4389 (git)

Linux

Affected: 4.0
Unaffected: 0 , < 4.0 (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.59 , ≤ 6.12.* (semver)
Unaffected: 6.17.9 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/act_connmark.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "218b67c8c8246d47a2a7910eae80abe4861fe2b7",
              "status": "affected",
              "version": "22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae",
              "versionType": "git"
            },
            {
              "lessThan": "73cc56c608c209d3d666cc571293b090a471da70",
              "status": "affected",
              "version": "22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae",
              "versionType": "git"
            },
            {
              "lessThan": "31e4aa93e2e5b5647fc235b0f6ee329646878f9e",
              "status": "affected",
              "version": "22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae",
              "versionType": "git"
            },
            {
              "lessThan": "51cb05d4fd632596816ba44e882e84db9fb28a7e",
              "status": "affected",
              "version": "22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae",
              "versionType": "git"
            },
            {
              "lessThan": "25837889ec062f2b7618142cd80253dff3da5343",
              "status": "affected",
              "version": "22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae",
              "versionType": "git"
            },
            {
              "lessThan": "62b656e43eaeae445a39cd8021a4f47065af4389",
              "status": "affected",
              "version": "22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/act_connmark.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.0"
            },
            {
              "lessThan": "4.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: act_connmark: initialize struct tc_ife to fix kernel leak\n\nIn tcf_connmark_dump(), the variable \u0027opt\u0027 was partially initialized using a\ndesignatied initializer. While the padding bytes are reamined\nuninitialized. nla_put() copies the entire structure into a\nnetlink message, these uninitialized bytes leaked to userspace.\n\nInitialize the structure with memset before assigning its fields\nto ensure all members and padding are cleared prior to beign copied."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-06T21:51:03.010Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/218b67c8c8246d47a2a7910eae80abe4861fe2b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/73cc56c608c209d3d666cc571293b090a471da70"
        },
        {
          "url": "https://git.kernel.org/stable/c/31e4aa93e2e5b5647fc235b0f6ee329646878f9e"
        },
        {
          "url": "https://git.kernel.org/stable/c/51cb05d4fd632596816ba44e882e84db9fb28a7e"
        },
        {
          "url": "https://git.kernel.org/stable/c/25837889ec062f2b7618142cd80253dff3da5343"
        },
        {
          "url": "https://git.kernel.org/stable/c/62b656e43eaeae445a39cd8021a4f47065af4389"
        }
      ],
      "title": "net: sched: act_connmark: initialize struct tc_ife to fix kernel leak",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40279",
    "datePublished": "2025-12-06T21:51:03.010Z",
    "dateReserved": "2025-04-16T07:20:57.184Z",
    "dateUpdated": "2025-12-06T21:51:03.010Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50758 (GCVE-0-2022-50758)

Vulnerability from cvelistv5 – Published: 2025-12-24 13:05 – Updated: 2026-01-02 15:04

Title

staging: vt6655: fix potential memory leak

Summary

In the Linux kernel, the following vulnerability has been resolved: staging: vt6655: fix potential memory leak In function device_init_td0_ring, memory is allocated for member td_info of priv->apTD0Rings[i], with i increasing from 0. In case of allocation failure, the memory is freed in reversed order, with i decreasing to 0. However, the case i=0 is left out and thus memory is leaked. Modify the memory freeing loop to include the case i=0.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e741e38aa98704fbb…
	https://git.kernel.org/stable/c/16a45e78a687eb6c6…
	https://git.kernel.org/stable/c/1b3cebeca99e8e0aa…
	https://git.kernel.org/stable/c/ff8551d411f12b5ab…
	https://git.kernel.org/stable/c/fb5f569bcda8f87bd…
	https://git.kernel.org/stable/c/cfdf139258614ef65…
	https://git.kernel.org/stable/c/c8ff91535880d41b4…

Impacted products

Vendor

Product

Version

Linux

Affected: 5341ee0adb17d12a96dc5344e0d267cd12b52135 , < e741e38aa98704fbb959650ecd270b71b2670680 (git)
Affected: 5341ee0adb17d12a96dc5344e0d267cd12b52135 , < 16a45e78a687eb6c69acc4e62b94b6508b0bfbda (git)
Affected: 5341ee0adb17d12a96dc5344e0d267cd12b52135 , < 1b3cebeca99e8e0aa4fa57faac8dbf41e967317a (git)
Affected: 5341ee0adb17d12a96dc5344e0d267cd12b52135 , < ff8551d411f12b5abc5ca929ab87643afa8a9588 (git)
Affected: 5341ee0adb17d12a96dc5344e0d267cd12b52135 , < fb5f569bcda8f87bd47d8030bfae343d757fa3ea (git)
Affected: 5341ee0adb17d12a96dc5344e0d267cd12b52135 , < cfdf139258614ef65b0f68b857ada5328fb7c0e5 (git)
Affected: 5341ee0adb17d12a96dc5344e0d267cd12b52135 , < c8ff91535880d41b49699b3829fb6151942de29e (git)

Linux

Affected: 4.18
Unaffected: 0 , < 4.18 (semver)
Unaffected: 4.19.262 , ≤ 4.19.* (semver)
Unaffected: 5.4.220 , ≤ 5.4.* (semver)
Unaffected: 5.10.150 , ≤ 5.10.* (semver)
Unaffected: 5.15.75 , ≤ 5.15.* (semver)
Unaffected: 5.19.17 , ≤ 5.19.* (semver)
Unaffected: 6.0.3 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/staging/vt6655/device_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e741e38aa98704fbb959650ecd270b71b2670680",
              "status": "affected",
              "version": "5341ee0adb17d12a96dc5344e0d267cd12b52135",
              "versionType": "git"
            },
            {
              "lessThan": "16a45e78a687eb6c69acc4e62b94b6508b0bfbda",
              "status": "affected",
              "version": "5341ee0adb17d12a96dc5344e0d267cd12b52135",
              "versionType": "git"
            },
            {
              "lessThan": "1b3cebeca99e8e0aa4fa57faac8dbf41e967317a",
              "status": "affected",
              "version": "5341ee0adb17d12a96dc5344e0d267cd12b52135",
              "versionType": "git"
            },
            {
              "lessThan": "ff8551d411f12b5abc5ca929ab87643afa8a9588",
              "status": "affected",
              "version": "5341ee0adb17d12a96dc5344e0d267cd12b52135",
              "versionType": "git"
            },
            {
              "lessThan": "fb5f569bcda8f87bd47d8030bfae343d757fa3ea",
              "status": "affected",
              "version": "5341ee0adb17d12a96dc5344e0d267cd12b52135",
              "versionType": "git"
            },
            {
              "lessThan": "cfdf139258614ef65b0f68b857ada5328fb7c0e5",
              "status": "affected",
              "version": "5341ee0adb17d12a96dc5344e0d267cd12b52135",
              "versionType": "git"
            },
            {
              "lessThan": "c8ff91535880d41b49699b3829fb6151942de29e",
              "status": "affected",
              "version": "5341ee0adb17d12a96dc5344e0d267cd12b52135",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/staging/vt6655/device_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.18"
            },
            {
              "lessThan": "4.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.262",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.220",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.262",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.220",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.150",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.75",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: vt6655: fix potential memory leak\n\nIn function device_init_td0_ring, memory is allocated for member\ntd_info of priv-\u003eapTD0Rings[i], with i increasing from 0. In case of\nallocation failure, the memory is freed in reversed order, with i\ndecreasing to 0. However, the case i=0 is left out and thus memory is\nleaked.\n\nModify the memory freeing loop to include the case i=0."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:04:27.666Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e741e38aa98704fbb959650ecd270b71b2670680"
        },
        {
          "url": "https://git.kernel.org/stable/c/16a45e78a687eb6c69acc4e62b94b6508b0bfbda"
        },
        {
          "url": "https://git.kernel.org/stable/c/1b3cebeca99e8e0aa4fa57faac8dbf41e967317a"
        },
        {
          "url": "https://git.kernel.org/stable/c/ff8551d411f12b5abc5ca929ab87643afa8a9588"
        },
        {
          "url": "https://git.kernel.org/stable/c/fb5f569bcda8f87bd47d8030bfae343d757fa3ea"
        },
        {
          "url": "https://git.kernel.org/stable/c/cfdf139258614ef65b0f68b857ada5328fb7c0e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/c8ff91535880d41b49699b3829fb6151942de29e"
        }
      ],
      "title": "staging: vt6655: fix potential memory leak",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50758",
    "datePublished": "2025-12-24T13:05:51.159Z",
    "dateReserved": "2025-12-24T13:02:21.545Z",
    "dateUpdated": "2026-01-02T15:04:27.666Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68746 (GCVE-0-2025-68746)

Vulnerability from cvelistv5 – Published: 2025-12-24 12:09 – Updated: 2026-01-19 12:18

Title

spi: tegra210-quad: Fix timeout handling

Summary

In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Fix timeout handling When the CPU that the QSPI interrupt handler runs on (typically CPU 0) is excessively busy, it can lead to rare cases of the IRQ thread not running before the transfer timeout is reached. While handling the timeouts, any pending transfers are cleaned up and the message that they correspond to is marked as failed, which leaves the curr_xfer field pointing at stale memory. To avoid this, clear curr_xfer to NULL upon timeout and check for this condition when the IRQ thread is finally run. While at it, also make sure to clear interrupts on failure so that new interrupts can be run. A better, more involved, fix would move the interrupt clearing into a hard IRQ handler. Ideally we would also want to signal that the IRQ thread no longer needs to be run after the timeout is hit to avoid the extra check for a valid transfer.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/88db8bb7ed1bb4746…
	https://git.kernel.org/stable/c/83309dd551cfd60a5…
	https://git.kernel.org/stable/c/c934e40246da2c572…
	https://git.kernel.org/stable/c/551060efb156c50fe…
	https://git.kernel.org/stable/c/bb0c58be84f907285…
	https://git.kernel.org/stable/c/01bbf25c767219b14…
	https://git.kernel.org/stable/c/b4e002d8a7cee3b1d…

Impacted products

Vendor

Product

Version

Linux

Affected: 921fc1838fb036f690b8ba52e6a6d3644b475cbb , < 88db8bb7ed1bb474618acdf05ebd4f0758d244e2 (git)
Affected: 921fc1838fb036f690b8ba52e6a6d3644b475cbb , < 83309dd551cfd60a5a1a98d9cab19f435b44d46d (git)
Affected: 921fc1838fb036f690b8ba52e6a6d3644b475cbb , < c934e40246da2c5726d14e94719c514e30840df8 (git)
Affected: 921fc1838fb036f690b8ba52e6a6d3644b475cbb , < 551060efb156c50fe33799038ba8145418cfdeef (git)
Affected: 921fc1838fb036f690b8ba52e6a6d3644b475cbb , < bb0c58be84f907285af45657c1d4847b960a12bf (git)
Affected: 921fc1838fb036f690b8ba52e6a6d3644b475cbb , < 01bbf25c767219b14c3235bfa85906b8d2cb8fbc (git)
Affected: 921fc1838fb036f690b8ba52e6a6d3644b475cbb , < b4e002d8a7cee3b1d70efad0e222567f92a73000 (git)

Linux

Affected: 5.12
Unaffected: 0 , < 5.12 (semver)
Unaffected: 5.15.198 , ≤ 5.15.* (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.63 , ≤ 6.12.* (semver)
Unaffected: 6.17.13 , ≤ 6.17.* (semver)
Unaffected: 6.18.2 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/spi/spi-tegra210-quad.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "88db8bb7ed1bb474618acdf05ebd4f0758d244e2",
              "status": "affected",
              "version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
              "versionType": "git"
            },
            {
              "lessThan": "83309dd551cfd60a5a1a98d9cab19f435b44d46d",
              "status": "affected",
              "version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
              "versionType": "git"
            },
            {
              "lessThan": "c934e40246da2c5726d14e94719c514e30840df8",
              "status": "affected",
              "version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
              "versionType": "git"
            },
            {
              "lessThan": "551060efb156c50fe33799038ba8145418cfdeef",
              "status": "affected",
              "version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
              "versionType": "git"
            },
            {
              "lessThan": "bb0c58be84f907285af45657c1d4847b960a12bf",
              "status": "affected",
              "version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
              "versionType": "git"
            },
            {
              "lessThan": "01bbf25c767219b14c3235bfa85906b8d2cb8fbc",
              "status": "affected",
              "version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
              "versionType": "git"
            },
            {
              "lessThan": "b4e002d8a7cee3b1d70efad0e222567f92a73000",
              "status": "affected",
              "version": "921fc1838fb036f690b8ba52e6a6d3644b475cbb",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/spi/spi-tegra210-quad.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.63",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.198",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.63",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.13",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.2",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: tegra210-quad: Fix timeout handling\n\nWhen the CPU that the QSPI interrupt handler runs on (typically CPU 0)\nis excessively busy, it can lead to rare cases of the IRQ thread not\nrunning before the transfer timeout is reached.\n\nWhile handling the timeouts, any pending transfers are cleaned up and\nthe message that they correspond to is marked as failed, which leaves\nthe curr_xfer field pointing at stale memory.\n\nTo avoid this, clear curr_xfer to NULL upon timeout and check for this\ncondition when the IRQ thread is finally run.\n\nWhile at it, also make sure to clear interrupts on failure so that new\ninterrupts can be run.\n\nA better, more involved, fix would move the interrupt clearing into a\nhard IRQ handler. Ideally we would also want to signal that the IRQ\nthread no longer needs to be run after the timeout is hit to avoid the\nextra check for a valid transfer."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-19T12:18:42.720Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/88db8bb7ed1bb474618acdf05ebd4f0758d244e2"
        },
        {
          "url": "https://git.kernel.org/stable/c/83309dd551cfd60a5a1a98d9cab19f435b44d46d"
        },
        {
          "url": "https://git.kernel.org/stable/c/c934e40246da2c5726d14e94719c514e30840df8"
        },
        {
          "url": "https://git.kernel.org/stable/c/551060efb156c50fe33799038ba8145418cfdeef"
        },
        {
          "url": "https://git.kernel.org/stable/c/bb0c58be84f907285af45657c1d4847b960a12bf"
        },
        {
          "url": "https://git.kernel.org/stable/c/01bbf25c767219b14c3235bfa85906b8d2cb8fbc"
        },
        {
          "url": "https://git.kernel.org/stable/c/b4e002d8a7cee3b1d70efad0e222567f92a73000"
        }
      ],
      "title": "spi: tegra210-quad: Fix timeout handling",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68746",
    "datePublished": "2025-12-24T12:09:42.213Z",
    "dateReserved": "2025-12-24T10:30:51.031Z",
    "dateUpdated": "2026-01-19T12:18:42.720Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40246 (GCVE-0-2025-40246)

Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-04 16:08

Title

xfs: fix out of bounds memory read error in symlink repair

Summary

In the Linux kernel, the following vulnerability has been resolved: xfs: fix out of bounds memory read error in symlink repair xfs/286 produced this report on my test fleet: ================================================================== BUG: KFENCE: out-of-bounds read in memcpy_orig+0x54/0x110 Out-of-bounds read at 0xffff88843fe9e038 (184B right of kfence-#184): memcpy_orig+0x54/0x110 xrep_symlink_salvage_inline+0xb3/0xf0 [xfs] xrep_symlink_salvage+0x100/0x110 [xfs] xrep_symlink+0x2e/0x80 [xfs] xrep_attempt+0x61/0x1f0 [xfs] xfs_scrub_metadata+0x34f/0x5c0 [xfs] xfs_ioc_scrubv_metadata+0x387/0x560 [xfs] xfs_file_ioctl+0xe23/0x10e0 [xfs] __x64_sys_ioctl+0x76/0xc0 do_syscall_64+0x4e/0x1e0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 kfence-#184: 0xffff88843fe9df80-0xffff88843fe9dfea, size=107, cache=kmalloc-128 allocated by task 3470 on cpu 1 at 263329.131592s (192823.508886s ago): xfs_init_local_fork+0x79/0xe0 [xfs] xfs_iformat_local+0xa4/0x170 [xfs] xfs_iformat_data_fork+0x148/0x180 [xfs] xfs_inode_from_disk+0x2cd/0x480 [xfs] xfs_iget+0x450/0xd60 [xfs] xfs_bulkstat_one_int+0x6b/0x510 [xfs] xfs_bulkstat_iwalk+0x1e/0x30 [xfs] xfs_iwalk_ag_recs+0xdf/0x150 [xfs] xfs_iwalk_run_callbacks+0xb9/0x190 [xfs] xfs_iwalk_ag+0x1dc/0x2f0 [xfs] xfs_iwalk_args.constprop.0+0x6a/0x120 [xfs] xfs_iwalk+0xa4/0xd0 [xfs] xfs_bulkstat+0xfa/0x170 [xfs] xfs_ioc_fsbulkstat.isra.0+0x13a/0x230 [xfs] xfs_file_ioctl+0xbf2/0x10e0 [xfs] __x64_sys_ioctl+0x76/0xc0 do_syscall_64+0x4e/0x1e0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 CPU: 1 UID: 0 PID: 1300113 Comm: xfs_scrub Not tainted 6.18.0-rc4-djwx #rc4 PREEMPT(lazy) 3d744dd94e92690f00a04398d2bd8631dcef1954 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-4.module+el8.8.0+21164+ed375313 04/01/2014 ================================================================== On further analysis, I realized that the second parameter to min() is not correct. xfs_ifork::if_bytes is the size of the xfs_ifork::if_data buffer. if_bytes can be smaller than the data fork size because: (a) the forkoff code tries to keep the data area as large as possible (b) for symbolic links, if_bytes is the ondisk file size + 1 (c) forkoff is always a multiple of 8. Case in point: for a single-byte symlink target, forkoff will be 8 but the buffer will only be 2 bytes long. In other words, the logic here is wrong and we walk off the end of the incore buffer. Fix that.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7c2d68e091584149f…
	https://git.kernel.org/stable/c/81a8685cac4bf081c…
	https://git.kernel.org/stable/c/678e1cc2f482e0985…

Impacted products

Vendor

Product

Version

Linux

Affected: 2651923d8d8db00a57665822f017fa7c76758044 , < 7c2d68e091584149fe89bcbaf9b99b3162d46ee7 (git)
Affected: 2651923d8d8db00a57665822f017fa7c76758044 , < 81a8685cac4bf081c93a7df591644f4f80240bb9 (git)
Affected: 2651923d8d8db00a57665822f017fa7c76758044 , < 678e1cc2f482e0985a0613ab4a5bf89c497e5acc (git)

Linux

Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.12.60 , ≤ 6.12.* (semver)
Unaffected: 6.17.10 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/xfs/scrub/symlink_repair.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7c2d68e091584149fe89bcbaf9b99b3162d46ee7",
              "status": "affected",
              "version": "2651923d8d8db00a57665822f017fa7c76758044",
              "versionType": "git"
            },
            {
              "lessThan": "81a8685cac4bf081c93a7df591644f4f80240bb9",
              "status": "affected",
              "version": "2651923d8d8db00a57665822f017fa7c76758044",
              "versionType": "git"
            },
            {
              "lessThan": "678e1cc2f482e0985a0613ab4a5bf89c497e5acc",
              "status": "affected",
              "version": "2651923d8d8db00a57665822f017fa7c76758044",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/xfs/scrub/symlink_repair.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.60",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.60",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.10",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: fix out of bounds memory read error in symlink repair\n\nxfs/286 produced this report on my test fleet:\n\n ==================================================================\n BUG: KFENCE: out-of-bounds read in memcpy_orig+0x54/0x110\n\n Out-of-bounds read at 0xffff88843fe9e038 (184B right of kfence-#184):\n  memcpy_orig+0x54/0x110\n  xrep_symlink_salvage_inline+0xb3/0xf0 [xfs]\n  xrep_symlink_salvage+0x100/0x110 [xfs]\n  xrep_symlink+0x2e/0x80 [xfs]\n  xrep_attempt+0x61/0x1f0 [xfs]\n  xfs_scrub_metadata+0x34f/0x5c0 [xfs]\n  xfs_ioc_scrubv_metadata+0x387/0x560 [xfs]\n  xfs_file_ioctl+0xe23/0x10e0 [xfs]\n  __x64_sys_ioctl+0x76/0xc0\n  do_syscall_64+0x4e/0x1e0\n  entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n kfence-#184: 0xffff88843fe9df80-0xffff88843fe9dfea, size=107, cache=kmalloc-128\n\n allocated by task 3470 on cpu 1 at 263329.131592s (192823.508886s ago):\n  xfs_init_local_fork+0x79/0xe0 [xfs]\n  xfs_iformat_local+0xa4/0x170 [xfs]\n  xfs_iformat_data_fork+0x148/0x180 [xfs]\n  xfs_inode_from_disk+0x2cd/0x480 [xfs]\n  xfs_iget+0x450/0xd60 [xfs]\n  xfs_bulkstat_one_int+0x6b/0x510 [xfs]\n  xfs_bulkstat_iwalk+0x1e/0x30 [xfs]\n  xfs_iwalk_ag_recs+0xdf/0x150 [xfs]\n  xfs_iwalk_run_callbacks+0xb9/0x190 [xfs]\n  xfs_iwalk_ag+0x1dc/0x2f0 [xfs]\n  xfs_iwalk_args.constprop.0+0x6a/0x120 [xfs]\n  xfs_iwalk+0xa4/0xd0 [xfs]\n  xfs_bulkstat+0xfa/0x170 [xfs]\n  xfs_ioc_fsbulkstat.isra.0+0x13a/0x230 [xfs]\n  xfs_file_ioctl+0xbf2/0x10e0 [xfs]\n  __x64_sys_ioctl+0x76/0xc0\n  do_syscall_64+0x4e/0x1e0\n  entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n CPU: 1 UID: 0 PID: 1300113 Comm: xfs_scrub Not tainted 6.18.0-rc4-djwx #rc4 PREEMPT(lazy)  3d744dd94e92690f00a04398d2bd8631dcef1954\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-4.module+el8.8.0+21164+ed375313 04/01/2014\n ==================================================================\n\nOn further analysis, I realized that the second parameter to min() is\nnot correct.  xfs_ifork::if_bytes is the size of the xfs_ifork::if_data\nbuffer.  if_bytes can be smaller than the data fork size because:\n\n(a) the forkoff code tries to keep the data area as large as possible\n(b) for symbolic links, if_bytes is the ondisk file size + 1\n(c) forkoff is always a multiple of 8.\n\nCase in point: for a single-byte symlink target, forkoff will be\n8 but the buffer will only be 2 bytes long.\n\nIn other words, the logic here is wrong and we walk off the end of the\nincore buffer.  Fix that."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-04T16:08:09.751Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7c2d68e091584149fe89bcbaf9b99b3162d46ee7"
        },
        {
          "url": "https://git.kernel.org/stable/c/81a8685cac4bf081c93a7df591644f4f80240bb9"
        },
        {
          "url": "https://git.kernel.org/stable/c/678e1cc2f482e0985a0613ab4a5bf89c497e5acc"
        }
      ],
      "title": "xfs: fix out of bounds memory read error in symlink repair",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40246",
    "datePublished": "2025-12-04T16:08:09.751Z",
    "dateReserved": "2025-04-16T07:20:57.181Z",
    "dateUpdated": "2025-12-04T16:08:09.751Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68289 (GCVE-0-2025-68289)

Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06

Title

usb: gadget: f_eem: Fix memory leak in eem_unwrap

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_eem: Fix memory leak in eem_unwrap The existing code did not handle the failure case of usb_ep_queue in the command path, potentially leading to memory leaks. Improve error handling to free all allocated resources on usb_ep_queue failure. This patch continues to use goto logic for error handling, as the existing error handling is complex and not easily adaptable to auto-cleanup helpers. kmemleak results: unreferenced object 0xffffff895a512300 (size 240): backtrace: slab_post_alloc_hook+0xbc/0x3a4 kmem_cache_alloc+0x1b4/0x358 skb_clone+0x90/0xd8 eem_unwrap+0x1cc/0x36c unreferenced object 0xffffff8a157f4000 (size 256): backtrace: slab_post_alloc_hook+0xbc/0x3a4 __kmem_cache_alloc_node+0x1b4/0x2dc kmalloc_trace+0x48/0x140 dwc3_gadget_ep_alloc_request+0x58/0x11c usb_ep_alloc_request+0x40/0xe4 eem_unwrap+0x204/0x36c unreferenced object 0xffffff8aadbaac00 (size 128): backtrace: slab_post_alloc_hook+0xbc/0x3a4 __kmem_cache_alloc_node+0x1b4/0x2dc __kmalloc+0x64/0x1a8 eem_unwrap+0x218/0x36c unreferenced object 0xffffff89ccef3500 (size 64): backtrace: slab_post_alloc_hook+0xbc/0x3a4 __kmem_cache_alloc_node+0x1b4/0x2dc kmalloc_trace+0x48/0x140 eem_unwrap+0x238/0x36c

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a9985a88b2fc29fbe…
	https://git.kernel.org/stable/c/5a1628283cd9dccf1…
	https://git.kernel.org/stable/c/0ac07e476944a5e4c…
	https://git.kernel.org/stable/c/41434488ca714ab15…
	https://git.kernel.org/stable/c/e72c963177c708a16…
	https://git.kernel.org/stable/c/0dea2e0069a7e9aa0…
	https://git.kernel.org/stable/c/e4f5ce990818d3793…

Impacted products

Vendor

Product

Version

Linux

Affected: 3b545788505b2e2883aff13bdddeacaf88942a4f , < a9985a88b2fc29fbe1657fe8518908e261d6889c (git)
Affected: 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 , < 5a1628283cd9dccf1e44acfb74e77504f4dc7472 (git)
Affected: 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 , < 0ac07e476944a5e4c2b8b087dd167dec248c1bdf (git)
Affected: 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 , < 41434488ca714ab15cb2a4d0378418d1be8052d2 (git)
Affected: 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 , < e72c963177c708a167a7e17ed6c76320815157cf (git)
Affected: 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 , < 0dea2e0069a7e9aa034696f8065945b7be6dd6b7 (git)
Affected: 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 , < e4f5ce990818d37930cd9fb0be29eee0553c59d9 (git)
Affected: d55a236f1bab102e353ea5abb7b7b6ff7e847294 (git)
Affected: 8e275d3d5915a8f7db3786e3f84534bb48245f4c (git)
Affected: 3680a6ff9a9ccd3c664663da04bef2534397d591 (git)
Affected: d654be97e1b679616e3337b871a9ec8f31a88841 (git)
Affected: 8bdef7f21cb6e53c0ce3e1cbcb05975aa0dd0fe9 (git)
Affected: 77d7f071883cf2921a7547f82e41f15f7f860e35 (git)
Affected: a55093941e38113dd6f5f5d5d2705fec3018f332 (git)

Linux

Affected: 5.14
Unaffected: 0 , < 5.14 (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.119 , ≤ 6.6.* (semver)
Unaffected: 6.12.61 , ≤ 6.12.* (semver)
Unaffected: 6.17.11 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/f_eem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a9985a88b2fc29fbe1657fe8518908e261d6889c",
              "status": "affected",
              "version": "3b545788505b2e2883aff13bdddeacaf88942a4f",
              "versionType": "git"
            },
            {
              "lessThan": "5a1628283cd9dccf1e44acfb74e77504f4dc7472",
              "status": "affected",
              "version": "4249d6fbc10fd997abdf8a1ea49c0389a0edf706",
              "versionType": "git"
            },
            {
              "lessThan": "0ac07e476944a5e4c2b8b087dd167dec248c1bdf",
              "status": "affected",
              "version": "4249d6fbc10fd997abdf8a1ea49c0389a0edf706",
              "versionType": "git"
            },
            {
              "lessThan": "41434488ca714ab15cb2a4d0378418d1be8052d2",
              "status": "affected",
              "version": "4249d6fbc10fd997abdf8a1ea49c0389a0edf706",
              "versionType": "git"
            },
            {
              "lessThan": "e72c963177c708a167a7e17ed6c76320815157cf",
              "status": "affected",
              "version": "4249d6fbc10fd997abdf8a1ea49c0389a0edf706",
              "versionType": "git"
            },
            {
              "lessThan": "0dea2e0069a7e9aa034696f8065945b7be6dd6b7",
              "status": "affected",
              "version": "4249d6fbc10fd997abdf8a1ea49c0389a0edf706",
              "versionType": "git"
            },
            {
              "lessThan": "e4f5ce990818d37930cd9fb0be29eee0553c59d9",
              "status": "affected",
              "version": "4249d6fbc10fd997abdf8a1ea49c0389a0edf706",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d55a236f1bab102e353ea5abb7b7b6ff7e847294",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "8e275d3d5915a8f7db3786e3f84534bb48245f4c",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3680a6ff9a9ccd3c664663da04bef2534397d591",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d654be97e1b679616e3337b871a9ec8f31a88841",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "8bdef7f21cb6e53c0ce3e1cbcb05975aa0dd0fe9",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "77d7f071883cf2921a7547f82e41f15f7f860e35",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a55093941e38113dd6f5f5d5d2705fec3018f332",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/f_eem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.119",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "5.10.50",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.119",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.61",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.11",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.4.276",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.9.276",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.240",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.198",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.132",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.12.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.13.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_eem: Fix memory leak in eem_unwrap\n\nThe existing code did not handle the failure case of usb_ep_queue in the\ncommand path, potentially leading to memory leaks.\n\nImprove error handling to free all allocated resources on usb_ep_queue\nfailure. This patch continues to use goto logic for error handling, as the\nexisting error handling is complex and not easily adaptable to auto-cleanup\nhelpers.\n\nkmemleak results:\n  unreferenced object 0xffffff895a512300 (size 240):\n    backtrace:\n      slab_post_alloc_hook+0xbc/0x3a4\n      kmem_cache_alloc+0x1b4/0x358\n      skb_clone+0x90/0xd8\n      eem_unwrap+0x1cc/0x36c\n  unreferenced object 0xffffff8a157f4000 (size 256):\n    backtrace:\n      slab_post_alloc_hook+0xbc/0x3a4\n      __kmem_cache_alloc_node+0x1b4/0x2dc\n      kmalloc_trace+0x48/0x140\n      dwc3_gadget_ep_alloc_request+0x58/0x11c\n      usb_ep_alloc_request+0x40/0xe4\n      eem_unwrap+0x204/0x36c\n  unreferenced object 0xffffff8aadbaac00 (size 128):\n    backtrace:\n      slab_post_alloc_hook+0xbc/0x3a4\n      __kmem_cache_alloc_node+0x1b4/0x2dc\n      __kmalloc+0x64/0x1a8\n      eem_unwrap+0x218/0x36c\n  unreferenced object 0xffffff89ccef3500 (size 64):\n    backtrace:\n      slab_post_alloc_hook+0xbc/0x3a4\n      __kmem_cache_alloc_node+0x1b4/0x2dc\n      kmalloc_trace+0x48/0x140\n      eem_unwrap+0x238/0x36c"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T15:06:10.450Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a9985a88b2fc29fbe1657fe8518908e261d6889c"
        },
        {
          "url": "https://git.kernel.org/stable/c/5a1628283cd9dccf1e44acfb74e77504f4dc7472"
        },
        {
          "url": "https://git.kernel.org/stable/c/0ac07e476944a5e4c2b8b087dd167dec248c1bdf"
        },
        {
          "url": "https://git.kernel.org/stable/c/41434488ca714ab15cb2a4d0378418d1be8052d2"
        },
        {
          "url": "https://git.kernel.org/stable/c/e72c963177c708a167a7e17ed6c76320815157cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/0dea2e0069a7e9aa034696f8065945b7be6dd6b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/e4f5ce990818d37930cd9fb0be29eee0553c59d9"
        }
      ],
      "title": "usb: gadget: f_eem: Fix memory leak in eem_unwrap",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68289",
    "datePublished": "2025-12-16T15:06:10.450Z",
    "dateReserved": "2025-12-16T14:48:05.292Z",
    "dateUpdated": "2025-12-16T15:06:10.450Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68239 (GCVE-0-2025-68239)

Vulnerability from cvelistv5 – Published: 2025-12-16 14:21 – Updated: 2025-12-16 14:21

Title

binfmt_misc: restore write access before closing files opened by open_exec()

Summary

In the Linux kernel, the following vulnerability has been resolved: binfmt_misc: restore write access before closing files opened by open_exec() bm_register_write() opens an executable file using open_exec(), which internally calls do_open_execat() and denies write access on the file to avoid modification while it is being executed. However, when an error occurs, bm_register_write() closes the file using filp_close() directly. This does not restore the write permission, which may cause subsequent write operations on the same file to fail. Fix this by calling exe_file_allow_write_access() before filp_close() to restore the write permission properly.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e785f552ab04dbca0…
	https://git.kernel.org/stable/c/90f601b497d76f40f…

Impacted products

Vendor

Product

Version

Linux

Affected: e7850f4d844e0acfac7e570af611d89deade3146 , < e785f552ab04dbca01d31f0334f4561240b04459 (git)
Affected: e7850f4d844e0acfac7e570af611d89deade3146 , < 90f601b497d76f40fa66795c3ecf625b6aced9fd (git)
Affected: 467a50d5db7deaf656e18a1f633be9ecd94b393a (git)
Affected: 4a8b4124ea4156ca52918b66c750a69c6d932aa5 (git)
Affected: 3fe116e33a855bbfdd32dc207e9be2a41e3ed3a6 (git)
Affected: c0e0ab60d0b15469e69db93215dad009999f5a5b (git)
Affected: 5ab9464a2a3c538eedbb438f1802f2fd98d0953f (git)
Affected: d28492be82e19fc69cc69975fc2052b37ef0c821 (git)

Linux

Affected: 5.12
Unaffected: 0 , < 5.12 (semver)
Unaffected: 6.17.9 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/binfmt_misc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e785f552ab04dbca01d31f0334f4561240b04459",
              "status": "affected",
              "version": "e7850f4d844e0acfac7e570af611d89deade3146",
              "versionType": "git"
            },
            {
              "lessThan": "90f601b497d76f40fa66795c3ecf625b6aced9fd",
              "status": "affected",
              "version": "e7850f4d844e0acfac7e570af611d89deade3146",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "467a50d5db7deaf656e18a1f633be9ecd94b393a",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "4a8b4124ea4156ca52918b66c750a69c6d932aa5",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3fe116e33a855bbfdd32dc207e9be2a41e3ed3a6",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "c0e0ab60d0b15469e69db93215dad009999f5a5b",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "5ab9464a2a3c538eedbb438f1802f2fd98d0953f",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d28492be82e19fc69cc69975fc2052b37ef0c821",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/binfmt_misc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.9.262",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.226",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.181",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.106",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.10.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.11.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinfmt_misc: restore write access before closing files opened by open_exec()\n\nbm_register_write() opens an executable file using open_exec(), which\ninternally calls do_open_execat() and denies write access on the file to\navoid modification while it is being executed.\n\nHowever, when an error occurs, bm_register_write() closes the file using\nfilp_close() directly. This does not restore the write permission, which\nmay cause subsequent write operations on the same file to fail.\n\nFix this by calling exe_file_allow_write_access() before filp_close() to\nrestore the write permission properly."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T14:21:16.889Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e785f552ab04dbca01d31f0334f4561240b04459"
        },
        {
          "url": "https://git.kernel.org/stable/c/90f601b497d76f40fa66795c3ecf625b6aced9fd"
        }
      ],
      "title": "binfmt_misc: restore write access before closing files opened by open_exec()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68239",
    "datePublished": "2025-12-16T14:21:16.889Z",
    "dateReserved": "2025-12-16T13:41:40.263Z",
    "dateUpdated": "2025-12-16T14:21:16.889Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68736 (GCVE-0-2025-68736)

Vulnerability from cvelistv5 – Published: 2025-12-24 12:09 – Updated: 2025-12-24 12:09

Title

landlock: Fix handling of disconnected directories

Summary

In the Linux kernel, the following vulnerability has been resolved: landlock: Fix handling of disconnected directories Disconnected files or directories can appear when they are visible and opened from a bind mount, but have been renamed or moved from the source of the bind mount in a way that makes them inaccessible from the mount point (i.e. out of scope). Previously, access rights tied to files or directories opened through a disconnected directory were collected by walking the related hierarchy down to the root of the filesystem, without taking into account the mount point because it couldn't be found. This could lead to inconsistent access results, potential access right widening, and hard-to-debug renames, especially since such paths cannot be printed. For a sandboxed task to create a disconnected directory, it needs to have write access (i.e. FS_MAKE_REG, FS_REMOVE_FILE, and FS_REFER) to the underlying source of the bind mount, and read access to the related mount point. Because a sandboxed task cannot acquire more access rights than those defined by its Landlock domain, this could lead to inconsistent access rights due to missing permissions that should be inherited from the mount point hierarchy, while inheriting permissions from the filesystem hierarchy hidden by this mount point instead. Landlock now handles files and directories opened from disconnected directories by taking into account the filesystem hierarchy when the mount point is not found in the hierarchy walk, and also always taking into account the mount point from which these disconnected directories were opened. This ensures that a rename is not allowed if it would widen access rights [1]. The rationale is that, even if disconnected hierarchies might not be visible or accessible to a sandboxed task, relying on the collected access rights from them improves the guarantee that access rights will not be widened during a rename because of the access right comparison between the source and the destination (see LANDLOCK_ACCESS_FS_REFER). It may look like this would grant more access on disconnected files and directories, but the security policies are always enforced for all the evaluated hierarchies. This new behavior should be less surprising to users and safer from an access control perspective. Remove a wrong WARN_ON_ONCE() canary in collect_domain_accesses() and fix the related comment. Because opened files have their access rights stored in the related file security properties, there is no impact for disconnected or unlinked files.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/cadb28f8b3fd6908e…
	https://git.kernel.org/stable/c/49c9e09d961025b22…

Impacted products

Vendor

Product

Version

Linux

Affected: cb2c7d1a1776057c9a1f48ed1250d85e94d4850d , < cadb28f8b3fd6908e3051e86158c65c3a8e1c907 (git)
Affected: cb2c7d1a1776057c9a1f48ed1250d85e94d4850d , < 49c9e09d961025b22e61ef9ad56aa1c21b6ce2f1 (git)

Linux

Affected: 5.13
Unaffected: 0 , < 5.13 (semver)
Unaffected: 6.18.2 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "security/landlock/errata/abi-1.h",
            "security/landlock/fs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cadb28f8b3fd6908e3051e86158c65c3a8e1c907",
              "status": "affected",
              "version": "cb2c7d1a1776057c9a1f48ed1250d85e94d4850d",
              "versionType": "git"
            },
            {
              "lessThan": "49c9e09d961025b22e61ef9ad56aa1c21b6ce2f1",
              "status": "affected",
              "version": "cb2c7d1a1776057c9a1f48ed1250d85e94d4850d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "security/landlock/errata/abi-1.h",
            "security/landlock/fs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.2",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlandlock: Fix handling of disconnected directories\n\nDisconnected files or directories can appear when they are visible and\nopened from a bind mount, but have been renamed or moved from the source\nof the bind mount in a way that makes them inaccessible from the mount\npoint (i.e. out of scope).\n\nPreviously, access rights tied to files or directories opened through a\ndisconnected directory were collected by walking the related hierarchy\ndown to the root of the filesystem, without taking into account the\nmount point because it couldn\u0027t be found. This could lead to\ninconsistent access results, potential access right widening, and\nhard-to-debug renames, especially since such paths cannot be printed.\n\nFor a sandboxed task to create a disconnected directory, it needs to\nhave write access (i.e. FS_MAKE_REG, FS_REMOVE_FILE, and FS_REFER) to\nthe underlying source of the bind mount, and read access to the related\nmount point.   Because a sandboxed task cannot acquire more access\nrights than those defined by its Landlock domain, this could lead to\ninconsistent access rights due to missing permissions that should be\ninherited from the mount point hierarchy, while inheriting permissions\nfrom the filesystem hierarchy hidden by this mount point instead.\n\nLandlock now handles files and directories opened from disconnected\ndirectories by taking into account the filesystem hierarchy when the\nmount point is not found in the hierarchy walk, and also always taking\ninto account the mount point from which these disconnected directories\nwere opened.  This ensures that a rename is not allowed if it would\nwiden access rights [1].\n\nThe rationale is that, even if disconnected hierarchies might not be\nvisible or accessible to a sandboxed task, relying on the collected\naccess rights from them improves the guarantee that access rights will\nnot be widened during a rename because of the access right comparison\nbetween the source and the destination (see LANDLOCK_ACCESS_FS_REFER).\nIt may look like this would grant more access on disconnected files and\ndirectories, but the security policies are always enforced for all the\nevaluated hierarchies.  This new behavior should be less surprising to\nusers and safer from an access control perspective.\n\nRemove a wrong WARN_ON_ONCE() canary in collect_domain_accesses() and\nfix the related comment.\n\nBecause opened files have their access rights stored in the related file\nsecurity properties, there is no impact for disconnected or unlinked\nfiles."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-24T12:09:35.081Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cadb28f8b3fd6908e3051e86158c65c3a8e1c907"
        },
        {
          "url": "https://git.kernel.org/stable/c/49c9e09d961025b22e61ef9ad56aa1c21b6ce2f1"
        }
      ],
      "title": "landlock: Fix handling of disconnected directories",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68736",
    "datePublished": "2025-12-24T12:09:35.081Z",
    "dateReserved": "2025-12-24T10:30:51.029Z",
    "dateUpdated": "2025-12-24T12:09:35.081Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40310 (GCVE-0-2025-40310)

Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-01-26 16:17

Title

amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw

Summary

In the Linux kernel, the following vulnerability has been resolved: amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw There is race in amdgpu_amdkfd_device_fini_sw and interrupt. if amdgpu_amdkfd_device_fini_sw run in b/w kfd_cleanup_nodes and kfree(kfd), and KGD interrupt generated. kernel panic log: BUG: kernel NULL pointer dereference, address: 0000000000000098 amdgpu 0000:c8:00.0: amdgpu: Requesting 4 partitions through PSP PGD d78c68067 P4D d78c68067 kfd kfd: amdgpu: Allocated 3969056 bytes on gart PUD 1465b8067 PMD @ Oops: @002 [#1] SMP NOPTI kfd kfd: amdgpu: Total number of KFD nodes to be created: 4 CPU: 115 PID: @ Comm: swapper/115 Kdump: loaded Tainted: G S W OE K RIP: 0010:_raw_spin_lock_irqsave+0x12/0x40 Code: 89 e@ 41 5c c3 cc cc cc cc 66 66 2e Of 1f 84 00 00 00 00 00 OF 1f 40 00 Of 1f 44% 00 00 41 54 9c 41 5c fa 31 cO ba 01 00 00 00 <fO> OF b1 17 75 Ba 4c 89 e@ 41 Sc 89 c6 e8 07 38 5d RSP: 0018: ffffc90@1a6b0e28 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000018 0000000000000001 RSI: ffff8883bb623e00 RDI: 0000000000000098 ffff8883bb000000 RO8: ffff888100055020 ROO: ffff888100055020 0000000000000000 R11: 0000000000000000 R12: 0900000000000002 ffff888F2b97da0@ R14: @000000000000098 R15: ffff8883babdfo00 CS: 010 DS: 0000 ES: 0000 CRO: 0000000080050033 CR2: 0000000000000098 CR3: 0000000e7cae2006 CR4: 0000000002770ce0 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 0000000000000000 DR6: 00000000fffeO7FO DR7: 0000000000000400 PKRU: 55555554 Call Trace: <IRQ> kgd2kfd_interrupt+@x6b/0x1f@ [amdgpu] ? amdgpu_fence_process+0xa4/0x150 [amdgpu] kfd kfd: amdgpu: Node: 0, interrupt_bitmap: 3 YcpxFl Rant tErace amdgpu_irq_dispatch+0x165/0x210 [amdgpu] amdgpu_ih_process+0x80/0x100 [amdgpu] amdgpu: Virtual CRAT table created for GPU amdgpu_irq_handler+0x1f/@x60 [amdgpu] __handle_irq_event_percpu+0x3d/0x170 amdgpu: Topology: Add dGPU node [0x74a2:0x1002] handle_irq_event+0x5a/@xcO handle_edge_irq+0x93/0x240 kfd kfd: amdgpu: KFD node 1 partition @ size 49148M asm_call_irq_on_stack+0xf/@x20 </IRQ> common_interrupt+0xb3/0x130 asm_common_interrupt+0x1le/0x40 5.10.134-010.a1i5000.a18.x86_64 #1

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/93f8d67ef8b50334a…
	https://git.kernel.org/stable/c/bc9e789053abe463f…
	https://git.kernel.org/stable/c/2f89a2d15550b653c…
	https://git.kernel.org/stable/c/99d7181bca34e96fb…

Impacted products

Vendor

Product

Version

Linux

Affected: 74c5b85da75475c73a8f040397610fbfcc2c3e78 , < 93f8d67ef8b50334a26129df4da5a4cb60ad4090 (git)
Affected: 74c5b85da75475c73a8f040397610fbfcc2c3e78 , < bc9e789053abe463f8cf74eee5fc2f157c11a79f (git)
Affected: 74c5b85da75475c73a8f040397610fbfcc2c3e78 , < 2f89a2d15550b653caaeeab7ab68c4d7583fd4fe (git)
Affected: 74c5b85da75475c73a8f040397610fbfcc2c3e78 , < 99d7181bca34e96fbf61bdb6844918bdd4df2814 (git)

Linux

Affected: 6.5
Unaffected: 0 , < 6.5 (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdkfd/kfd_device.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "93f8d67ef8b50334a26129df4da5a4cb60ad4090",
              "status": "affected",
              "version": "74c5b85da75475c73a8f040397610fbfcc2c3e78",
              "versionType": "git"
            },
            {
              "lessThan": "bc9e789053abe463f8cf74eee5fc2f157c11a79f",
              "status": "affected",
              "version": "74c5b85da75475c73a8f040397610fbfcc2c3e78",
              "versionType": "git"
            },
            {
              "lessThan": "2f89a2d15550b653caaeeab7ab68c4d7583fd4fe",
              "status": "affected",
              "version": "74c5b85da75475c73a8f040397610fbfcc2c3e78",
              "versionType": "git"
            },
            {
              "lessThan": "99d7181bca34e96fbf61bdb6844918bdd4df2814",
              "status": "affected",
              "version": "74c5b85da75475c73a8f040397610fbfcc2c3e78",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdkfd/kfd_device.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\namd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw\n\nThere is race in amdgpu_amdkfd_device_fini_sw and interrupt.\nif amdgpu_amdkfd_device_fini_sw run in b/w kfd_cleanup_nodes and\n  kfree(kfd), and KGD interrupt generated.\n\nkernel panic log:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000098\namdgpu 0000:c8:00.0: amdgpu: Requesting 4 partitions through PSP\n\nPGD d78c68067 P4D d78c68067\n\nkfd kfd: amdgpu: Allocated 3969056 bytes on gart\n\nPUD 1465b8067 PMD @\n\nOops: @002 [#1] SMP NOPTI\n\nkfd kfd: amdgpu: Total number of KFD nodes to be created: 4\nCPU: 115 PID: @ Comm: swapper/115 Kdump: loaded Tainted: G S W OE K\n\nRIP: 0010:_raw_spin_lock_irqsave+0x12/0x40\n\nCode: 89 e@ 41 5c c3 cc cc cc cc 66 66 2e Of 1f 84 00 00 00 00 00 OF 1f 40 00 Of 1f 44% 00 00 41 54 9c 41 5c fa 31 cO ba 01 00 00 00 \u003cfO\u003e OF b1 17 75 Ba 4c 89 e@ 41 Sc\n\n89 c6 e8 07 38 5d\n\nRSP: 0018: ffffc90@1a6b0e28 EFLAGS: 00010046\n\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000018\n0000000000000001 RSI: ffff8883bb623e00 RDI: 0000000000000098\nffff8883bb000000 RO8: ffff888100055020 ROO: ffff888100055020\n0000000000000000 R11: 0000000000000000 R12: 0900000000000002\nffff888F2b97da0@ R14: @000000000000098 R15: ffff8883babdfo00\n\nCS: 010 DS: 0000 ES: 0000 CRO: 0000000080050033\n\nCR2: 0000000000000098 CR3: 0000000e7cae2006 CR4: 0000000002770ce0\n0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n0000000000000000 DR6: 00000000fffeO7FO DR7: 0000000000000400\n\nPKRU: 55555554\n\nCall Trace:\n\n\u003cIRQ\u003e\n\nkgd2kfd_interrupt+@x6b/0x1f@ [amdgpu]\n\n? amdgpu_fence_process+0xa4/0x150 [amdgpu]\n\nkfd kfd: amdgpu: Node: 0, interrupt_bitmap: 3 YcpxFl Rant tErace\n\namdgpu_irq_dispatch+0x165/0x210 [amdgpu]\n\namdgpu_ih_process+0x80/0x100 [amdgpu]\n\namdgpu: Virtual CRAT table created for GPU\n\namdgpu_irq_handler+0x1f/@x60 [amdgpu]\n\n__handle_irq_event_percpu+0x3d/0x170\n\namdgpu: Topology: Add dGPU node [0x74a2:0x1002]\n\nhandle_irq_event+0x5a/@xcO\n\nhandle_edge_irq+0x93/0x240\n\nkfd kfd: amdgpu: KFD node 1 partition @ size 49148M\n\nasm_call_irq_on_stack+0xf/@x20\n\n\u003c/IRQ\u003e\n\ncommon_interrupt+0xb3/0x130\n\nasm_common_interrupt+0x1le/0x40\n\n5.10.134-010.a1i5000.a18.x86_64 #1"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-26T16:17:48.005Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/93f8d67ef8b50334a26129df4da5a4cb60ad4090"
        },
        {
          "url": "https://git.kernel.org/stable/c/bc9e789053abe463f8cf74eee5fc2f157c11a79f"
        },
        {
          "url": "https://git.kernel.org/stable/c/2f89a2d15550b653caaeeab7ab68c4d7583fd4fe"
        },
        {
          "url": "https://git.kernel.org/stable/c/99d7181bca34e96fbf61bdb6844918bdd4df2814"
        }
      ],
      "title": "amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40310",
    "datePublished": "2025-12-08T00:46:35.862Z",
    "dateReserved": "2025-04-16T07:20:57.185Z",
    "dateUpdated": "2026-01-26T16:17:48.005Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40332 (GCVE-0-2025-40332)

Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2026-01-26 16:17

Title

drm/amdkfd: Fix mmap write lock not release

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix mmap write lock not release If mmap write lock is taken while draining retry fault, mmap write lock is not released because svm_range_restore_pages calls mmap_read_unlock then returns. This causes deadlock and system hangs later because mmap read or write lock cannot be taken. Downgrade mmap write lock to read lock if draining retry fault fix this bug.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e2105ba1c262dcaa9…
	https://git.kernel.org/stable/c/f7569ef1cf978aa87…
	https://git.kernel.org/stable/c/7574f30337e19045f…

Impacted products

Vendor

Product

Version

Linux

Affected: e64be12f8401819662e608efa247638b61d023cd , < e2105ba1c262dcaa9573f11844b6e1e1ca762c3f (git)
Affected: f844732e3ad9c4b78df7436232949b8d2096d1a6 , < f7569ef1cf978aa87aa81b5e9bf40a77497f3685 (git)
Affected: f844732e3ad9c4b78df7436232949b8d2096d1a6 , < 7574f30337e19045f03126b4c51f525b84e5049e (git)
Affected: 177660d7ecb34298dab5f0d1efc7e8b02f934551 (git)
Affected: 5a3c09bd25cc0a55ec9c048710d379fa2c84b4e7 (git)

Linux

Affected: 6.15
Unaffected: 0 , < 6.15 (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdkfd/kfd_svm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e2105ba1c262dcaa9573f11844b6e1e1ca762c3f",
              "status": "affected",
              "version": "e64be12f8401819662e608efa247638b61d023cd",
              "versionType": "git"
            },
            {
              "lessThan": "f7569ef1cf978aa87aa81b5e9bf40a77497f3685",
              "status": "affected",
              "version": "f844732e3ad9c4b78df7436232949b8d2096d1a6",
              "versionType": "git"
            },
            {
              "lessThan": "7574f30337e19045f03126b4c51f525b84e5049e",
              "status": "affected",
              "version": "f844732e3ad9c4b78df7436232949b8d2096d1a6",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "177660d7ecb34298dab5f0d1efc7e8b02f934551",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "5a3c09bd25cc0a55ec9c048710d379fa2c84b4e7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdkfd/kfd_svm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.15"
            },
            {
              "lessThan": "6.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "6.12.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.13.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.14.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix mmap write lock not release\n\nIf mmap write lock is taken while draining retry fault, mmap write lock\nis not released because svm_range_restore_pages calls mmap_read_unlock\nthen returns. This causes deadlock and system hangs later because mmap\nread or write lock cannot be taken.\n\nDowngrade mmap write lock to read lock if draining retry fault fix this\nbug."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-26T16:17:49.499Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e2105ba1c262dcaa9573f11844b6e1e1ca762c3f"
        },
        {
          "url": "https://git.kernel.org/stable/c/f7569ef1cf978aa87aa81b5e9bf40a77497f3685"
        },
        {
          "url": "https://git.kernel.org/stable/c/7574f30337e19045f03126b4c51f525b84e5049e"
        }
      ],
      "title": "drm/amdkfd: Fix mmap write lock not release",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40332",
    "datePublished": "2025-12-09T04:09:49.164Z",
    "dateReserved": "2025-04-16T07:20:57.186Z",
    "dateUpdated": "2026-01-26T16:17:49.499Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40331 (GCVE-0-2025-40331)

Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2025-12-09 04:09

Title

sctp: Prevent TOCTOU out-of-bounds write

Summary

In the Linux kernel, the following vulnerability has been resolved: sctp: Prevent TOCTOU out-of-bounds write For the following path not holding the sock lock, sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump() make sure not to exceed bounds in case the address list has grown between buffer allocation (time-of-check) and write (time-of-use).

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b106a68df0650b694…
	https://git.kernel.org/stable/c/3006959371007fc2e…
	https://git.kernel.org/stable/c/72e3fea68eac8d088…
	https://git.kernel.org/stable/c/584307275b2048991…
	https://git.kernel.org/stable/c/c9119f243d9c0da3c…
	https://git.kernel.org/stable/c/2fe08fcaacb7eb019…
	https://git.kernel.org/stable/c/89eac1e150dbd4296…
	https://git.kernel.org/stable/c/95aef86ab231f047b…

Impacted products

Vendor

Product

Version

Linux

Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < b106a68df0650b694b254427cd9250c04500edd3 (git)
Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < 3006959371007fc2eae4a078f823c680fa52de1a (git)
Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < 72e3fea68eac8d088e44c3dd954e843478e9240e (git)
Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < 584307275b2048991b2e8984962189b6cc0a9b85 (git)
Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < c9119f243d9c0da3c3b5f577a328de3e7ffd1b42 (git)
Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < 2fe08fcaacb7eb019fa9c81db39b2214de216677 (git)
Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < 89eac1e150dbd42963e13d23828cb8c4e0763196 (git)
Affected: 8f840e47f190cbe61a96945c13e9551048d42cef , < 95aef86ab231f047bb8085c70666059b58f53c09 (git)

Linux

Affected: 4.7
Unaffected: 0 , < 4.7 (semver)
Unaffected: 5.4.302 , ≤ 5.4.* (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/diag.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b106a68df0650b694b254427cd9250c04500edd3",
              "status": "affected",
              "version": "8f840e47f190cbe61a96945c13e9551048d42cef",
              "versionType": "git"
            },
            {
              "lessThan": "3006959371007fc2eae4a078f823c680fa52de1a",
              "status": "affected",
              "version": "8f840e47f190cbe61a96945c13e9551048d42cef",
              "versionType": "git"
            },
            {
              "lessThan": "72e3fea68eac8d088e44c3dd954e843478e9240e",
              "status": "affected",
              "version": "8f840e47f190cbe61a96945c13e9551048d42cef",
              "versionType": "git"
            },
            {
              "lessThan": "584307275b2048991b2e8984962189b6cc0a9b85",
              "status": "affected",
              "version": "8f840e47f190cbe61a96945c13e9551048d42cef",
              "versionType": "git"
            },
            {
              "lessThan": "c9119f243d9c0da3c3b5f577a328de3e7ffd1b42",
              "status": "affected",
              "version": "8f840e47f190cbe61a96945c13e9551048d42cef",
              "versionType": "git"
            },
            {
              "lessThan": "2fe08fcaacb7eb019fa9c81db39b2214de216677",
              "status": "affected",
              "version": "8f840e47f190cbe61a96945c13e9551048d42cef",
              "versionType": "git"
            },
            {
              "lessThan": "89eac1e150dbd42963e13d23828cb8c4e0763196",
              "status": "affected",
              "version": "8f840e47f190cbe61a96945c13e9551048d42cef",
              "versionType": "git"
            },
            {
              "lessThan": "95aef86ab231f047bb8085c70666059b58f53c09",
              "status": "affected",
              "version": "8f840e47f190cbe61a96945c13e9551048d42cef",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/diag.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.7"
            },
            {
              "lessThan": "4.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.302",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.302",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: Prevent TOCTOU out-of-bounds write\n\nFor the following path not holding the sock lock,\n\n  sctp_diag_dump() -\u003e sctp_for_each_endpoint() -\u003e sctp_ep_dump()\n\nmake sure not to exceed bounds in case the address list has grown\nbetween buffer allocation (time-of-check) and write (time-of-use)."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T04:09:48.196Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b106a68df0650b694b254427cd9250c04500edd3"
        },
        {
          "url": "https://git.kernel.org/stable/c/3006959371007fc2eae4a078f823c680fa52de1a"
        },
        {
          "url": "https://git.kernel.org/stable/c/72e3fea68eac8d088e44c3dd954e843478e9240e"
        },
        {
          "url": "https://git.kernel.org/stable/c/584307275b2048991b2e8984962189b6cc0a9b85"
        },
        {
          "url": "https://git.kernel.org/stable/c/c9119f243d9c0da3c3b5f577a328de3e7ffd1b42"
        },
        {
          "url": "https://git.kernel.org/stable/c/2fe08fcaacb7eb019fa9c81db39b2214de216677"
        },
        {
          "url": "https://git.kernel.org/stable/c/89eac1e150dbd42963e13d23828cb8c4e0763196"
        },
        {
          "url": "https://git.kernel.org/stable/c/95aef86ab231f047bb8085c70666059b58f53c09"
        }
      ],
      "title": "sctp: Prevent TOCTOU out-of-bounds write",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40331",
    "datePublished": "2025-12-09T04:09:48.196Z",
    "dateReserved": "2025-04-16T07:20:57.186Z",
    "dateUpdated": "2025-12-09T04:09:48.196Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40221 (GCVE-0-2025-40221)

Vulnerability from cvelistv5 – Published: 2025-12-04 14:50 – Updated: 2025-12-04 14:50

Title

media: pci: mg4b: fix uninitialized iio scan data

Summary

In the Linux kernel, the following vulnerability has been resolved: media: pci: mg4b: fix uninitialized iio scan data Fix potential leak of uninitialized stack data to userspace by ensuring that the `scan` structure is zeroed before use.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b7f82da7f86479cb6…
	https://git.kernel.org/stable/c/b792eba44494b4e6a…
	https://git.kernel.org/stable/c/c0d3f6969bb4d7247…

Impacted products

Vendor

Product

Version

Linux

Affected: 0ab13674a9bd10514486cf1670d71dbd8afec421 , < b7f82da7f86479cb6479a76ebe213ece7c77398f (git)
Affected: 0ab13674a9bd10514486cf1670d71dbd8afec421 , < b792eba44494b4e6ab5006013335f9819f303b8b (git)
Affected: 0ab13674a9bd10514486cf1670d71dbd8afec421 , < c0d3f6969bb4d72476cfe7ea9263831f1c283704 (git)

Linux

Affected: 6.7
Unaffected: 0 , < 6.7 (semver)
Unaffected: 6.12.54 , ≤ 6.12.* (semver)
Unaffected: 6.17.4 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/pci/mgb4/mgb4_trigger.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b7f82da7f86479cb6479a76ebe213ece7c77398f",
              "status": "affected",
              "version": "0ab13674a9bd10514486cf1670d71dbd8afec421",
              "versionType": "git"
            },
            {
              "lessThan": "b792eba44494b4e6ab5006013335f9819f303b8b",
              "status": "affected",
              "version": "0ab13674a9bd10514486cf1670d71dbd8afec421",
              "versionType": "git"
            },
            {
              "lessThan": "c0d3f6969bb4d72476cfe7ea9263831f1c283704",
              "status": "affected",
              "version": "0ab13674a9bd10514486cf1670d71dbd8afec421",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/pci/mgb4/mgb4_trigger.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.54",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.54",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.4",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: pci: mg4b: fix uninitialized iio scan data\n\nFix potential leak of uninitialized stack data to userspace by ensuring\nthat the `scan` structure is zeroed before use."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-04T14:50:45.439Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b7f82da7f86479cb6479a76ebe213ece7c77398f"
        },
        {
          "url": "https://git.kernel.org/stable/c/b792eba44494b4e6ab5006013335f9819f303b8b"
        },
        {
          "url": "https://git.kernel.org/stable/c/c0d3f6969bb4d72476cfe7ea9263831f1c283704"
        }
      ],
      "title": "media: pci: mg4b: fix uninitialized iio scan data",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40221",
    "datePublished": "2025-12-04T14:50:45.439Z",
    "dateReserved": "2025-04-16T07:20:57.180Z",
    "dateUpdated": "2025-12-04T14:50:45.439Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68330 (GCVE-0-2025-68330)

Vulnerability from cvelistv5 – Published: 2025-12-22 16:12 – Updated: 2026-01-02 15:35

Title

iio: accel: bmc150: Fix irq assumption regression

Summary

In the Linux kernel, the following vulnerability has been resolved: iio: accel: bmc150: Fix irq assumption regression The code in bmc150-accel-core.c unconditionally calls bmc150_accel_set_interrupt() in the iio_buffer_setup_ops, such as on the runtime PM resume path giving a kernel splat like this if the device has no interrupts: Unable to handle kernel NULL pointer dereference at virtual address 00000001 when read PC is at bmc150_accel_set_interrupt+0x98/0x194 LR is at __pm_runtime_resume+0x5c/0x64 (...) Call trace: bmc150_accel_set_interrupt from bmc150_accel_buffer_postenable+0x40/0x108 bmc150_accel_buffer_postenable from __iio_update_buffers+0xbe0/0xcbc __iio_update_buffers from enable_store+0x84/0xc8 enable_store from kernfs_fop_write_iter+0x154/0x1b4 This bug seems to have been in the driver since the beginning, but it only manifests recently, I do not know why. Store the IRQ number in the state struct, as this is a common pattern in other drivers, then use this to determine if we have IRQ support or not.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/aad9d048a3211c48e…
	https://git.kernel.org/stable/c/c891f504bb66604c8…
	https://git.kernel.org/stable/c/cdd4a9e98004bd7c7…
	https://git.kernel.org/stable/c/65ad4ed983fd9ee02…
	https://git.kernel.org/stable/c/93eaa5ddc5fc4f50a…
	https://git.kernel.org/stable/c/3aa385a9c75c09b59…

Impacted products

Vendor

Product

Version

Linux

Affected: c16bff4844ffa678ba0c9d077e9797506924ccdd , < aad9d048a3211c48ec02efa405bf462856feb862 (git)
Affected: c16bff4844ffa678ba0c9d077e9797506924ccdd , < c891f504bb66604c822e7985e093cf39b97fdeb0 (git)
Affected: c16bff4844ffa678ba0c9d077e9797506924ccdd , < cdd4a9e98004bd7c7488311951fa6dbae38b2b80 (git)
Affected: c16bff4844ffa678ba0c9d077e9797506924ccdd , < 65ad4ed983fd9ee0259d86391d6a53f78203918c (git)
Affected: c16bff4844ffa678ba0c9d077e9797506924ccdd , < 93eaa5ddc5fc4f50ac396afad8ce261102ebd4f3 (git)
Affected: c16bff4844ffa678ba0c9d077e9797506924ccdd , < 3aa385a9c75c09b59dcab2ff76423439d23673ab (git)

Linux

Affected: 4.2
Unaffected: 0 , < 4.2 (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.119 , ≤ 6.6.* (semver)
Unaffected: 6.12.61 , ≤ 6.12.* (semver)
Unaffected: 6.17.11 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/accel/bmc150-accel-core.c",
            "drivers/iio/accel/bmc150-accel.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "aad9d048a3211c48ec02efa405bf462856feb862",
              "status": "affected",
              "version": "c16bff4844ffa678ba0c9d077e9797506924ccdd",
              "versionType": "git"
            },
            {
              "lessThan": "c891f504bb66604c822e7985e093cf39b97fdeb0",
              "status": "affected",
              "version": "c16bff4844ffa678ba0c9d077e9797506924ccdd",
              "versionType": "git"
            },
            {
              "lessThan": "cdd4a9e98004bd7c7488311951fa6dbae38b2b80",
              "status": "affected",
              "version": "c16bff4844ffa678ba0c9d077e9797506924ccdd",
              "versionType": "git"
            },
            {
              "lessThan": "65ad4ed983fd9ee0259d86391d6a53f78203918c",
              "status": "affected",
              "version": "c16bff4844ffa678ba0c9d077e9797506924ccdd",
              "versionType": "git"
            },
            {
              "lessThan": "93eaa5ddc5fc4f50ac396afad8ce261102ebd4f3",
              "status": "affected",
              "version": "c16bff4844ffa678ba0c9d077e9797506924ccdd",
              "versionType": "git"
            },
            {
              "lessThan": "3aa385a9c75c09b59dcab2ff76423439d23673ab",
              "status": "affected",
              "version": "c16bff4844ffa678ba0c9d077e9797506924ccdd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/accel/bmc150-accel-core.c",
            "drivers/iio/accel/bmc150-accel.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.2"
            },
            {
              "lessThan": "4.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.119",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.119",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.61",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.11",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: accel: bmc150: Fix irq assumption regression\n\nThe code in bmc150-accel-core.c unconditionally calls\nbmc150_accel_set_interrupt() in the iio_buffer_setup_ops,\nsuch as on the runtime PM resume path giving a kernel\nsplat like this if the device has no interrupts:\n\nUnable to handle kernel NULL pointer dereference at virtual\n  address 00000001 when read\n\nPC is at bmc150_accel_set_interrupt+0x98/0x194\nLR is at __pm_runtime_resume+0x5c/0x64\n(...)\nCall trace:\nbmc150_accel_set_interrupt from bmc150_accel_buffer_postenable+0x40/0x108\nbmc150_accel_buffer_postenable from __iio_update_buffers+0xbe0/0xcbc\n__iio_update_buffers from enable_store+0x84/0xc8\nenable_store from kernfs_fop_write_iter+0x154/0x1b4\n\nThis bug seems to have been in the driver since the beginning,\nbut it only manifests recently, I do not know why.\n\nStore the IRQ number in the state struct, as this is a common\npattern in other drivers, then use this to determine if we have\nIRQ support or not."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:35:09.465Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/aad9d048a3211c48ec02efa405bf462856feb862"
        },
        {
          "url": "https://git.kernel.org/stable/c/c891f504bb66604c822e7985e093cf39b97fdeb0"
        },
        {
          "url": "https://git.kernel.org/stable/c/cdd4a9e98004bd7c7488311951fa6dbae38b2b80"
        },
        {
          "url": "https://git.kernel.org/stable/c/65ad4ed983fd9ee0259d86391d6a53f78203918c"
        },
        {
          "url": "https://git.kernel.org/stable/c/93eaa5ddc5fc4f50ac396afad8ce261102ebd4f3"
        },
        {
          "url": "https://git.kernel.org/stable/c/3aa385a9c75c09b59dcab2ff76423439d23673ab"
        }
      ],
      "title": "iio: accel: bmc150: Fix irq assumption regression",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68330",
    "datePublished": "2025-12-22T16:12:23.864Z",
    "dateReserved": "2025-12-16T14:48:05.296Z",
    "dateUpdated": "2026-01-02T15:35:09.465Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68257 (GCVE-0-2025-68257)

Vulnerability from cvelistv5 – Published: 2025-12-16 14:44 – Updated: 2026-01-19 12:18

Title

comedi: check device's attached status in compat ioctls

Summary

In the Linux kernel, the following vulnerability has been resolved: comedi: check device's attached status in compat ioctls Syzbot identified an issue [1] that crashes kernel, seemingly due to unexistent callback dev->get_valid_routes(). By all means, this should not occur as said callback must always be set to get_zero_valid_routes() in __comedi_device_postconfig(). As the crash seems to appear exclusively in i386 kernels, at least, judging from [1] reports, the blame lies with compat versions of standard IOCTL handlers. Several of them are modified and do not use comedi_unlocked_ioctl(). While functionality of these ioctls essentially copy their original versions, they do not have required sanity check for device's attached status. This, in turn, leads to a possibility of calling select IOCTLs on a device that has not been properly setup, even via COMEDI_DEVCONFIG. Doing so on unconfigured devices means that several crucial steps are missed, for instance, specifying dev->get_valid_routes() callback. Fix this somewhat crudely by ensuring device's attached status before performing any ioctls, improving logic consistency between modern and compat functions. [1] Syzbot report: BUG: kernel NULL pointer dereference, address: 0000000000000000 ... CR2: ffffffffffffffd6 CR3: 000000006c717000 CR4: 0000000000352ef0 Call Trace: <TASK> get_valid_routes drivers/comedi/comedi_fops.c:1322 [inline] parse_insn+0x78c/0x1970 drivers/comedi/comedi_fops.c:1401 do_insnlist_ioctl+0x272/0x700 drivers/comedi/comedi_fops.c:1594 compat_insnlist drivers/comedi/comedi_fops.c:3208 [inline] comedi_compat_ioctl+0x810/0x990 drivers/comedi/comedi_fops.c:3273 __do_compat_sys_ioctl fs/ioctl.c:695 [inline] __se_compat_sys_ioctl fs/ioctl.c:638 [inline] __ia32_compat_sys_ioctl+0x242/0x370 fs/ioctl.c:638 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] ...

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4836ba483a22ebd07…
	https://git.kernel.org/stable/c/7141915bf0c41cb57…
	https://git.kernel.org/stable/c/f13895c03620933a5…
	https://git.kernel.org/stable/c/b975f91de5f8f63cf…
	https://git.kernel.org/stable/c/f6e629dfe6f590091…
	https://git.kernel.org/stable/c/573b07d2e3d473ee7…
	https://git.kernel.org/stable/c/aac80e912de306815…
	https://git.kernel.org/stable/c/0de7d9cd07a2671fa…

Impacted products

Vendor

Product

Version

Linux

Affected: 3fbfd2223a271426509830e6340c386a1054cfad , < 4836ba483a22ebd076c8faaf8293a7295fad4142 (git)
Affected: 3fbfd2223a271426509830e6340c386a1054cfad , < 7141915bf0c41cb57d83cdbaf695b8c731b16b71 (git)
Affected: 3fbfd2223a271426509830e6340c386a1054cfad , < f13895c03620933a58907e3250016f087e39b78c (git)
Affected: 3fbfd2223a271426509830e6340c386a1054cfad , < b975f91de5f8f63cf490f0393775cc795f8b0557 (git)
Affected: 3fbfd2223a271426509830e6340c386a1054cfad , < f6e629dfe6f590091c662a87c9fcf118b1c1c7dc (git)
Affected: 3fbfd2223a271426509830e6340c386a1054cfad , < 573b07d2e3d473ee7eb625ef87519922cf01168d (git)
Affected: 3fbfd2223a271426509830e6340c386a1054cfad , < aac80e912de306815297a3b74f0426873ffa7dc3 (git)
Affected: 3fbfd2223a271426509830e6340c386a1054cfad , < 0de7d9cd07a2671fa6089173bccc0b2afe6b93ee (git)

Linux

Affected: 5.8
Unaffected: 0 , < 5.8 (semver)
Unaffected: 5.10.248 , ≤ 5.10.* (semver)
Unaffected: 5.15.198 , ≤ 5.15.* (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.62 , ≤ 6.12.* (semver)
Unaffected: 6.17.12 , ≤ 6.17.* (semver)
Unaffected: 6.18.1 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/comedi/comedi_fops.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4836ba483a22ebd076c8faaf8293a7295fad4142",
              "status": "affected",
              "version": "3fbfd2223a271426509830e6340c386a1054cfad",
              "versionType": "git"
            },
            {
              "lessThan": "7141915bf0c41cb57d83cdbaf695b8c731b16b71",
              "status": "affected",
              "version": "3fbfd2223a271426509830e6340c386a1054cfad",
              "versionType": "git"
            },
            {
              "lessThan": "f13895c03620933a58907e3250016f087e39b78c",
              "status": "affected",
              "version": "3fbfd2223a271426509830e6340c386a1054cfad",
              "versionType": "git"
            },
            {
              "lessThan": "b975f91de5f8f63cf490f0393775cc795f8b0557",
              "status": "affected",
              "version": "3fbfd2223a271426509830e6340c386a1054cfad",
              "versionType": "git"
            },
            {
              "lessThan": "f6e629dfe6f590091c662a87c9fcf118b1c1c7dc",
              "status": "affected",
              "version": "3fbfd2223a271426509830e6340c386a1054cfad",
              "versionType": "git"
            },
            {
              "lessThan": "573b07d2e3d473ee7eb625ef87519922cf01168d",
              "status": "affected",
              "version": "3fbfd2223a271426509830e6340c386a1054cfad",
              "versionType": "git"
            },
            {
              "lessThan": "aac80e912de306815297a3b74f0426873ffa7dc3",
              "status": "affected",
              "version": "3fbfd2223a271426509830e6340c386a1054cfad",
              "versionType": "git"
            },
            {
              "lessThan": "0de7d9cd07a2671fa6089173bccc0b2afe6b93ee",
              "status": "affected",
              "version": "3fbfd2223a271426509830e6340c386a1054cfad",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/comedi/comedi_fops.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.8"
            },
            {
              "lessThan": "5.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.248",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.62",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.248",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.198",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.62",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.12",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.1",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: check device\u0027s attached status in compat ioctls\n\nSyzbot identified an issue [1] that crashes kernel, seemingly due to\nunexistent callback dev-\u003eget_valid_routes(). By all means, this should\nnot occur as said callback must always be set to\nget_zero_valid_routes() in __comedi_device_postconfig().\n\nAs the crash seems to appear exclusively in i386 kernels, at least,\njudging from [1] reports, the blame lies with compat versions\nof standard IOCTL handlers. Several of them are modified and\ndo not use comedi_unlocked_ioctl(). While functionality of these\nioctls essentially copy their original versions, they do not\nhave required sanity check for device\u0027s attached status. This,\nin turn, leads to a possibility of calling select IOCTLs on a\ndevice that has not been properly setup, even via COMEDI_DEVCONFIG.\n\nDoing so on unconfigured devices means that several crucial steps\nare missed, for instance, specifying dev-\u003eget_valid_routes()\ncallback.\n\nFix this somewhat crudely by ensuring device\u0027s attached status before\nperforming any ioctls, improving logic consistency between modern\nand compat functions.\n\n[1] Syzbot report:\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n...\nCR2: ffffffffffffffd6 CR3: 000000006c717000 CR4: 0000000000352ef0\nCall Trace:\n \u003cTASK\u003e\n get_valid_routes drivers/comedi/comedi_fops.c:1322 [inline]\n parse_insn+0x78c/0x1970 drivers/comedi/comedi_fops.c:1401\n do_insnlist_ioctl+0x272/0x700 drivers/comedi/comedi_fops.c:1594\n compat_insnlist drivers/comedi/comedi_fops.c:3208 [inline]\n comedi_compat_ioctl+0x810/0x990 drivers/comedi/comedi_fops.c:3273\n __do_compat_sys_ioctl fs/ioctl.c:695 [inline]\n __se_compat_sys_ioctl fs/ioctl.c:638 [inline]\n __ia32_compat_sys_ioctl+0x242/0x370 fs/ioctl.c:638\n do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]\n..."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-19T12:18:10.447Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4836ba483a22ebd076c8faaf8293a7295fad4142"
        },
        {
          "url": "https://git.kernel.org/stable/c/7141915bf0c41cb57d83cdbaf695b8c731b16b71"
        },
        {
          "url": "https://git.kernel.org/stable/c/f13895c03620933a58907e3250016f087e39b78c"
        },
        {
          "url": "https://git.kernel.org/stable/c/b975f91de5f8f63cf490f0393775cc795f8b0557"
        },
        {
          "url": "https://git.kernel.org/stable/c/f6e629dfe6f590091c662a87c9fcf118b1c1c7dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/573b07d2e3d473ee7eb625ef87519922cf01168d"
        },
        {
          "url": "https://git.kernel.org/stable/c/aac80e912de306815297a3b74f0426873ffa7dc3"
        },
        {
          "url": "https://git.kernel.org/stable/c/0de7d9cd07a2671fa6089173bccc0b2afe6b93ee"
        }
      ],
      "title": "comedi: check device\u0027s attached status in compat ioctls",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68257",
    "datePublished": "2025-12-16T14:44:59.535Z",
    "dateReserved": "2025-12-16T13:41:40.267Z",
    "dateUpdated": "2026-01-19T12:18:10.447Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40264 (GCVE-0-2025-40264)

Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-06 21:39

Title

be2net: pass wrb_params in case of OS2BMC

Summary

In the Linux kernel, the following vulnerability has been resolved: be2net: pass wrb_params in case of OS2BMC be_insert_vlan_in_pkt() is called with the wrb_params argument being NULL at be_send_pkt_to_bmc() call site. This may lead to dereferencing a NULL pointer when processing a workaround for specific packet, as commit bc0c3405abbb ("be2net: fix a Tx stall bug caused by a specific ipv6 packet") states. The correct way would be to pass the wrb_params from be_xmit().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/48d59b60dd5d7e4c4…
	https://git.kernel.org/stable/c/f499dfa5c98e92e72…
	https://git.kernel.org/stable/c/630360c6724e27f1a…
	https://git.kernel.org/stable/c/012ee5882b1830db4…
	https://git.kernel.org/stable/c/ce0a3699244aca3ac…
	https://git.kernel.org/stable/c/1ecd86ec6efddb59a…
	https://git.kernel.org/stable/c/4c4741f6e7f2fa4e1…
	https://git.kernel.org/stable/c/7d277a7a58578dd62…

Impacted products

Vendor

Product

Version

Linux

Affected: 760c295e0e8d982917d004c9095cff61c0cbd803 , < 48d59b60dd5d7e4c48c077a2008c9dcd7b59bdfe (git)
Affected: 760c295e0e8d982917d004c9095cff61c0cbd803 , < f499dfa5c98e92e72dd454eb95a1000a448f3405 (git)
Affected: 760c295e0e8d982917d004c9095cff61c0cbd803 , < 630360c6724e27f1aa494ba3fffe1e38c4205284 (git)
Affected: 760c295e0e8d982917d004c9095cff61c0cbd803 , < 012ee5882b1830db469194466a210768ed207388 (git)
Affected: 760c295e0e8d982917d004c9095cff61c0cbd803 , < ce0a3699244aca3acb659f143c9cb1327b210f89 (git)
Affected: 760c295e0e8d982917d004c9095cff61c0cbd803 , < 1ecd86ec6efddb59a10c927e8e679f183bb9113e (git)
Affected: 760c295e0e8d982917d004c9095cff61c0cbd803 , < 4c4741f6e7f2fa4e1486cb61e1c15b9236ec134d (git)
Affected: 760c295e0e8d982917d004c9095cff61c0cbd803 , < 7d277a7a58578dd62fd546ddaef459ec24ccae36 (git)

Linux

Affected: 4.2
Unaffected: 0 , < 4.2 (semver)
Unaffected: 5.4.302 , ≤ 5.4.* (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.118 , ≤ 6.6.* (semver)
Unaffected: 6.12.60 , ≤ 6.12.* (semver)
Unaffected: 6.17.10 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/emulex/benet/be_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "48d59b60dd5d7e4c48c077a2008c9dcd7b59bdfe",
              "status": "affected",
              "version": "760c295e0e8d982917d004c9095cff61c0cbd803",
              "versionType": "git"
            },
            {
              "lessThan": "f499dfa5c98e92e72dd454eb95a1000a448f3405",
              "status": "affected",
              "version": "760c295e0e8d982917d004c9095cff61c0cbd803",
              "versionType": "git"
            },
            {
              "lessThan": "630360c6724e27f1aa494ba3fffe1e38c4205284",
              "status": "affected",
              "version": "760c295e0e8d982917d004c9095cff61c0cbd803",
              "versionType": "git"
            },
            {
              "lessThan": "012ee5882b1830db469194466a210768ed207388",
              "status": "affected",
              "version": "760c295e0e8d982917d004c9095cff61c0cbd803",
              "versionType": "git"
            },
            {
              "lessThan": "ce0a3699244aca3acb659f143c9cb1327b210f89",
              "status": "affected",
              "version": "760c295e0e8d982917d004c9095cff61c0cbd803",
              "versionType": "git"
            },
            {
              "lessThan": "1ecd86ec6efddb59a10c927e8e679f183bb9113e",
              "status": "affected",
              "version": "760c295e0e8d982917d004c9095cff61c0cbd803",
              "versionType": "git"
            },
            {
              "lessThan": "4c4741f6e7f2fa4e1486cb61e1c15b9236ec134d",
              "status": "affected",
              "version": "760c295e0e8d982917d004c9095cff61c0cbd803",
              "versionType": "git"
            },
            {
              "lessThan": "7d277a7a58578dd62fd546ddaef459ec24ccae36",
              "status": "affected",
              "version": "760c295e0e8d982917d004c9095cff61c0cbd803",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/emulex/benet/be_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.2"
            },
            {
              "lessThan": "4.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.302",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.118",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.60",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.302",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.118",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.60",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.10",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbe2net: pass wrb_params in case of OS2BMC\n\nbe_insert_vlan_in_pkt() is called with the wrb_params argument being NULL\nat be_send_pkt_to_bmc() call site.\u00a0 This may lead to dereferencing a NULL\npointer when processing a workaround for specific packet, as commit\nbc0c3405abbb (\"be2net: fix a Tx stall bug caused by a specific ipv6\npacket\") states.\n\nThe correct way would be to pass the wrb_params from be_xmit()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-06T21:39:07.176Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/48d59b60dd5d7e4c48c077a2008c9dcd7b59bdfe"
        },
        {
          "url": "https://git.kernel.org/stable/c/f499dfa5c98e92e72dd454eb95a1000a448f3405"
        },
        {
          "url": "https://git.kernel.org/stable/c/630360c6724e27f1aa494ba3fffe1e38c4205284"
        },
        {
          "url": "https://git.kernel.org/stable/c/012ee5882b1830db469194466a210768ed207388"
        },
        {
          "url": "https://git.kernel.org/stable/c/ce0a3699244aca3acb659f143c9cb1327b210f89"
        },
        {
          "url": "https://git.kernel.org/stable/c/1ecd86ec6efddb59a10c927e8e679f183bb9113e"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c4741f6e7f2fa4e1486cb61e1c15b9236ec134d"
        },
        {
          "url": "https://git.kernel.org/stable/c/7d277a7a58578dd62fd546ddaef459ec24ccae36"
        }
      ],
      "title": "be2net: pass wrb_params in case of OS2BMC",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40264",
    "datePublished": "2025-12-04T16:08:24.028Z",
    "dateReserved": "2025-04-16T07:20:57.183Z",
    "dateUpdated": "2025-12-06T21:39:07.176Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40328 (GCVE-0-2025-40328)

Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2025-12-09 04:09

Title

smb: client: fix potential UAF in smb2_close_cached_fid()

Summary

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_close_cached_fid() find_or_create_cached_dir() could grab a new reference after kref_put() had seen the refcount drop to zero but before cfid_list_lock is acquired in smb2_close_cached_fid(), leading to use-after-free. Switch to kref_put_lock() so cfid_release() is called with cfid_list_lock held, closing that gap.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/cb52d9c86d70298de…
	https://git.kernel.org/stable/c/065bd62412271a2d7…
	https://git.kernel.org/stable/c/bdb596ceb4b7c3f28…
	https://git.kernel.org/stable/c/734e99623c5b65bf2…

Impacted products

Vendor

Product

Version

Linux

Affected: ebe98f1447bbccf8228335c62d86af02a0ed23f7 , < cb52d9c86d70298de0ab7c7953653898cbc0efd6 (git)
Affected: ebe98f1447bbccf8228335c62d86af02a0ed23f7 , < 065bd62412271a2d734810dd50336cae88c54427 (git)
Affected: ebe98f1447bbccf8228335c62d86af02a0ed23f7 , < bdb596ceb4b7c3f28786a33840263728217fbcf5 (git)
Affected: ebe98f1447bbccf8228335c62d86af02a0ed23f7 , < 734e99623c5b65bf2c03e35978a0b980ebc3c2f8 (git)

Linux

Affected: 6.1
Unaffected: 0 , < 6.1 (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/cached_dir.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cb52d9c86d70298de0ab7c7953653898cbc0efd6",
              "status": "affected",
              "version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7",
              "versionType": "git"
            },
            {
              "lessThan": "065bd62412271a2d734810dd50336cae88c54427",
              "status": "affected",
              "version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7",
              "versionType": "git"
            },
            {
              "lessThan": "bdb596ceb4b7c3f28786a33840263728217fbcf5",
              "status": "affected",
              "version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7",
              "versionType": "git"
            },
            {
              "lessThan": "734e99623c5b65bf2c03e35978a0b980ebc3c2f8",
              "status": "affected",
              "version": "ebe98f1447bbccf8228335c62d86af02a0ed23f7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/cached_dir.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.1"
            },
            {
              "lessThan": "6.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in smb2_close_cached_fid()\n\nfind_or_create_cached_dir() could grab a new reference after kref_put()\nhad seen the refcount drop to zero but before cfid_list_lock is acquired\nin smb2_close_cached_fid(), leading to use-after-free.\n\nSwitch to kref_put_lock() so cfid_release() is called with\ncfid_list_lock held, closing that gap."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T04:09:44.876Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cb52d9c86d70298de0ab7c7953653898cbc0efd6"
        },
        {
          "url": "https://git.kernel.org/stable/c/065bd62412271a2d734810dd50336cae88c54427"
        },
        {
          "url": "https://git.kernel.org/stable/c/bdb596ceb4b7c3f28786a33840263728217fbcf5"
        },
        {
          "url": "https://git.kernel.org/stable/c/734e99623c5b65bf2c03e35978a0b980ebc3c2f8"
        }
      ],
      "title": "smb: client: fix potential UAF in smb2_close_cached_fid()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40328",
    "datePublished": "2025-12-09T04:09:44.876Z",
    "dateReserved": "2025-04-16T07:20:57.186Z",
    "dateUpdated": "2025-12-09T04:09:44.876Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40294 (GCVE-0-2025-40294)

Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46

Title

Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern() In the parse_adv_monitor_pattern() function, the value of the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251). The size of the 'value' array in the mgmt_adv_pattern structure is 31. If the value of 'pattern[i].length' is set in the user space and exceeds 31, the 'patterns[i].value' array can be accessed out of bound when copied. Increasing the size of the 'value' array in the 'mgmt_adv_pattern' structure will break the userspace. Considering this, and to avoid OOB access revert the limits for 'offset' and 'length' back to the value of HCI_MAX_AD_LENGTH. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/96616530f524a0a76…
	https://git.kernel.org/stable/c/5f7350ff2b179764a…
	https://git.kernel.org/stable/c/4b7d4aa5399b5a64c…
	https://git.kernel.org/stable/c/3a50d59b3781bc3a4…
	https://git.kernel.org/stable/c/8d59fba49362c6533…

Impacted products

Vendor

Product

Version

Linux

Affected: 99f30e12e588f9982a6eb1916e53510bff25b3b8 , < 96616530f524a0a76248cd44201de0a9e8526190 (git)
Affected: db08722fc7d46168fe31d9b8a7b29229dd959f9f , < 5f7350ff2b179764a4f40ba4161b60b8aaef857b (git)
Affected: db08722fc7d46168fe31d9b8a7b29229dd959f9f , < 4b7d4aa5399b5a64caee639275615c63c008540d (git)
Affected: db08722fc7d46168fe31d9b8a7b29229dd959f9f , < 3a50d59b3781bc3a4e96533612509546a4c309a7 (git)
Affected: db08722fc7d46168fe31d9b8a7b29229dd959f9f , < 8d59fba49362c65332395789fd82771f1028d87e (git)

Linux

Affected: 6.6
Unaffected: 0 , < 6.6 (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/bluetooth/mgmt.h",
            "net/bluetooth/mgmt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "96616530f524a0a76248cd44201de0a9e8526190",
              "status": "affected",
              "version": "99f30e12e588f9982a6eb1916e53510bff25b3b8",
              "versionType": "git"
            },
            {
              "lessThan": "5f7350ff2b179764a4f40ba4161b60b8aaef857b",
              "status": "affected",
              "version": "db08722fc7d46168fe31d9b8a7b29229dd959f9f",
              "versionType": "git"
            },
            {
              "lessThan": "4b7d4aa5399b5a64caee639275615c63c008540d",
              "status": "affected",
              "version": "db08722fc7d46168fe31d9b8a7b29229dd959f9f",
              "versionType": "git"
            },
            {
              "lessThan": "3a50d59b3781bc3a4e96533612509546a4c309a7",
              "status": "affected",
              "version": "db08722fc7d46168fe31d9b8a7b29229dd959f9f",
              "versionType": "git"
            },
            {
              "lessThan": "8d59fba49362c65332395789fd82771f1028d87e",
              "status": "affected",
              "version": "db08722fc7d46168fe31d9b8a7b29229dd959f9f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/bluetooth/mgmt.h",
            "net/bluetooth/mgmt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "6.1.83",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()\n\nIn the parse_adv_monitor_pattern() function, the value of\nthe \u0027length\u0027 variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251).\nThe size of the \u0027value\u0027 array in the mgmt_adv_pattern structure is 31.\nIf the value of \u0027pattern[i].length\u0027 is set in the user space\nand exceeds 31, the \u0027patterns[i].value\u0027 array can be accessed\nout of bound when copied.\n\nIncreasing the size of the \u0027value\u0027 array in\nthe \u0027mgmt_adv_pattern\u0027 structure will break the userspace.\nConsidering this, and to avoid OOB access revert the limits for \u0027offset\u0027\nand \u0027length\u0027 back to the value of HCI_MAX_AD_LENGTH.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with SVACE."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-08T00:46:17.899Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/96616530f524a0a76248cd44201de0a9e8526190"
        },
        {
          "url": "https://git.kernel.org/stable/c/5f7350ff2b179764a4f40ba4161b60b8aaef857b"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b7d4aa5399b5a64caee639275615c63c008540d"
        },
        {
          "url": "https://git.kernel.org/stable/c/3a50d59b3781bc3a4e96533612509546a4c309a7"
        },
        {
          "url": "https://git.kernel.org/stable/c/8d59fba49362c65332395789fd82771f1028d87e"
        }
      ],
      "title": "Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40294",
    "datePublished": "2025-12-08T00:46:17.899Z",
    "dateReserved": "2025-04-16T07:20:57.185Z",
    "dateUpdated": "2025-12-08T00:46:17.899Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40342 (GCVE-0-2025-40342)

Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2025-12-20 08:52

Title

nvme-fc: use lock accessing port_state and rport state

Summary

In the Linux kernel, the following vulnerability has been resolved: nvme-fc: use lock accessing port_state and rport state nvme_fc_unregister_remote removes the remote port on a lport object at any point in time when there is no active association. This races with with the reconnect logic, because nvme_fc_create_association is not taking a lock to check the port_state and atomically increase the active count on the rport.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/de3d91af47bc01503…
	https://git.kernel.org/stable/c/e8cde03de8674b05f…
	https://git.kernel.org/stable/c/4253e0a4546138a2b…
	https://git.kernel.org/stable/c/25f4bf1f7979a7871…
	https://git.kernel.org/stable/c/9950af4303942081d…
	https://git.kernel.org/stable/c/a2f7fa75c4a2a0732…
	https://git.kernel.org/stable/c/891cdbb162ccdb079…

Impacted products

Vendor

Product

Version

Linux

Affected: e399441de9115cd472b8ace6c517708273ca7997 , < de3d91af47bc015031e7721b100a29989f6498a5 (git)
Affected: e399441de9115cd472b8ace6c517708273ca7997 , < e8cde03de8674b05f2c5e0870729049eba517800 (git)
Affected: e399441de9115cd472b8ace6c517708273ca7997 , < 4253e0a4546138a2bf9cb6acf66b32fee677fc7c (git)
Affected: e399441de9115cd472b8ace6c517708273ca7997 , < 25f4bf1f7979a7871974fd36c79d69ff1cf4b446 (git)
Affected: e399441de9115cd472b8ace6c517708273ca7997 , < 9950af4303942081dc8c7a5fdc3688c17c7eb6c0 (git)
Affected: e399441de9115cd472b8ace6c517708273ca7997 , < a2f7fa75c4a2a07328fa22ccbef461db76790b55 (git)
Affected: e399441de9115cd472b8ace6c517708273ca7997 , < 891cdbb162ccdb079cd5228ae43bdeebce8597ad (git)

Linux

Affected: 4.10
Unaffected: 0 , < 4.10 (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvme/host/fc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "de3d91af47bc015031e7721b100a29989f6498a5",
              "status": "affected",
              "version": "e399441de9115cd472b8ace6c517708273ca7997",
              "versionType": "git"
            },
            {
              "lessThan": "e8cde03de8674b05f2c5e0870729049eba517800",
              "status": "affected",
              "version": "e399441de9115cd472b8ace6c517708273ca7997",
              "versionType": "git"
            },
            {
              "lessThan": "4253e0a4546138a2bf9cb6acf66b32fee677fc7c",
              "status": "affected",
              "version": "e399441de9115cd472b8ace6c517708273ca7997",
              "versionType": "git"
            },
            {
              "lessThan": "25f4bf1f7979a7871974fd36c79d69ff1cf4b446",
              "status": "affected",
              "version": "e399441de9115cd472b8ace6c517708273ca7997",
              "versionType": "git"
            },
            {
              "lessThan": "9950af4303942081dc8c7a5fdc3688c17c7eb6c0",
              "status": "affected",
              "version": "e399441de9115cd472b8ace6c517708273ca7997",
              "versionType": "git"
            },
            {
              "lessThan": "a2f7fa75c4a2a07328fa22ccbef461db76790b55",
              "status": "affected",
              "version": "e399441de9115cd472b8ace6c517708273ca7997",
              "versionType": "git"
            },
            {
              "lessThan": "891cdbb162ccdb079cd5228ae43bdeebce8597ad",
              "status": "affected",
              "version": "e399441de9115cd472b8ace6c517708273ca7997",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvme/host/fc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.10"
            },
            {
              "lessThan": "4.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-fc: use lock accessing port_state and rport state\n\nnvme_fc_unregister_remote removes the remote port on a lport object at\nany point in time when there is no active association. This races with\nwith the reconnect logic, because nvme_fc_create_association is not\ntaking a lock to check the port_state and atomically increase the\nactive count on the rport."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-20T08:52:12.515Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/de3d91af47bc015031e7721b100a29989f6498a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/e8cde03de8674b05f2c5e0870729049eba517800"
        },
        {
          "url": "https://git.kernel.org/stable/c/4253e0a4546138a2bf9cb6acf66b32fee677fc7c"
        },
        {
          "url": "https://git.kernel.org/stable/c/25f4bf1f7979a7871974fd36c79d69ff1cf4b446"
        },
        {
          "url": "https://git.kernel.org/stable/c/9950af4303942081dc8c7a5fdc3688c17c7eb6c0"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2f7fa75c4a2a07328fa22ccbef461db76790b55"
        },
        {
          "url": "https://git.kernel.org/stable/c/891cdbb162ccdb079cd5228ae43bdeebce8597ad"
        }
      ],
      "title": "nvme-fc: use lock accessing port_state and rport state",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40342",
    "datePublished": "2025-12-09T04:09:59.673Z",
    "dateReserved": "2025-04-16T07:20:57.187Z",
    "dateUpdated": "2025-12-20T08:52:12.515Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68346 (GCVE-0-2025-68346)

Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-01-19 12:18

Title

ALSA: dice: fix buffer overflow in detect_stream_formats()

Summary

In the Linux kernel, the following vulnerability has been resolved: ALSA: dice: fix buffer overflow in detect_stream_formats() The function detect_stream_formats() reads the stream_count value directly from a FireWire device without validating it. This can lead to out-of-bounds writes when a malicious device provides a stream_count value greater than MAX_STREAMS. Fix by applying the same validation to both TX and RX stream counts in detect_stream_formats().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d6280a5b00cad37d9…
	https://git.kernel.org/stable/c/3cf854cec0eb371da…
	https://git.kernel.org/stable/c/4a6ab0f6cc9bdfdfe…
	https://git.kernel.org/stable/c/dea3ed2c16f99f46f…
	https://git.kernel.org/stable/c/c0a1fe1902ad23e6d…
	https://git.kernel.org/stable/c/932aa1e80b022419c…
	https://git.kernel.org/stable/c/1e1b3207a53e50d5a…
	https://git.kernel.org/stable/c/324f3e03e8a85931c…

Impacted products

Vendor

Product

Version

Linux

Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < d6280a5b00cad37d9a9a875849e5bf7ed2fe4950 (git)
Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < 3cf854cec0eb371da47ff5fe56eab189d7fa623a (git)
Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < 4a6ab0f6cc9bdfdfecbf257a46ff4275bd965af4 (git)
Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < dea3ed2c16f99f46f97b1a090bf80ecdd6972ce0 (git)
Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < c0a1fe1902ad23e6d48e0f68be1258ccf7a163e6 (git)
Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < 932aa1e80b022419cf9710e970739b7a8794f27c (git)
Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < 1e1b3207a53e50d5a66289fffc1f7d52cd9c50f9 (git)
Affected: 58579c056c1c9510ae6695ed8e01ee05bbdcfb23 , < 324f3e03e8a85931ce0880654e3c3eb38b0f0bba (git)

Linux

Affected: 4.18
Unaffected: 0 , < 4.18 (semver)
Unaffected: 5.10.248 , ≤ 5.10.* (semver)
Unaffected: 5.15.198 , ≤ 5.15.* (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.63 , ≤ 6.12.* (semver)
Unaffected: 6.17.13 , ≤ 6.17.* (semver)
Unaffected: 6.18.2 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/firewire/dice/dice-extension.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d6280a5b00cad37d9a9a875849e5bf7ed2fe4950",
              "status": "affected",
              "version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
              "versionType": "git"
            },
            {
              "lessThan": "3cf854cec0eb371da47ff5fe56eab189d7fa623a",
              "status": "affected",
              "version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
              "versionType": "git"
            },
            {
              "lessThan": "4a6ab0f6cc9bdfdfecbf257a46ff4275bd965af4",
              "status": "affected",
              "version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
              "versionType": "git"
            },
            {
              "lessThan": "dea3ed2c16f99f46f97b1a090bf80ecdd6972ce0",
              "status": "affected",
              "version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
              "versionType": "git"
            },
            {
              "lessThan": "c0a1fe1902ad23e6d48e0f68be1258ccf7a163e6",
              "status": "affected",
              "version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
              "versionType": "git"
            },
            {
              "lessThan": "932aa1e80b022419cf9710e970739b7a8794f27c",
              "status": "affected",
              "version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
              "versionType": "git"
            },
            {
              "lessThan": "1e1b3207a53e50d5a66289fffc1f7d52cd9c50f9",
              "status": "affected",
              "version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
              "versionType": "git"
            },
            {
              "lessThan": "324f3e03e8a85931ce0880654e3c3eb38b0f0bba",
              "status": "affected",
              "version": "58579c056c1c9510ae6695ed8e01ee05bbdcfb23",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/firewire/dice/dice-extension.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.18"
            },
            {
              "lessThan": "4.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.248",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.63",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.248",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.198",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.63",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.13",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.2",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: dice: fix buffer overflow in detect_stream_formats()\n\nThe function detect_stream_formats() reads the stream_count value directly\nfrom a FireWire device without validating it. This can lead to\nout-of-bounds writes when a malicious device provides a stream_count value\ngreater than MAX_STREAMS.\n\nFix by applying the same validation to both TX and RX stream counts in\ndetect_stream_formats()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-19T12:18:24.929Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d6280a5b00cad37d9a9a875849e5bf7ed2fe4950"
        },
        {
          "url": "https://git.kernel.org/stable/c/3cf854cec0eb371da47ff5fe56eab189d7fa623a"
        },
        {
          "url": "https://git.kernel.org/stable/c/4a6ab0f6cc9bdfdfecbf257a46ff4275bd965af4"
        },
        {
          "url": "https://git.kernel.org/stable/c/dea3ed2c16f99f46f97b1a090bf80ecdd6972ce0"
        },
        {
          "url": "https://git.kernel.org/stable/c/c0a1fe1902ad23e6d48e0f68be1258ccf7a163e6"
        },
        {
          "url": "https://git.kernel.org/stable/c/932aa1e80b022419cf9710e970739b7a8794f27c"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e1b3207a53e50d5a66289fffc1f7d52cd9c50f9"
        },
        {
          "url": "https://git.kernel.org/stable/c/324f3e03e8a85931ce0880654e3c3eb38b0f0bba"
        }
      ],
      "title": "ALSA: dice: fix buffer overflow in detect_stream_formats()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68346",
    "datePublished": "2025-12-24T10:32:39.101Z",
    "dateReserved": "2025-12-16T14:48:05.299Z",
    "dateUpdated": "2026-01-19T12:18:24.929Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50646 (GCVE-0-2022-50646)

Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00

Title

scsi: hpsa: Fix possible memory leak in hpsa_init_one()

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: hpsa: Fix possible memory leak in hpsa_init_one() The hpda_alloc_ctlr_info() allocates h and its field reply_map. However, in hpsa_init_one(), if alloc_percpu() failed, the hpsa_init_one() jumps to clean1 directly, which frees h and leaks the h->reply_map. Fix by calling hpda_free_ctlr_info() to release h->replay_map and h instead free h directly.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f4d1c14e8b404766f…
	https://git.kernel.org/stable/c/f8fc2f18652917cdc…
	https://git.kernel.org/stable/c/c808edbf580bfc454…
	https://git.kernel.org/stable/c/bfe10a1d9fbccdf39…
	https://git.kernel.org/stable/c/fc998d0a7d65672f0…
	https://git.kernel.org/stable/c/0aa7be66168b1e84b…
	https://git.kernel.org/stable/c/9c9ff300e0de07475…

Impacted products

Vendor

Product

Version

Linux

Affected: 8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef , < f4d1c14e8b404766ff2bb8644bb19443d73965de (git)
Affected: 8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef , < f8fc2f18652917cdcc89cb23f3a1b7cb6e119c5e (git)
Affected: 8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef , < c808edbf580bfc454671cbe66e9d7c2e938e7601 (git)
Affected: 8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef , < bfe10a1d9fbccdf39f8449d62509f070d8aaaac1 (git)
Affected: 8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef , < fc998d0a7d65672f0812f11cd0ec4bbe4f8f8507 (git)
Affected: 8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef , < 0aa7be66168b1e84b2581ffff3ccb54a6c804a1e (git)
Affected: 8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef , < 9c9ff300e0de07475796495d86f449340d454a0c (git)
Affected: 1edd825c11f8ed2c409d6fb6b3d90a042cbf738d (git)

Linux

Affected: 4.16
Unaffected: 0 , < 4.16 (semver)
Unaffected: 4.19.270 , ≤ 4.19.* (semver)
Unaffected: 5.4.229 , ≤ 5.4.* (semver)
Unaffected: 5.10.163 , ≤ 5.10.* (semver)
Unaffected: 5.15.86 , ≤ 5.15.* (semver)
Unaffected: 6.0.16 , ≤ 6.0.* (semver)
Unaffected: 6.1.2 , ≤ 6.1.* (semver)
Unaffected: 6.2 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/hpsa.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f4d1c14e8b404766ff2bb8644bb19443d73965de",
              "status": "affected",
              "version": "8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef",
              "versionType": "git"
            },
            {
              "lessThan": "f8fc2f18652917cdcc89cb23f3a1b7cb6e119c5e",
              "status": "affected",
              "version": "8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef",
              "versionType": "git"
            },
            {
              "lessThan": "c808edbf580bfc454671cbe66e9d7c2e938e7601",
              "status": "affected",
              "version": "8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef",
              "versionType": "git"
            },
            {
              "lessThan": "bfe10a1d9fbccdf39f8449d62509f070d8aaaac1",
              "status": "affected",
              "version": "8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef",
              "versionType": "git"
            },
            {
              "lessThan": "fc998d0a7d65672f0812f11cd0ec4bbe4f8f8507",
              "status": "affected",
              "version": "8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef",
              "versionType": "git"
            },
            {
              "lessThan": "0aa7be66168b1e84b2581ffff3ccb54a6c804a1e",
              "status": "affected",
              "version": "8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef",
              "versionType": "git"
            },
            {
              "lessThan": "9c9ff300e0de07475796495d86f449340d454a0c",
              "status": "affected",
              "version": "8b834bff1b73dce46f4e9f5e84af6f73fed8b0ef",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "1edd825c11f8ed2c409d6fb6b3d90a042cbf738d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/hpsa.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.16"
            },
            {
              "lessThan": "4.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.270",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.229",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.163",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.270",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.229",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.163",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.86",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.16",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.2",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.63",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: hpsa: Fix possible memory leak in hpsa_init_one()\n\nThe hpda_alloc_ctlr_info() allocates h and its field reply_map. However, in\nhpsa_init_one(), if alloc_percpu() failed, the hpsa_init_one() jumps to\nclean1 directly, which frees h and leaks the h-\u003ereply_map.\n\nFix by calling hpda_free_ctlr_info() to release h-\u003ereplay_map and h instead\nfree h directly."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T00:00:20.596Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f4d1c14e8b404766ff2bb8644bb19443d73965de"
        },
        {
          "url": "https://git.kernel.org/stable/c/f8fc2f18652917cdcc89cb23f3a1b7cb6e119c5e"
        },
        {
          "url": "https://git.kernel.org/stable/c/c808edbf580bfc454671cbe66e9d7c2e938e7601"
        },
        {
          "url": "https://git.kernel.org/stable/c/bfe10a1d9fbccdf39f8449d62509f070d8aaaac1"
        },
        {
          "url": "https://git.kernel.org/stable/c/fc998d0a7d65672f0812f11cd0ec4bbe4f8f8507"
        },
        {
          "url": "https://git.kernel.org/stable/c/0aa7be66168b1e84b2581ffff3ccb54a6c804a1e"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c9ff300e0de07475796495d86f449340d454a0c"
        }
      ],
      "title": "scsi: hpsa: Fix possible memory leak in hpsa_init_one()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50646",
    "datePublished": "2025-12-09T00:00:20.596Z",
    "dateReserved": "2025-12-08T23:57:43.371Z",
    "dateUpdated": "2025-12-09T00:00:20.596Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50635 (GCVE-0-2022-50635)

Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00

Title

powerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe()

Summary

In the Linux kernel, the following vulnerability has been resolved: powerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe() I found a null pointer reference in arch_prepare_kprobe(): # echo 'p cmdline_proc_show' > kprobe_events # echo 'p cmdline_proc_show+16' >> kprobe_events Kernel attempted to read user page (0) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x00000000 Faulting instruction address: 0xc000000000050bfc Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV Modules linked in: CPU: 0 PID: 122 Comm: sh Not tainted 6.0.0-rc3-00007-gdcf8e5633e2e #10 NIP: c000000000050bfc LR: c000000000050bec CTR: 0000000000005bdc REGS: c0000000348475b0 TRAP: 0300 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e) MSR: 9000000000009033 <SF,HV,EE,ME,IR,DR,RI,LE> CR: 88002444 XER: 20040006 CFAR: c00000000022d100 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 0 ... NIP arch_prepare_kprobe+0x10c/0x2d0 LR arch_prepare_kprobe+0xfc/0x2d0 Call Trace: 0xc0000000012f77a0 (unreliable) register_kprobe+0x3c0/0x7a0 __register_trace_kprobe+0x140/0x1a0 __trace_kprobe_create+0x794/0x1040 trace_probe_create+0xc4/0xe0 create_or_delete_trace_kprobe+0x2c/0x80 trace_parse_run_command+0xf0/0x210 probes_write+0x20/0x40 vfs_write+0xfc/0x450 ksys_write+0x84/0x140 system_call_exception+0x17c/0x3a0 system_call_vectored_common+0xe8/0x278 --- interrupt: 3000 at 0x7fffa5682de0 NIP: 00007fffa5682de0 LR: 0000000000000000 CTR: 0000000000000000 REGS: c000000034847e80 TRAP: 3000 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e) MSR: 900000000280f033 <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 44002408 XER: 00000000 The address being probed has some special: cmdline_proc_show: Probe based on ftrace cmdline_proc_show+16: Probe for the next instruction at the ftrace location The ftrace-based kprobe does not generate kprobe::ainsn::insn, it gets set to NULL. In arch_prepare_kprobe() it will check for: ... prev = get_kprobe(p->addr - 1); preempt_enable_no_resched(); if (prev && ppc_inst_prefixed(ppc_inst_read(prev->ainsn.insn))) { ... If prev is based on ftrace, 'ppc_inst_read(prev->ainsn.insn)' will occur with a null pointer reference. At this point prev->addr will not be a prefixed instruction, so the check can be skipped. Check if prev is ftrace-based kprobe before reading 'prev->ainsn.insn' to fix this problem. [mpe: Trim oops]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7f536a8cb62dd5c08…
	https://git.kernel.org/stable/c/4eac4f6a86ae73ef4…
	https://git.kernel.org/stable/c/5fd1b369387c53ee6…
	https://git.kernel.org/stable/c/97f88a3d723162781…

Impacted products

Vendor

Product

Version

Linux

Affected: b4657f7650babc9bfb41ce875abe41b18604a105 , < 7f536a8cb62dd5c084f112373fc34cdb5168a813 (git)
Affected: b4657f7650babc9bfb41ce875abe41b18604a105 , < 4eac4f6a86ae73ef4b772d37398beeba2fbfde4e (git)
Affected: b4657f7650babc9bfb41ce875abe41b18604a105 , < 5fd1b369387c53ee6c774ab86e32e362a1e537ac (git)
Affected: b4657f7650babc9bfb41ce875abe41b18604a105 , < 97f88a3d723162781d6cbfdc7b9617eefab55b19 (git)

Linux

Affected: 5.8
Unaffected: 0 , < 5.8 (semver)
Unaffected: 5.15.75 , ≤ 5.15.* (semver)
Unaffected: 5.19.17 , ≤ 5.19.* (semver)
Unaffected: 6.0.3 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/powerpc/kernel/kprobes.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7f536a8cb62dd5c084f112373fc34cdb5168a813",
              "status": "affected",
              "version": "b4657f7650babc9bfb41ce875abe41b18604a105",
              "versionType": "git"
            },
            {
              "lessThan": "4eac4f6a86ae73ef4b772d37398beeba2fbfde4e",
              "status": "affected",
              "version": "b4657f7650babc9bfb41ce875abe41b18604a105",
              "versionType": "git"
            },
            {
              "lessThan": "5fd1b369387c53ee6c774ab86e32e362a1e537ac",
              "status": "affected",
              "version": "b4657f7650babc9bfb41ce875abe41b18604a105",
              "versionType": "git"
            },
            {
              "lessThan": "97f88a3d723162781d6cbfdc7b9617eefab55b19",
              "status": "affected",
              "version": "b4657f7650babc9bfb41ce875abe41b18604a105",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/powerpc/kernel/kprobes.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.8"
            },
            {
              "lessThan": "5.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.75",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe()\n\nI found a null pointer reference in arch_prepare_kprobe():\n\n  # echo \u0027p cmdline_proc_show\u0027 \u003e kprobe_events\n  # echo \u0027p cmdline_proc_show+16\u0027 \u003e\u003e kprobe_events\n  Kernel attempted to read user page (0) - exploit attempt? (uid: 0)\n  BUG: Kernel NULL pointer dereference on read at 0x00000000\n  Faulting instruction address: 0xc000000000050bfc\n  Oops: Kernel access of bad area, sig: 11 [#1]\n  LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV\n  Modules linked in:\n  CPU: 0 PID: 122 Comm: sh Not tainted 6.0.0-rc3-00007-gdcf8e5633e2e #10\n  NIP:  c000000000050bfc LR: c000000000050bec CTR: 0000000000005bdc\n  REGS: c0000000348475b0 TRAP: 0300   Not tainted  (6.0.0-rc3-00007-gdcf8e5633e2e)\n  MSR:  9000000000009033 \u003cSF,HV,EE,ME,IR,DR,RI,LE\u003e  CR: 88002444  XER: 20040006\n  CFAR: c00000000022d100 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 0\n  ...\n  NIP arch_prepare_kprobe+0x10c/0x2d0\n  LR  arch_prepare_kprobe+0xfc/0x2d0\n  Call Trace:\n    0xc0000000012f77a0 (unreliable)\n    register_kprobe+0x3c0/0x7a0\n    __register_trace_kprobe+0x140/0x1a0\n    __trace_kprobe_create+0x794/0x1040\n    trace_probe_create+0xc4/0xe0\n    create_or_delete_trace_kprobe+0x2c/0x80\n    trace_parse_run_command+0xf0/0x210\n    probes_write+0x20/0x40\n    vfs_write+0xfc/0x450\n    ksys_write+0x84/0x140\n    system_call_exception+0x17c/0x3a0\n    system_call_vectored_common+0xe8/0x278\n  --- interrupt: 3000 at 0x7fffa5682de0\n  NIP:  00007fffa5682de0 LR: 0000000000000000 CTR: 0000000000000000\n  REGS: c000000034847e80 TRAP: 3000   Not tainted  (6.0.0-rc3-00007-gdcf8e5633e2e)\n  MSR:  900000000280f033 \u003cSF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE\u003e  CR: 44002408  XER: 00000000\n\nThe address being probed has some special:\n\n  cmdline_proc_show: Probe based on ftrace\n  cmdline_proc_show+16: Probe for the next instruction at the ftrace location\n\nThe ftrace-based kprobe does not generate kprobe::ainsn::insn, it gets\nset to NULL. In arch_prepare_kprobe() it will check for:\n\n  ...\n  prev = get_kprobe(p-\u003eaddr - 1);\n  preempt_enable_no_resched();\n  if (prev \u0026\u0026 ppc_inst_prefixed(ppc_inst_read(prev-\u003eainsn.insn))) {\n  ...\n\nIf prev is based on ftrace, \u0027ppc_inst_read(prev-\u003eainsn.insn)\u0027 will occur\nwith a null pointer reference. At this point prev-\u003eaddr will not be a\nprefixed instruction, so the check can be skipped.\n\nCheck if prev is ftrace-based kprobe before reading \u0027prev-\u003eainsn.insn\u0027\nto fix this problem.\n\n[mpe: Trim oops]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T00:00:08.590Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7f536a8cb62dd5c084f112373fc34cdb5168a813"
        },
        {
          "url": "https://git.kernel.org/stable/c/4eac4f6a86ae73ef4b772d37398beeba2fbfde4e"
        },
        {
          "url": "https://git.kernel.org/stable/c/5fd1b369387c53ee6c774ab86e32e362a1e537ac"
        },
        {
          "url": "https://git.kernel.org/stable/c/97f88a3d723162781d6cbfdc7b9617eefab55b19"
        }
      ],
      "title": "powerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50635",
    "datePublished": "2025-12-09T00:00:08.590Z",
    "dateReserved": "2025-12-08T23:57:43.370Z",
    "dateUpdated": "2025-12-09T00:00:08.590Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68313 (GCVE-0-2025-68313)

Vulnerability from cvelistv5 – Published: 2025-12-16 15:39 – Updated: 2026-01-02 15:34

Title

x86/CPU/AMD: Add RDSEED fix for Zen5

Summary

In the Linux kernel, the following vulnerability has been resolved: x86/CPU/AMD: Add RDSEED fix for Zen5 There's an issue with RDSEED's 16-bit and 32-bit register output variants on Zen5 which return a random value of 0 "at a rate inconsistent with randomness while incorrectly signaling success (CF=1)". Search the web for AMD-SB-7055 for more detail. Add a fix glue which checks microcode revisions. [ bp: Add microcode revisions checking, rewrite. ]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e980de2ff109dacb6…
	https://git.kernel.org/stable/c/36ff93e66d0efc46e…
	https://git.kernel.org/stable/c/607b9fb2ce248cc5b…

Impacted products

Vendor

Product

Version

Linux

Affected: 3e4147f33f8b647775357bae0248b9a2aeebfcd2 , < e980de2ff109dacb6d9d3a77f01b27c467115ecb (git)
Affected: 3e4147f33f8b647775357bae0248b9a2aeebfcd2 , < 36ff93e66d0efc46e39fab536a9feec968daa766 (git)
Affected: 3e4147f33f8b647775357bae0248b9a2aeebfcd2 , < 607b9fb2ce248cc5b633c5949e0153838992c152 (git)

Linux

Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/cpu/amd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e980de2ff109dacb6d9d3a77f01b27c467115ecb",
              "status": "affected",
              "version": "3e4147f33f8b647775357bae0248b9a2aeebfcd2",
              "versionType": "git"
            },
            {
              "lessThan": "36ff93e66d0efc46e39fab536a9feec968daa766",
              "status": "affected",
              "version": "3e4147f33f8b647775357bae0248b9a2aeebfcd2",
              "versionType": "git"
            },
            {
              "lessThan": "607b9fb2ce248cc5b633c5949e0153838992c152",
              "status": "affected",
              "version": "3e4147f33f8b647775357bae0248b9a2aeebfcd2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/cpu/amd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/CPU/AMD: Add RDSEED fix for Zen5\n\nThere\u0027s an issue with RDSEED\u0027s 16-bit and 32-bit register output\nvariants on Zen5 which return a random value of 0 \"at a rate inconsistent\nwith randomness while incorrectly signaling success (CF=1)\". Search the\nweb for AMD-SB-7055 for more detail.\n\nAdd a fix glue which checks microcode revisions.\n\n  [ bp: Add microcode revisions checking, rewrite. ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:34:56.955Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e980de2ff109dacb6d9d3a77f01b27c467115ecb"
        },
        {
          "url": "https://git.kernel.org/stable/c/36ff93e66d0efc46e39fab536a9feec968daa766"
        },
        {
          "url": "https://git.kernel.org/stable/c/607b9fb2ce248cc5b633c5949e0153838992c152"
        }
      ],
      "title": "x86/CPU/AMD: Add RDSEED fix for Zen5",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68313",
    "datePublished": "2025-12-16T15:39:43.972Z",
    "dateReserved": "2025-12-16T14:48:05.295Z",
    "dateUpdated": "2026-01-02T15:34:56.955Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50843 (GCVE-0-2022-50843)

Vulnerability from cvelistv5 – Published: 2025-12-30 12:11 – Updated: 2025-12-30 12:11

Title

dm clone: Fix UAF in clone_dtr()

Summary

In the Linux kernel, the following vulnerability has been resolved: dm clone: Fix UAF in clone_dtr() Dm_clone also has the same UAF problem when dm_resume() and dm_destroy() are concurrent. Therefore, cancelling timer again in clone_dtr().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/520b56cfd9faee768…
	https://git.kernel.org/stable/c/342cfd8426dff4228…
	https://git.kernel.org/stable/c/856edd0e92f3fe896…
	https://git.kernel.org/stable/c/b1ddb666073bb5f36…
	https://git.kernel.org/stable/c/9e113cd4f61f3b000…
	https://git.kernel.org/stable/c/e4b5957c6f749a501…

Impacted products

Vendor

Product

Version

Linux

Affected: 7431b7835f554f8608b415a02cf3c3f086309e02 , < 520b56cfd9faee7683f081c3a38f11a81b13a68e (git)
Affected: 7431b7835f554f8608b415a02cf3c3f086309e02 , < 342cfd8426dff4228e6c714bcb9fc8295a2748dd (git)
Affected: 7431b7835f554f8608b415a02cf3c3f086309e02 , < 856edd0e92f3fe89606b704c86a93daedddfe6ec (git)
Affected: 7431b7835f554f8608b415a02cf3c3f086309e02 , < b1ddb666073bb5f36390aaabaa1a4d48d78c52ed (git)
Affected: 7431b7835f554f8608b415a02cf3c3f086309e02 , < 9e113cd4f61f3b0000843b2d0a90ce8b40a1fcff (git)
Affected: 7431b7835f554f8608b415a02cf3c3f086309e02 , < e4b5957c6f749a501c464f92792f1c8e26b61a94 (git)

Linux

Affected: 5.4
Unaffected: 0 , < 5.4 (semver)
Unaffected: 5.4.229 , ≤ 5.4.* (semver)
Unaffected: 5.10.163 , ≤ 5.10.* (semver)
Unaffected: 5.15.87 , ≤ 5.15.* (semver)
Unaffected: 6.0.18 , ≤ 6.0.* (semver)
Unaffected: 6.1.4 , ≤ 6.1.* (semver)
Unaffected: 6.2 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/dm-clone-target.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "520b56cfd9faee7683f081c3a38f11a81b13a68e",
              "status": "affected",
              "version": "7431b7835f554f8608b415a02cf3c3f086309e02",
              "versionType": "git"
            },
            {
              "lessThan": "342cfd8426dff4228e6c714bcb9fc8295a2748dd",
              "status": "affected",
              "version": "7431b7835f554f8608b415a02cf3c3f086309e02",
              "versionType": "git"
            },
            {
              "lessThan": "856edd0e92f3fe89606b704c86a93daedddfe6ec",
              "status": "affected",
              "version": "7431b7835f554f8608b415a02cf3c3f086309e02",
              "versionType": "git"
            },
            {
              "lessThan": "b1ddb666073bb5f36390aaabaa1a4d48d78c52ed",
              "status": "affected",
              "version": "7431b7835f554f8608b415a02cf3c3f086309e02",
              "versionType": "git"
            },
            {
              "lessThan": "9e113cd4f61f3b0000843b2d0a90ce8b40a1fcff",
              "status": "affected",
              "version": "7431b7835f554f8608b415a02cf3c3f086309e02",
              "versionType": "git"
            },
            {
              "lessThan": "e4b5957c6f749a501c464f92792f1c8e26b61a94",
              "status": "affected",
              "version": "7431b7835f554f8608b415a02cf3c3f086309e02",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/dm-clone-target.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.4"
            },
            {
              "lessThan": "5.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.229",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.163",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.229",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.163",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.87",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.18",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.4",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm clone: Fix UAF in clone_dtr()\n\nDm_clone also has the same UAF problem when dm_resume()\nand dm_destroy() are concurrent.\n\nTherefore, cancelling timer again in clone_dtr()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T12:11:01.130Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/520b56cfd9faee7683f081c3a38f11a81b13a68e"
        },
        {
          "url": "https://git.kernel.org/stable/c/342cfd8426dff4228e6c714bcb9fc8295a2748dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/856edd0e92f3fe89606b704c86a93daedddfe6ec"
        },
        {
          "url": "https://git.kernel.org/stable/c/b1ddb666073bb5f36390aaabaa1a4d48d78c52ed"
        },
        {
          "url": "https://git.kernel.org/stable/c/9e113cd4f61f3b0000843b2d0a90ce8b40a1fcff"
        },
        {
          "url": "https://git.kernel.org/stable/c/e4b5957c6f749a501c464f92792f1c8e26b61a94"
        }
      ],
      "title": "dm clone: Fix UAF in clone_dtr()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50843",
    "datePublished": "2025-12-30T12:11:01.130Z",
    "dateReserved": "2025-12-30T12:06:07.133Z",
    "dateUpdated": "2025-12-30T12:11:01.130Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40287 (GCVE-0-2025-40287)

Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2026-01-26 16:17

Title

exfat: fix improper check of dentry.stream.valid_size

Summary

In the Linux kernel, the following vulnerability has been resolved: exfat: fix improper check of dentry.stream.valid_size We found an infinite loop bug in the exFAT file system that can lead to a Denial-of-Service (DoS) condition. When a dentry in an exFAT filesystem is malformed, the following system calls — SYS_openat, SYS_ftruncate, and SYS_pwrite64 — can cause the kernel to hang. Root cause analysis shows that the size validation code in exfat_find() does not check whether dentry.stream.valid_size is negative. As a result, the system calls mentioned above can succeed and eventually trigger the DoS issue. This patch adds a check for negative dentry.stream.valid_size to prevent this vulnerability.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/6c627bcc1896ba62e…
	https://git.kernel.org/stable/c/204b1b02ee018ba52…
	https://git.kernel.org/stable/c/82ebecdc74ff555da…

Impacted products

Vendor

Product

Version

Linux

Affected: 11a347fb6cef62ce47e84b97c45f2b2497c7593b , < 6c627bcc1896ba62ec793d0c00da74f3c93ce3ad (git)
Affected: 11a347fb6cef62ce47e84b97c45f2b2497c7593b , < 204b1b02ee018ba52ad2ece21fe3a8643d66a1b2 (git)
Affected: 11a347fb6cef62ce47e84b97c45f2b2497c7593b , < 82ebecdc74ff555daf70b811d854b1f32a296bea (git)

Linux

Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.12.59 , ≤ 6.12.* (semver)
Unaffected: 6.17.9 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/exfat/namei.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6c627bcc1896ba62ec793d0c00da74f3c93ce3ad",
              "status": "affected",
              "version": "11a347fb6cef62ce47e84b97c45f2b2497c7593b",
              "versionType": "git"
            },
            {
              "lessThan": "204b1b02ee018ba52ad2ece21fe3a8643d66a1b2",
              "status": "affected",
              "version": "11a347fb6cef62ce47e84b97c45f2b2497c7593b",
              "versionType": "git"
            },
            {
              "lessThan": "82ebecdc74ff555daf70b811d854b1f32a296bea",
              "status": "affected",
              "version": "11a347fb6cef62ce47e84b97c45f2b2497c7593b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/exfat/namei.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix improper check of dentry.stream.valid_size\n\nWe found an infinite loop bug in the exFAT file system that can lead to a\nDenial-of-Service (DoS) condition. When a dentry in an exFAT filesystem is\nmalformed, the following system calls \u2014 SYS_openat, SYS_ftruncate, and\nSYS_pwrite64 \u2014 can cause the kernel to hang.\n\nRoot cause analysis shows that the size validation code in exfat_find()\ndoes not check whether dentry.stream.valid_size is negative. As a result,\nthe system calls mentioned above can succeed and eventually trigger the DoS\nissue.\n\nThis patch adds a check for negative dentry.stream.valid_size to prevent\nthis vulnerability."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-26T16:17:46.365Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6c627bcc1896ba62ec793d0c00da74f3c93ce3ad"
        },
        {
          "url": "https://git.kernel.org/stable/c/204b1b02ee018ba52ad2ece21fe3a8643d66a1b2"
        },
        {
          "url": "https://git.kernel.org/stable/c/82ebecdc74ff555daf70b811d854b1f32a296bea"
        }
      ],
      "title": "exfat: fix improper check of dentry.stream.valid_size",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40287",
    "datePublished": "2025-12-06T21:51:13.328Z",
    "dateReserved": "2025-04-16T07:20:57.184Z",
    "dateUpdated": "2026-01-26T16:17:46.365Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40239 (GCVE-0-2025-40239)

Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2025-12-04 15:31

Title

net: phy: micrel: always set shared->phydev for LAN8814

Summary

In the Linux kernel, the following vulnerability has been resolved: net: phy: micrel: always set shared->phydev for LAN8814 Currently, during the LAN8814 PTP probe shared->phydev is only set if PTP clock gets actually set, otherwise the function will return before setting it. This is an issue as shared->phydev is unconditionally being used when IRQ is being handled, especially in lan8814_gpio_process_cap and since it was not set it will cause a NULL pointer exception and crash the kernel. So, simply always set shared->phydev to avoid the NULL pointer exception.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/da1ef8e9eb5d4a12b…
	https://git.kernel.org/stable/c/b093b06826b836c28…
	https://git.kernel.org/stable/c/399d10934740ae8cd…

Impacted products

Vendor

Product

Version

Linux

Affected: b3f1a08fcf0dd58d99b14b9f8fbd1929f188b746 , < da1ef8e9eb5d4a12bec32d11636e521e7d529b9e (git)
Affected: b3f1a08fcf0dd58d99b14b9f8fbd1929f188b746 , < b093b06826b836c2824858669db080c190c04715 (git)
Affected: b3f1a08fcf0dd58d99b14b9f8fbd1929f188b746 , < 399d10934740ae8cdaa4e3245f7c5f6c332da844 (git)

Linux

Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.12.56 , ≤ 6.12.* (semver)
Unaffected: 6.17.6 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/phy/micrel.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "da1ef8e9eb5d4a12bec32d11636e521e7d529b9e",
              "status": "affected",
              "version": "b3f1a08fcf0dd58d99b14b9f8fbd1929f188b746",
              "versionType": "git"
            },
            {
              "lessThan": "b093b06826b836c2824858669db080c190c04715",
              "status": "affected",
              "version": "b3f1a08fcf0dd58d99b14b9f8fbd1929f188b746",
              "versionType": "git"
            },
            {
              "lessThan": "399d10934740ae8cdaa4e3245f7c5f6c332da844",
              "status": "affected",
              "version": "b3f1a08fcf0dd58d99b14b9f8fbd1929f188b746",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/phy/micrel.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.56",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.56",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.6",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: micrel: always set shared-\u003ephydev for LAN8814\n\nCurrently, during the LAN8814 PTP probe shared-\u003ephydev is only set if PTP\nclock gets actually set, otherwise the function will return before setting\nit.\n\nThis is an issue as shared-\u003ephydev is unconditionally being used when IRQ\nis being handled, especially in lan8814_gpio_process_cap and since it was\nnot set it will cause a NULL pointer exception and crash the kernel.\n\nSo, simply always set shared-\u003ephydev to avoid the NULL pointer exception."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-04T15:31:28.941Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/da1ef8e9eb5d4a12bec32d11636e521e7d529b9e"
        },
        {
          "url": "https://git.kernel.org/stable/c/b093b06826b836c2824858669db080c190c04715"
        },
        {
          "url": "https://git.kernel.org/stable/c/399d10934740ae8cdaa4e3245f7c5f6c332da844"
        }
      ],
      "title": "net: phy: micrel: always set shared-\u003ephydev for LAN8814",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40239",
    "datePublished": "2025-12-04T15:31:28.941Z",
    "dateReserved": "2025-04-16T07:20:57.181Z",
    "dateUpdated": "2025-12-04T15:31:28.941Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68744 (GCVE-0-2025-68744)

Vulnerability from cvelistv5 – Published: 2025-12-24 12:09 – Updated: 2026-01-11 16:30

Title

bpf: Free special fields when update [lru_,]percpu_hash maps

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf: Free special fields when update [lru_,]percpu_hash maps As [lru_,]percpu_hash maps support BPF_KPTR_{REF,PERCPU}, missing calls to 'bpf_obj_free_fields()' in 'pcpu_copy_value()' could cause the memory referenced by BPF_KPTR_{REF,PERCPU} fields to be held until the map gets freed. Fix this by calling 'bpf_obj_free_fields()' after 'copy_map_value[,_long]()' in 'pcpu_copy_value()'.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/994d6303ed0b84cbc…
	https://git.kernel.org/stable/c/3bf1378747e251571…
	https://git.kernel.org/stable/c/96a5cb7072cabbac5…
	https://git.kernel.org/stable/c/4a03d69cece145e4f…
	https://git.kernel.org/stable/c/6af6e49a76c9af7d4…

Impacted products

Vendor

Product

Version

Linux

Affected: 65334e64a493c6a0976de7ad56bf8b7a9ff04b4a , < 994d6303ed0b84cbc795bb5becf7ed6de40d3f3c (git)
Affected: 65334e64a493c6a0976de7ad56bf8b7a9ff04b4a , < 3bf1378747e251571e0de15e7e0a6bf2919044e7 (git)
Affected: 65334e64a493c6a0976de7ad56bf8b7a9ff04b4a , < 96a5cb7072cabbac5c66ac9318242c3bdceebb68 (git)
Affected: 65334e64a493c6a0976de7ad56bf8b7a9ff04b4a , < 4a03d69cece145e4fb527464be29c3806aa3221e (git)
Affected: 65334e64a493c6a0976de7ad56bf8b7a9ff04b4a , < 6af6e49a76c9af7d42eb923703e7648cb2bf401a (git)

Linux

Affected: 6.4
Unaffected: 0 , < 6.4 (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.63 , ≤ 6.12.* (semver)
Unaffected: 6.17.13 , ≤ 6.17.* (semver)
Unaffected: 6.18.2 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/hashtab.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "994d6303ed0b84cbc795bb5becf7ed6de40d3f3c",
              "status": "affected",
              "version": "65334e64a493c6a0976de7ad56bf8b7a9ff04b4a",
              "versionType": "git"
            },
            {
              "lessThan": "3bf1378747e251571e0de15e7e0a6bf2919044e7",
              "status": "affected",
              "version": "65334e64a493c6a0976de7ad56bf8b7a9ff04b4a",
              "versionType": "git"
            },
            {
              "lessThan": "96a5cb7072cabbac5c66ac9318242c3bdceebb68",
              "status": "affected",
              "version": "65334e64a493c6a0976de7ad56bf8b7a9ff04b4a",
              "versionType": "git"
            },
            {
              "lessThan": "4a03d69cece145e4fb527464be29c3806aa3221e",
              "status": "affected",
              "version": "65334e64a493c6a0976de7ad56bf8b7a9ff04b4a",
              "versionType": "git"
            },
            {
              "lessThan": "6af6e49a76c9af7d42eb923703e7648cb2bf401a",
              "status": "affected",
              "version": "65334e64a493c6a0976de7ad56bf8b7a9ff04b4a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/hashtab.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.63",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.63",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.13",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.2",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Free special fields when update [lru_,]percpu_hash maps\n\nAs [lru_,]percpu_hash maps support BPF_KPTR_{REF,PERCPU}, missing\ncalls to \u0027bpf_obj_free_fields()\u0027 in \u0027pcpu_copy_value()\u0027 could cause the\nmemory referenced by BPF_KPTR_{REF,PERCPU} fields to be held until the\nmap gets freed.\n\nFix this by calling \u0027bpf_obj_free_fields()\u0027 after\n\u0027copy_map_value[,_long]()\u0027 in \u0027pcpu_copy_value()\u0027."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-11T16:30:22.161Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/994d6303ed0b84cbc795bb5becf7ed6de40d3f3c"
        },
        {
          "url": "https://git.kernel.org/stable/c/3bf1378747e251571e0de15e7e0a6bf2919044e7"
        },
        {
          "url": "https://git.kernel.org/stable/c/96a5cb7072cabbac5c66ac9318242c3bdceebb68"
        },
        {
          "url": "https://git.kernel.org/stable/c/4a03d69cece145e4fb527464be29c3806aa3221e"
        },
        {
          "url": "https://git.kernel.org/stable/c/6af6e49a76c9af7d42eb923703e7648cb2bf401a"
        }
      ],
      "title": "bpf: Free special fields when update [lru_,]percpu_hash maps",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68744",
    "datePublished": "2025-12-24T12:09:40.839Z",
    "dateReserved": "2025-12-24T10:30:51.031Z",
    "dateUpdated": "2026-01-11T16:30:22.161Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40255 (GCVE-0-2025-40255)

Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-04 16:08

Title

net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower()

Summary

In the Linux kernel, the following vulnerability has been resolved: net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower() The ethtool tsconfig Netlink path can trigger a null pointer dereference. A call chain such as: tsconfig_prepare_data() -> dev_get_hwtstamp_phylib() -> vlan_hwtstamp_get() -> generic_hwtstamp_get_lower() -> generic_hwtstamp_ioctl_lower() results in generic_hwtstamp_ioctl_lower() being called with kernel_cfg->ifr as NULL. The generic_hwtstamp_ioctl_lower() function does not expect a NULL ifr and dereferences it, leading to a system crash. Fix this by adding a NULL check for kernel_cfg->ifr in generic_hwtstamp_ioctl_lower(). If ifr is NULL, return -EINVAL.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/8817f816ae41908e9…
	https://git.kernel.org/stable/c/f796a8dec9beafcc0…

Impacted products

Vendor

Product

Version

Linux

Affected: 6e9e2eed4f39d52edf5fd006409d211facf49f6b , < 8817f816ae41908e9625c0770c4af0dcdcc01238 (git)
Affected: 6e9e2eed4f39d52edf5fd006409d211facf49f6b , < f796a8dec9beafcc0f6f0d3478ed685a15c5e062 (git)

Linux

Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 6.17.10 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/dev_ioctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8817f816ae41908e9625c0770c4af0dcdcc01238",
              "status": "affected",
              "version": "6e9e2eed4f39d52edf5fd006409d211facf49f6b",
              "versionType": "git"
            },
            {
              "lessThan": "f796a8dec9beafcc0f6f0d3478ed685a15c5e062",
              "status": "affected",
              "version": "6e9e2eed4f39d52edf5fd006409d211facf49f6b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/dev_ioctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.10",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: core: prevent NULL deref in generic_hwtstamp_ioctl_lower()\n\nThe ethtool tsconfig Netlink path can trigger a null pointer\ndereference. A call chain such as:\n\n  tsconfig_prepare_data() -\u003e\n  dev_get_hwtstamp_phylib() -\u003e\n  vlan_hwtstamp_get() -\u003e\n  generic_hwtstamp_get_lower() -\u003e\n  generic_hwtstamp_ioctl_lower()\n\nresults in generic_hwtstamp_ioctl_lower() being called with\nkernel_cfg-\u003eifr as NULL.\n\nThe generic_hwtstamp_ioctl_lower() function does not expect\na NULL ifr and dereferences it, leading to a system crash.\n\nFix this by adding a NULL check for kernel_cfg-\u003eifr in\ngeneric_hwtstamp_ioctl_lower(). If ifr is NULL, return -EINVAL."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-04T16:08:17.023Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8817f816ae41908e9625c0770c4af0dcdcc01238"
        },
        {
          "url": "https://git.kernel.org/stable/c/f796a8dec9beafcc0f6f0d3478ed685a15c5e062"
        }
      ],
      "title": "net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40255",
    "datePublished": "2025-12-04T16:08:17.023Z",
    "dateReserved": "2025-04-16T07:20:57.181Z",
    "dateUpdated": "2025-12-04T16:08:17.023Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40309 (GCVE-0-2025-40309)

Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-01-02 15:33

Title

Bluetooth: SCO: Fix UAF on sco_conn_free

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix UAF on sco_conn_free BUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline] BUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline] BUG: KASAN: slab-use-after-free in sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107 Write of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352 CPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted 6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: hci13 hci_cmd_sync_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x191/0x550 mm/kasan/report.c:482 kasan_report+0xc4/0x100 mm/kasan/report.c:595 sco_conn_free net/bluetooth/sco.c:87 [inline] kref_put include/linux/kref.h:65 [inline] sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107 sco_connect_cfm+0xb4/0xae0 net/bluetooth/sco.c:1441 hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline] hci_conn_failed+0x20a/0x2e0 net/bluetooth/hci_conn.c:1313 hci_conn_unlink+0x55f/0x810 net/bluetooth/hci_conn.c:1121 hci_conn_del+0xb6/0x1110 net/bluetooth/hci_conn.c:1147 hci_abort_conn_sync+0x8c5/0xbb0 net/bluetooth/hci_sync.c:5689 hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332 process_one_work kernel/workqueue.c:3236 [inline] process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319 worker_thread+0xbee/0x1200 kernel/workqueue.c:3400 kthread+0x3c7/0x870 kernel/kthread.c:463 ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 31370: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x70 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:388 [inline] __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4382 [inline] __kmalloc_noprof+0x22f/0x390 mm/slub.c:4394 kmalloc_noprof include/linux/slab.h:909 [inline] sk_prot_alloc+0xae/0x220 net/core/sock.c:2239 sk_alloc+0x34/0x5a0 net/core/sock.c:2295 bt_sock_alloc+0x3c/0x330 net/bluetooth/af_bluetooth.c:151 sco_sock_alloc net/bluetooth/sco.c:562 [inline] sco_sock_create+0xc0/0x350 net/bluetooth/sco.c:593 bt_sock_create+0x161/0x3b0 net/bluetooth/af_bluetooth.c:135 __sock_create+0x3ad/0x780 net/socket.c:1589 sock_create net/socket.c:1647 [inline] __sys_socket_create net/socket.c:1684 [inline] __sys_socket+0xd5/0x330 net/socket.c:1731 __do_sys_socket net/socket.c:1745 [inline] __se_sys_socket net/socket.c:1743 [inline] __x64_sys_socket+0x7a/0x90 net/socket.c:1743 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 31374: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x70 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:243 [inline] __kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2428 [inline] slab_free mm/slub.c:4701 [inline] kfree+0x199/0x3b0 mm/slub.c:4900 sk_prot_free net/core/sock.c:2278 [inline] __sk_destruct+0x4aa/0x630 net/core/sock.c:2373 sco_sock_release+0x2ad/0x300 net/bluetooth/sco.c:1333 __sock_release net/socket.c:649 [inline] sock_close+0xb8/0x230 net/socket.c:1439 __fput+0x3d1/0x9e0 fs/file_table.c:468 task_work_run+0x206/0x2a0 kernel/task_work.c:227 get_signal+0x1201/0x1410 kernel/signal.c:2807 arch_do_signal_or_restart+0x34/0x740 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop+0x68/0xc0 kernel/entry/common.c:40 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline] s ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/391f83547b7b2c63e…
	https://git.kernel.org/stable/c/ecb9a843be4d6fd71…

Impacted products

Vendor

Product

Version

Linux

Affected: e6720779ae612a14ac4ba7fe4fd5b27d900d932c , < 391f83547b7b2c63e4b572ab838e10a06cfa4425 (git)
Affected: e6720779ae612a14ac4ba7fe4fd5b27d900d932c , < ecb9a843be4d6fd710d7026e359f21015a062572 (git)

Linux

Affected: 6.13
Unaffected: 0 , < 6.13 (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/sco.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "391f83547b7b2c63e4b572ab838e10a06cfa4425",
              "status": "affected",
              "version": "e6720779ae612a14ac4ba7fe4fd5b27d900d932c",
              "versionType": "git"
            },
            {
              "lessThan": "ecb9a843be4d6fd710d7026e359f21015a062572",
              "status": "affected",
              "version": "e6720779ae612a14ac4ba7fe4fd5b27d900d932c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/sco.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SCO: Fix UAF on sco_conn_free\n\nBUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline]\nBUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline]\nBUG: KASAN: slab-use-after-free in sco_conn_put+0xdd/0x410\nnet/bluetooth/sco.c:107\nWrite of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352\n\nCPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted\n6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\nWorkqueue: hci13 hci_cmd_sync_work\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0x191/0x550 mm/kasan/report.c:482\n kasan_report+0xc4/0x100 mm/kasan/report.c:595\n sco_conn_free net/bluetooth/sco.c:87 [inline]\n kref_put include/linux/kref.h:65 [inline]\n sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107\n sco_connect_cfm+0xb4/0xae0 net/bluetooth/sco.c:1441\n hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline]\n hci_conn_failed+0x20a/0x2e0 net/bluetooth/hci_conn.c:1313\n hci_conn_unlink+0x55f/0x810 net/bluetooth/hci_conn.c:1121\n hci_conn_del+0xb6/0x1110 net/bluetooth/hci_conn.c:1147\n hci_abort_conn_sync+0x8c5/0xbb0 net/bluetooth/hci_sync.c:5689\n hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332\n process_one_work kernel/workqueue.c:3236 [inline]\n process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319\n worker_thread+0xbee/0x1200 kernel/workqueue.c:3400\n kthread+0x3c7/0x870 kernel/kthread.c:463\n ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n \u003c/TASK\u003e\n\nAllocated by task 31370:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x30/0x70 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:388 [inline]\n __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4382 [inline]\n __kmalloc_noprof+0x22f/0x390 mm/slub.c:4394\n kmalloc_noprof include/linux/slab.h:909 [inline]\n sk_prot_alloc+0xae/0x220 net/core/sock.c:2239\n sk_alloc+0x34/0x5a0 net/core/sock.c:2295\n bt_sock_alloc+0x3c/0x330 net/bluetooth/af_bluetooth.c:151\n sco_sock_alloc net/bluetooth/sco.c:562 [inline]\n sco_sock_create+0xc0/0x350 net/bluetooth/sco.c:593\n bt_sock_create+0x161/0x3b0 net/bluetooth/af_bluetooth.c:135\n __sock_create+0x3ad/0x780 net/socket.c:1589\n sock_create net/socket.c:1647 [inline]\n __sys_socket_create net/socket.c:1684 [inline]\n __sys_socket+0xd5/0x330 net/socket.c:1731\n __do_sys_socket net/socket.c:1745 [inline]\n __se_sys_socket net/socket.c:1743 [inline]\n __x64_sys_socket+0x7a/0x90 net/socket.c:1743\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nFreed by task 31374:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x30/0x70 mm/kasan/common.c:68\n kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576\n poison_slab_object mm/kasan/common.c:243 [inline]\n __kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275\n kasan_slab_free include/linux/kasan.h:233 [inline]\n slab_free_hook mm/slub.c:2428 [inline]\n slab_free mm/slub.c:4701 [inline]\n kfree+0x199/0x3b0 mm/slub.c:4900\n sk_prot_free net/core/sock.c:2278 [inline]\n __sk_destruct+0x4aa/0x630 net/core/sock.c:2373\n sco_sock_release+0x2ad/0x300 net/bluetooth/sco.c:1333\n __sock_release net/socket.c:649 [inline]\n sock_close+0xb8/0x230 net/socket.c:1439\n __fput+0x3d1/0x9e0 fs/file_table.c:468\n task_work_run+0x206/0x2a0 kernel/task_work.c:227\n get_signal+0x1201/0x1410 kernel/signal.c:2807\n arch_do_signal_or_restart+0x34/0x740 arch/x86/kernel/signal.c:337\n exit_to_user_mode_loop+0x68/0xc0 kernel/entry/common.c:40\n exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]\n s\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:33:30.865Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/391f83547b7b2c63e4b572ab838e10a06cfa4425"
        },
        {
          "url": "https://git.kernel.org/stable/c/ecb9a843be4d6fd710d7026e359f21015a062572"
        }
      ],
      "title": "Bluetooth: SCO: Fix UAF on sco_conn_free",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40309",
    "datePublished": "2025-12-08T00:46:34.785Z",
    "dateReserved": "2025-04-16T07:20:57.185Z",
    "dateUpdated": "2026-01-02T15:33:30.865Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-1048 (GCVE-0-2022-1048)

Vulnerability from cvelistv5 – Published: 2022-04-29 15:34 – Updated: 2024-08-02 23:47

Summary

A use-after-free flaw was found in the Linux kernel’s sound subsystem in the way a user triggers concurrent calls of PCM hw_params. The hw_free ioctls or similar race condition happens inside ALSA PCM for other ioctls. This flaw allows a local user to crash or potentially escalate their privileges on the system.

Severity ?

No CVSS data available.

CWE

CWE-416

Assigner

redhat

References

URL

Tags

	https://bugzilla.redhat.com/show_bug.cgi?id=2066706	x_refsource_MISC
	https://lore.kernel.org/lkml/20220322170720.3529-…	x_refsource_MISC
	https://www.debian.org/security/2022/dsa-5127	vendor-advisoryx_refsource_DEBIAN
	https://security.netapp.com/advisory/ntap-2022062…	x_refsource_CONFIRM
	https://www.debian.org/security/2022/dsa-5173	vendor-advisoryx_refsource_DEBIAN

Impacted products

	Vendor	Product	Version
	n/a	kernel	Affected: Linux kernel 5.17-rc9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:47:43.301Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066706"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lore.kernel.org/lkml/20220322170720.3529-5-tiwai%40suse.de/T/#m1d3b791b815556012c6be92f1c4a7086b854f7f3"
          },
          {
            "name": "DSA-5127",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5127"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220629-0001/"
          },
          {
            "name": "DSA-5173",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5173"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "kernel",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Linux kernel 5.17-rc9"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A use-after-free flaw was found in the Linux kernel\u2019s sound subsystem in the way a user triggers concurrent calls of PCM hw_params. The hw_free ioctls or similar race condition happens inside ALSA PCM for other ioctls. This flaw allows a local user to crash or potentially escalate their privileges on the system."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-04T10:06:10",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066706"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lore.kernel.org/lkml/20220322170720.3529-5-tiwai%40suse.de/T/#m1d3b791b815556012c6be92f1c4a7086b854f7f3"
        },
        {
          "name": "DSA-5127",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5127"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220629-0001/"
        },
        {
          "name": "DSA-5173",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5173"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2022-1048",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "kernel",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Linux kernel 5.17-rc9"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A use-after-free flaw was found in the Linux kernel\u2019s sound subsystem in the way a user triggers concurrent calls of PCM hw_params. The hw_free ioctls or similar race condition happens inside ALSA PCM for other ioctls. This flaw allows a local user to crash or potentially escalate their privileges on the system."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-416"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=2066706",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066706"
            },
            {
              "name": "https://lore.kernel.org/lkml/20220322170720.3529-5-tiwai@suse.de/T/#m1d3b791b815556012c6be92f1c4a7086b854f7f3",
              "refsource": "MISC",
              "url": "https://lore.kernel.org/lkml/20220322170720.3529-5-tiwai@suse.de/T/#m1d3b791b815556012c6be92f1c4a7086b854f7f3"
            },
            {
              "name": "DSA-5127",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2022/dsa-5127"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220629-0001/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220629-0001/"
            },
            {
              "name": "DSA-5173",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2022/dsa-5173"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2022-1048",
    "datePublished": "2022-04-29T15:34:44",
    "dateReserved": "2022-03-22T00:00:00",
    "dateUpdated": "2024-08-02T23:47:43.301Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-40019 (GCVE-0-2025-40019)

Vulnerability from cvelistv5 – Published: 2025-10-24 11:44 – Updated: 2025-12-01 06:16

Title

crypto: essiv - Check ssize for decryption and in-place encryption

Summary

In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/29294dd6f1e7acf52…
	https://git.kernel.org/stable/c/71f03f8f72d9c70ff…
	https://git.kernel.org/stable/c/df58651968f82344a…
	https://git.kernel.org/stable/c/248ff2797ff52a8cb…
	https://git.kernel.org/stable/c/f37e7860dc5e94c70…
	https://git.kernel.org/stable/c/dc4c854a5e7453c46…
	https://git.kernel.org/stable/c/da7afb01ba05577ba…
	https://git.kernel.org/stable/c/6bb73db6948c2de23…

Impacted products

Vendor

Product

Version

Linux

Affected: be1eb7f78aa8fbe34779c56c266ccd0364604e71 , < 29294dd6f1e7acf527255fb136ffde6602c3a129 (git)
Affected: be1eb7f78aa8fbe34779c56c266ccd0364604e71 , < 71f03f8f72d9c70ffba76980e78b38c180e61589 (git)
Affected: be1eb7f78aa8fbe34779c56c266ccd0364604e71 , < df58651968f82344a0ed2afdafd20ecfc55ff548 (git)
Affected: be1eb7f78aa8fbe34779c56c266ccd0364604e71 , < 248ff2797ff52a8cbf86507f9583437443bf7685 (git)
Affected: be1eb7f78aa8fbe34779c56c266ccd0364604e71 , < f37e7860dc5e94c70b4a3e38a5809181310ea9ac (git)
Affected: be1eb7f78aa8fbe34779c56c266ccd0364604e71 , < dc4c854a5e7453c465fa73b153eba4ef2a240abe (git)
Affected: be1eb7f78aa8fbe34779c56c266ccd0364604e71 , < da7afb01ba05577ba3629f7f4824205550644986 (git)
Affected: be1eb7f78aa8fbe34779c56c266ccd0364604e71 , < 6bb73db6948c2de23e407fe1b7ef94bf02b7529f (git)

Linux

Affected: 5.4
Unaffected: 0 , < 5.4 (semver)
Unaffected: 5.4.301 , ≤ 5.4.* (semver)
Unaffected: 5.10.246 , ≤ 5.10.* (semver)
Unaffected: 5.15.195 , ≤ 5.15.* (semver)
Unaffected: 6.1.157 , ≤ 6.1.* (semver)
Unaffected: 6.6.113 , ≤ 6.6.* (semver)
Unaffected: 6.12.54 , ≤ 6.12.* (semver)
Unaffected: 6.17.4 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "crypto/essiv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "29294dd6f1e7acf527255fb136ffde6602c3a129",
              "status": "affected",
              "version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
              "versionType": "git"
            },
            {
              "lessThan": "71f03f8f72d9c70ffba76980e78b38c180e61589",
              "status": "affected",
              "version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
              "versionType": "git"
            },
            {
              "lessThan": "df58651968f82344a0ed2afdafd20ecfc55ff548",
              "status": "affected",
              "version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
              "versionType": "git"
            },
            {
              "lessThan": "248ff2797ff52a8cbf86507f9583437443bf7685",
              "status": "affected",
              "version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
              "versionType": "git"
            },
            {
              "lessThan": "f37e7860dc5e94c70b4a3e38a5809181310ea9ac",
              "status": "affected",
              "version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
              "versionType": "git"
            },
            {
              "lessThan": "dc4c854a5e7453c465fa73b153eba4ef2a240abe",
              "status": "affected",
              "version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
              "versionType": "git"
            },
            {
              "lessThan": "da7afb01ba05577ba3629f7f4824205550644986",
              "status": "affected",
              "version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
              "versionType": "git"
            },
            {
              "lessThan": "6bb73db6948c2de23e407fe1b7ef94bf02b7529f",
              "status": "affected",
              "version": "be1eb7f78aa8fbe34779c56c266ccd0364604e71",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "crypto/essiv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.4"
            },
            {
              "lessThan": "5.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.301",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.246",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.195",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.157",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.54",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.301",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.246",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.195",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.157",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.113",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.54",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.4",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: essiv - Check ssize for decryption and in-place encryption\n\nMove the ssize check to the start in essiv_aead_crypt so that\nit\u0027s also checked for decryption and in-place encryption."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-01T06:16:25.443Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/29294dd6f1e7acf527255fb136ffde6602c3a129"
        },
        {
          "url": "https://git.kernel.org/stable/c/71f03f8f72d9c70ffba76980e78b38c180e61589"
        },
        {
          "url": "https://git.kernel.org/stable/c/df58651968f82344a0ed2afdafd20ecfc55ff548"
        },
        {
          "url": "https://git.kernel.org/stable/c/248ff2797ff52a8cbf86507f9583437443bf7685"
        },
        {
          "url": "https://git.kernel.org/stable/c/f37e7860dc5e94c70b4a3e38a5809181310ea9ac"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc4c854a5e7453c465fa73b153eba4ef2a240abe"
        },
        {
          "url": "https://git.kernel.org/stable/c/da7afb01ba05577ba3629f7f4824205550644986"
        },
        {
          "url": "https://git.kernel.org/stable/c/6bb73db6948c2de23e407fe1b7ef94bf02b7529f"
        }
      ],
      "title": "crypto: essiv - Check ssize for decryption and in-place encryption",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40019",
    "datePublished": "2025-10-24T11:44:29.864Z",
    "dateReserved": "2025-04-16T07:20:57.152Z",
    "dateUpdated": "2025-12-01T06:16:25.443Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50889 (GCVE-0-2022-50889)

Vulnerability from cvelistv5 – Published: 2025-12-30 12:37 – Updated: 2025-12-30 12:37

Title

dm integrity: Fix UAF in dm_integrity_dtr()

Summary

In the Linux kernel, the following vulnerability has been resolved: dm integrity: Fix UAF in dm_integrity_dtr() Dm_integrity also has the same UAF problem when dm_resume() and dm_destroy() are concurrent. Therefore, cancelling timer again in dm_integrity_dtr().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/792e51aac376cfb5b…
	https://git.kernel.org/stable/c/a506b5c92757b0340…
	https://git.kernel.org/stable/c/9215b25f2e1050321…
	https://git.kernel.org/stable/c/9f8e1e54a3a424c6c…
	https://git.kernel.org/stable/c/b6c93cd61afab061d…
	https://git.kernel.org/stable/c/f50cb2cbabd6c4a60…

Impacted products

Vendor

Product

Version

Linux

Affected: 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 , < 792e51aac376cfb5bd527c2a30826223b82dd177 (git)
Affected: 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 , < a506b5c92757b034034ef683e667bffc456c600b (git)
Affected: 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 , < 9215b25f2e105032114e9b92c9783a2a84ee8af9 (git)
Affected: 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 , < 9f8e1e54a3a424c6c4fb8742e094789d3ec91e42 (git)
Affected: 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 , < b6c93cd61afab061d80cc842333abca97b289774 (git)
Affected: 7eada909bfd7ac90a4522e56aa3179d1fd68cd14 , < f50cb2cbabd6c4a60add93d72451728f86e4791c (git)

Linux

Affected: 4.12
Unaffected: 0 , < 4.12 (semver)
Unaffected: 5.4.229 , ≤ 5.4.* (semver)
Unaffected: 5.10.163 , ≤ 5.10.* (semver)
Unaffected: 5.15.87 , ≤ 5.15.* (semver)
Unaffected: 6.0.18 , ≤ 6.0.* (semver)
Unaffected: 6.1.4 , ≤ 6.1.* (semver)
Unaffected: 6.2 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/dm-integrity.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "792e51aac376cfb5bd527c2a30826223b82dd177",
              "status": "affected",
              "version": "7eada909bfd7ac90a4522e56aa3179d1fd68cd14",
              "versionType": "git"
            },
            {
              "lessThan": "a506b5c92757b034034ef683e667bffc456c600b",
              "status": "affected",
              "version": "7eada909bfd7ac90a4522e56aa3179d1fd68cd14",
              "versionType": "git"
            },
            {
              "lessThan": "9215b25f2e105032114e9b92c9783a2a84ee8af9",
              "status": "affected",
              "version": "7eada909bfd7ac90a4522e56aa3179d1fd68cd14",
              "versionType": "git"
            },
            {
              "lessThan": "9f8e1e54a3a424c6c4fb8742e094789d3ec91e42",
              "status": "affected",
              "version": "7eada909bfd7ac90a4522e56aa3179d1fd68cd14",
              "versionType": "git"
            },
            {
              "lessThan": "b6c93cd61afab061d80cc842333abca97b289774",
              "status": "affected",
              "version": "7eada909bfd7ac90a4522e56aa3179d1fd68cd14",
              "versionType": "git"
            },
            {
              "lessThan": "f50cb2cbabd6c4a60add93d72451728f86e4791c",
              "status": "affected",
              "version": "7eada909bfd7ac90a4522e56aa3179d1fd68cd14",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/dm-integrity.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.12"
            },
            {
              "lessThan": "4.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.229",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.163",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.229",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.163",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.87",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.18",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.4",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm integrity: Fix UAF in dm_integrity_dtr()\n\nDm_integrity also has the same UAF problem when dm_resume()\nand dm_destroy() are concurrent.\n\nTherefore, cancelling timer again in dm_integrity_dtr()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T12:37:06.957Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/792e51aac376cfb5bd527c2a30826223b82dd177"
        },
        {
          "url": "https://git.kernel.org/stable/c/a506b5c92757b034034ef683e667bffc456c600b"
        },
        {
          "url": "https://git.kernel.org/stable/c/9215b25f2e105032114e9b92c9783a2a84ee8af9"
        },
        {
          "url": "https://git.kernel.org/stable/c/9f8e1e54a3a424c6c4fb8742e094789d3ec91e42"
        },
        {
          "url": "https://git.kernel.org/stable/c/b6c93cd61afab061d80cc842333abca97b289774"
        },
        {
          "url": "https://git.kernel.org/stable/c/f50cb2cbabd6c4a60add93d72451728f86e4791c"
        }
      ],
      "title": "dm integrity: Fix UAF in dm_integrity_dtr()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50889",
    "datePublished": "2025-12-30T12:37:06.957Z",
    "dateReserved": "2025-12-30T12:35:41.596Z",
    "dateUpdated": "2025-12-30T12:37:06.957Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40323 (GCVE-0-2025-40323)

Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-01-02 15:33

Title

fbcon: Set fb_display[i]->mode to NULL when the mode is released

Summary

In the Linux kernel, the following vulnerability has been resolved: fbcon: Set fb_display[i]->mode to NULL when the mode is released Recently, we discovered the following issue through syzkaller: BUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0 Read of size 4 at addr ff11000001b3c69c by task syz.xxx ... Call Trace: <TASK> dump_stack_lvl+0xab/0xe0 print_address_description.constprop.0+0x2c/0x390 print_report+0xb9/0x280 kasan_report+0xb8/0xf0 fb_mode_is_equal+0x285/0x2f0 fbcon_mode_deleted+0x129/0x180 fb_set_var+0xe7f/0x11d0 do_fb_ioctl+0x6a0/0x750 fb_ioctl+0xe0/0x140 __x64_sys_ioctl+0x193/0x210 do_syscall_64+0x5f/0x9c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Based on experimentation and analysis, during framebuffer unregistration, only the memory of fb_info->modelist is freed, without setting the corresponding fb_display[i]->mode to NULL for the freed modes. This leads to UAF issues during subsequent accesses. Here's an example of reproduction steps: 1. With /dev/fb0 already registered in the system, load a kernel module to register a new device /dev/fb1; 2. Set fb1's mode to the global fb_display[] array (via FBIOPUT_CON2FBMAP); 3. Switch console from fb to VGA (to allow normal rmmod of the ko); 4. Unload the kernel module, at this point fb1's modelist is freed, leaving a wild pointer in fb_display[]; 5. Trigger the bug via system calls through fb0 attempting to delete a mode from fb0. Add a check in do_unregister_framebuffer(): if the mode to be freed exists in fb_display[], set the corresponding mode pointer to NULL.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4ac18f0e6a6d599ca…
	https://git.kernel.org/stable/c/468f78276a37f4c64…
	https://git.kernel.org/stable/c/c079d42f70109512e…
	https://git.kernel.org/stable/c/de89d19f4f30d9a8d…
	https://git.kernel.org/stable/c/a1f3058930745d2b9…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4ac18f0e6a6d599ca751c4cd98e522afc8e3d4eb (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 468f78276a37f4c6499385a4ce28f4f57be6655d (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c079d42f70109512eee49123a843be91d8fa133f (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < de89d19f4f30d9a8de87b9d08c1bd35cb70576d8 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a1f3058930745d2b938b6b4f5bd9630dc74b26b7 (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/core/fbcon.c",
            "drivers/video/fbdev/core/fbmem.c",
            "include/linux/fbcon.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4ac18f0e6a6d599ca751c4cd98e522afc8e3d4eb",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "468f78276a37f4c6499385a4ce28f4f57be6655d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c079d42f70109512eee49123a843be91d8fa133f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "de89d19f4f30d9a8de87b9d08c1bd35cb70576d8",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a1f3058930745d2b938b6b4f5bd9630dc74b26b7",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/core/fbcon.c",
            "drivers/video/fbdev/core/fbmem.c",
            "include/linux/fbcon.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbcon: Set fb_display[i]-\u003emode to NULL when the mode is released\n\nRecently, we discovered the following issue through syzkaller:\n\nBUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0\nRead of size 4 at addr ff11000001b3c69c by task syz.xxx\n...\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xab/0xe0\n print_address_description.constprop.0+0x2c/0x390\n print_report+0xb9/0x280\n kasan_report+0xb8/0xf0\n fb_mode_is_equal+0x285/0x2f0\n fbcon_mode_deleted+0x129/0x180\n fb_set_var+0xe7f/0x11d0\n do_fb_ioctl+0x6a0/0x750\n fb_ioctl+0xe0/0x140\n __x64_sys_ioctl+0x193/0x210\n do_syscall_64+0x5f/0x9c0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nBased on experimentation and analysis, during framebuffer unregistration,\nonly the memory of fb_info-\u003emodelist is freed, without setting the\ncorresponding fb_display[i]-\u003emode to NULL for the freed modes. This leads\nto UAF issues during subsequent accesses. Here\u0027s an example of reproduction\nsteps:\n1. With /dev/fb0 already registered in the system, load a kernel module\n   to register a new device /dev/fb1;\n2. Set fb1\u0027s mode to the global fb_display[] array (via FBIOPUT_CON2FBMAP);\n3. Switch console from fb to VGA (to allow normal rmmod of the ko);\n4. Unload the kernel module, at this point fb1\u0027s modelist is freed, leaving\n   a wild pointer in fb_display[];\n5. Trigger the bug via system calls through fb0 attempting to delete a mode\n   from fb0.\n\nAdd a check in do_unregister_framebuffer(): if the mode to be freed exists\nin fb_display[], set the corresponding mode pointer to NULL."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:33:36.178Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4ac18f0e6a6d599ca751c4cd98e522afc8e3d4eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/468f78276a37f4c6499385a4ce28f4f57be6655d"
        },
        {
          "url": "https://git.kernel.org/stable/c/c079d42f70109512eee49123a843be91d8fa133f"
        },
        {
          "url": "https://git.kernel.org/stable/c/de89d19f4f30d9a8de87b9d08c1bd35cb70576d8"
        },
        {
          "url": "https://git.kernel.org/stable/c/a1f3058930745d2b938b6b4f5bd9630dc74b26b7"
        }
      ],
      "title": "fbcon: Set fb_display[i]-\u003emode to NULL when the mode is released",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40323",
    "datePublished": "2025-12-08T00:46:50.833Z",
    "dateReserved": "2025-04-16T07:20:57.186Z",
    "dateUpdated": "2026-01-02T15:33:36.178Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68249 (GCVE-0-2025-68249)

Vulnerability from cvelistv5 – Published: 2025-12-16 14:32 – Updated: 2025-12-16 14:32

Title

most: usb: hdm_probe: Fix calling put_device() before device initialization

Summary

In the Linux kernel, the following vulnerability has been resolved: most: usb: hdm_probe: Fix calling put_device() before device initialization The early error path in hdm_probe() can jump to err_free_mdev before &mdev->dev has been initialized with device_initialize(). Calling put_device(&mdev->dev) there triggers a device core WARN and ends up invoking kref_put(&kobj->kref, kobject_release) on an uninitialized kobject. In this path the private struct was only kmalloc'ed and the intended release is effectively kfree(mdev) anyway, so free it directly instead of calling put_device() on an uninitialized device. This removes the WARNING and fixes the pre-initialization error path.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/3509c748e79435d09…
	https://git.kernel.org/stable/c/ad2be44882716dc35…
	https://git.kernel.org/stable/c/c400410fe0580dd61…
	https://git.kernel.org/stable/c/6fb8fbc0aa542af5b…
	https://git.kernel.org/stable/c/7d851f746067b8ee5…
	https://git.kernel.org/stable/c/4af0eedbdb4df7936…
	https://git.kernel.org/stable/c/a8cc9e5fcb0e2eef2…

Impacted products

Vendor

Product

Version

Linux

Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < 3509c748e79435d09e730673c8c100b7f0ebc87c (git)
Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < ad2be44882716dc3589fbc5572cc13f88ead6b24 (git)
Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < c400410fe0580dd6118ae8d60287ac9ce71a65fd (git)
Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < 6fb8fbc0aa542af5bf0fed94fa6b0edf18144f95 (git)
Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < 7d851f746067b8ee5bac9c262f326ace0a6ea253 (git)
Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < 4af0eedbdb4df7936bf43a28e31af232744d2620 (git)
Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < a8cc9e5fcb0e2eef21513a4fec888f5712cb8162 (git)

Linux

Affected: 5.9
Unaffected: 0 , < 5.9 (semver)
Unaffected: 5.10.246 , ≤ 5.10.* (semver)
Unaffected: 5.15.196 , ≤ 5.15.* (semver)
Unaffected: 6.1.158 , ≤ 6.1.* (semver)
Unaffected: 6.6.115 , ≤ 6.6.* (semver)
Unaffected: 6.12.56 , ≤ 6.12.* (semver)
Unaffected: 6.17.6 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/most/most_usb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3509c748e79435d09e730673c8c100b7f0ebc87c",
              "status": "affected",
              "version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
              "versionType": "git"
            },
            {
              "lessThan": "ad2be44882716dc3589fbc5572cc13f88ead6b24",
              "status": "affected",
              "version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
              "versionType": "git"
            },
            {
              "lessThan": "c400410fe0580dd6118ae8d60287ac9ce71a65fd",
              "status": "affected",
              "version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
              "versionType": "git"
            },
            {
              "lessThan": "6fb8fbc0aa542af5bf0fed94fa6b0edf18144f95",
              "status": "affected",
              "version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
              "versionType": "git"
            },
            {
              "lessThan": "7d851f746067b8ee5bac9c262f326ace0a6ea253",
              "status": "affected",
              "version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
              "versionType": "git"
            },
            {
              "lessThan": "4af0eedbdb4df7936bf43a28e31af232744d2620",
              "status": "affected",
              "version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
              "versionType": "git"
            },
            {
              "lessThan": "a8cc9e5fcb0e2eef21513a4fec888f5712cb8162",
              "status": "affected",
              "version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/most/most_usb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.9"
            },
            {
              "lessThan": "5.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.246",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.196",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.158",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.115",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.56",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.246",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.196",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.158",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.115",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.56",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.6",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmost: usb: hdm_probe: Fix calling put_device() before device initialization\n\nThe early error path in hdm_probe() can jump to err_free_mdev before\n\u0026mdev-\u003edev has been initialized with device_initialize(). Calling\nput_device(\u0026mdev-\u003edev) there triggers a device core WARN and ends up\ninvoking kref_put(\u0026kobj-\u003ekref, kobject_release) on an uninitialized\nkobject.\n\nIn this path the private struct was only kmalloc\u0027ed and the intended\nrelease is effectively kfree(mdev) anyway, so free it directly instead\nof calling put_device() on an uninitialized device.\n\nThis removes the WARNING and fixes the pre-initialization error path."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T14:32:16.370Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3509c748e79435d09e730673c8c100b7f0ebc87c"
        },
        {
          "url": "https://git.kernel.org/stable/c/ad2be44882716dc3589fbc5572cc13f88ead6b24"
        },
        {
          "url": "https://git.kernel.org/stable/c/c400410fe0580dd6118ae8d60287ac9ce71a65fd"
        },
        {
          "url": "https://git.kernel.org/stable/c/6fb8fbc0aa542af5bf0fed94fa6b0edf18144f95"
        },
        {
          "url": "https://git.kernel.org/stable/c/7d851f746067b8ee5bac9c262f326ace0a6ea253"
        },
        {
          "url": "https://git.kernel.org/stable/c/4af0eedbdb4df7936bf43a28e31af232744d2620"
        },
        {
          "url": "https://git.kernel.org/stable/c/a8cc9e5fcb0e2eef21513a4fec888f5712cb8162"
        }
      ],
      "title": "most: usb: hdm_probe: Fix calling put_device() before device initialization",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68249",
    "datePublished": "2025-12-16T14:32:16.370Z",
    "dateReserved": "2025-12-16T13:41:40.266Z",
    "dateUpdated": "2025-12-16T14:32:16.370Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50730 (GCVE-0-2022-50730)

Vulnerability from cvelistv5 – Published: 2025-12-24 12:22 – Updated: 2025-12-24 12:22

Title

ext4: silence the warning when evicting inode with dioread_nolock

Summary

In the Linux kernel, the following vulnerability has been resolved: ext4: silence the warning when evicting inode with dioread_nolock When evicting an inode with default dioread_nolock, it could be raced by the unwritten extents converting kworker after writeback some new allocated dirty blocks. It convert unwritten extents to written, the extents could be merged to upper level and free extent blocks, so it could mark the inode dirty again even this inode has been marked I_FREEING. But the inode->i_io_list check and warning in ext4_evict_inode() missing this corner case. Fortunately, ext4_evict_inode() will wait all extents converting finished before this check, so it will not lead to inode use-after-free problem, every thing is OK besides this warning. The WARN_ON_ONCE was originally designed for finding inode use-after-free issues in advance, but if we add current dioread_nolock case in, it will become not quite useful, so fix this warning by just remove this check. ====== WARNING: CPU: 7 PID: 1092 at fs/ext4/inode.c:227 ext4_evict_inode+0x875/0xc60 ... RIP: 0010:ext4_evict_inode+0x875/0xc60 ... Call Trace: <TASK> evict+0x11c/0x2b0 iput+0x236/0x3a0 do_unlinkat+0x1b4/0x490 __x64_sys_unlinkat+0x4c/0xb0 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7fa933c1115b ====== rm kworker ext4_end_io_end() vfs_unlink() ext4_unlink() ext4_convert_unwritten_io_end_vec() ext4_convert_unwritten_extents() ext4_map_blocks() ext4_ext_map_blocks() ext4_ext_try_to_merge_up() __mark_inode_dirty() check !I_FREEING locked_inode_to_wb_and_lock_list() iput() iput_final() evict() ext4_evict_inode() truncate_inode_pages_final() //wait release io_end inode_io_list_move_locked() ext4_release_io_end() trigger WARN_ON_ONCE()

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/bdc698ce91f232fd5…
	https://git.kernel.org/stable/c/0d041b7251c13679a…
	https://git.kernel.org/stable/c/3b893cc9a8d8b4e48…
	https://git.kernel.org/stable/c/b085fb43feede48eb…
	https://git.kernel.org/stable/c/bc12ac98ea2e1b70a…

Impacted products

Vendor

Product

Version

Linux

Affected: ceff86fddae8748fe00d4f2d249cb02cae62ad84 , < bdc698ce91f232fd5eb11d2373e9f82f687314b8 (git)
Affected: ceff86fddae8748fe00d4f2d249cb02cae62ad84 , < 0d041b7251c13679a0f6c7926751ce1d8a7237c1 (git)
Affected: ceff86fddae8748fe00d4f2d249cb02cae62ad84 , < 3b893cc9a8d8b4e486a6639f5e107b56b7197d2e (git)
Affected: ceff86fddae8748fe00d4f2d249cb02cae62ad84 , < b085fb43feede48ebf80ab7e2dd150c8d9902932 (git)
Affected: ceff86fddae8748fe00d4f2d249cb02cae62ad84 , < bc12ac98ea2e1b70adc6478c8b473a0003b659d3 (git)

Linux

Affected: 5.8
Unaffected: 0 , < 5.8 (semver)
Unaffected: 5.10.163 , ≤ 5.10.* (semver)
Unaffected: 5.15.87 , ≤ 5.15.* (semver)
Unaffected: 6.0.18 , ≤ 6.0.* (semver)
Unaffected: 6.1.4 , ≤ 6.1.* (semver)
Unaffected: 6.2 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "bdc698ce91f232fd5eb11d2373e9f82f687314b8",
              "status": "affected",
              "version": "ceff86fddae8748fe00d4f2d249cb02cae62ad84",
              "versionType": "git"
            },
            {
              "lessThan": "0d041b7251c13679a0f6c7926751ce1d8a7237c1",
              "status": "affected",
              "version": "ceff86fddae8748fe00d4f2d249cb02cae62ad84",
              "versionType": "git"
            },
            {
              "lessThan": "3b893cc9a8d8b4e486a6639f5e107b56b7197d2e",
              "status": "affected",
              "version": "ceff86fddae8748fe00d4f2d249cb02cae62ad84",
              "versionType": "git"
            },
            {
              "lessThan": "b085fb43feede48ebf80ab7e2dd150c8d9902932",
              "status": "affected",
              "version": "ceff86fddae8748fe00d4f2d249cb02cae62ad84",
              "versionType": "git"
            },
            {
              "lessThan": "bc12ac98ea2e1b70adc6478c8b473a0003b659d3",
              "status": "affected",
              "version": "ceff86fddae8748fe00d4f2d249cb02cae62ad84",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.8"
            },
            {
              "lessThan": "5.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.163",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.163",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.87",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.18",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.4",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: silence the warning when evicting inode with dioread_nolock\n\nWhen evicting an inode with default dioread_nolock, it could be raced by\nthe unwritten extents converting kworker after writeback some new\nallocated dirty blocks. It convert unwritten extents to written, the\nextents could be merged to upper level and free extent blocks, so it\ncould mark the inode dirty again even this inode has been marked\nI_FREEING. But the inode-\u003ei_io_list check and warning in\next4_evict_inode() missing this corner case. Fortunately,\next4_evict_inode() will wait all extents converting finished before this\ncheck, so it will not lead to inode use-after-free problem, every thing\nis OK besides this warning. The WARN_ON_ONCE was originally designed\nfor finding inode use-after-free issues in advance, but if we add\ncurrent dioread_nolock case in, it will become not quite useful, so fix\nthis warning by just remove this check.\n\n ======\n WARNING: CPU: 7 PID: 1092 at fs/ext4/inode.c:227\n ext4_evict_inode+0x875/0xc60\n ...\n RIP: 0010:ext4_evict_inode+0x875/0xc60\n ...\n Call Trace:\n  \u003cTASK\u003e\n  evict+0x11c/0x2b0\n  iput+0x236/0x3a0\n  do_unlinkat+0x1b4/0x490\n  __x64_sys_unlinkat+0x4c/0xb0\n  do_syscall_64+0x3b/0x90\n  entry_SYSCALL_64_after_hwframe+0x46/0xb0\n RIP: 0033:0x7fa933c1115b\n ======\n\nrm                          kworker\n                            ext4_end_io_end()\nvfs_unlink()\n ext4_unlink()\n                             ext4_convert_unwritten_io_end_vec()\n                              ext4_convert_unwritten_extents()\n                               ext4_map_blocks()\n                                ext4_ext_map_blocks()\n                                 ext4_ext_try_to_merge_up()\n                                  __mark_inode_dirty()\n                                   check !I_FREEING\n                                   locked_inode_to_wb_and_lock_list()\n iput()\n  iput_final()\n   evict()\n    ext4_evict_inode()\n     truncate_inode_pages_final() //wait release io_end\n                                    inode_io_list_move_locked()\n                             ext4_release_io_end()\n     trigger WARN_ON_ONCE()"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-24T12:22:50.416Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/bdc698ce91f232fd5eb11d2373e9f82f687314b8"
        },
        {
          "url": "https://git.kernel.org/stable/c/0d041b7251c13679a0f6c7926751ce1d8a7237c1"
        },
        {
          "url": "https://git.kernel.org/stable/c/3b893cc9a8d8b4e486a6639f5e107b56b7197d2e"
        },
        {
          "url": "https://git.kernel.org/stable/c/b085fb43feede48ebf80ab7e2dd150c8d9902932"
        },
        {
          "url": "https://git.kernel.org/stable/c/bc12ac98ea2e1b70adc6478c8b473a0003b659d3"
        }
      ],
      "title": "ext4: silence the warning when evicting inode with dioread_nolock",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50730",
    "datePublished": "2025-12-24T12:22:50.416Z",
    "dateReserved": "2025-12-24T12:20:40.330Z",
    "dateUpdated": "2025-12-24T12:22:50.416Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-54110 (GCVE-0-2023-54110)

Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06

Title

usb: rndis_host: Secure rndis_query check against int overflow

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: rndis_host: Secure rndis_query check against int overflow Variables off and len typed as uint32 in rndis_query function are controlled by incoming RNDIS response message thus their value may be manipulated. Setting off to a unexpectetly large value will cause the sum with len and 8 to overflow and pass the implemented validation step. Consequently the response pointer will be referring to a location past the expected buffer boundaries allowing information leakage e.g. via RNDIS_OID_802_3_PERMANENT_ADDRESS OID.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/55782f6d63a5a3dd3…
	https://git.kernel.org/stable/c/02ffb4ecf0614c58e…
	https://git.kernel.org/stable/c/ebe6d2fcf7835f98c…
	https://git.kernel.org/stable/c/232ef345e5d76e554…
	https://git.kernel.org/stable/c/11cd4ec6359d90b13…
	https://git.kernel.org/stable/c/39eadaf5611ddd064…
	https://git.kernel.org/stable/c/a713602807f32afc0…
	https://git.kernel.org/stable/c/c7dd13805f8b8fc1c…

Impacted products

Vendor

Product

Version

Linux

Affected: ddda08624013e8435e9f7cfc34a35bd7b3520b6d , < 55782f6d63a5a3dd3b84c1e0627738fc5b146b4e (git)
Affected: ddda08624013e8435e9f7cfc34a35bd7b3520b6d , < 02ffb4ecf0614c58e3d0e5bfbe99588c9ddc77c0 (git)
Affected: ddda08624013e8435e9f7cfc34a35bd7b3520b6d , < ebe6d2fcf7835f98cdbb1bd5e0414be20c321578 (git)
Affected: ddda08624013e8435e9f7cfc34a35bd7b3520b6d , < 232ef345e5d76e5542f430a29658a85dbef07f0b (git)
Affected: ddda08624013e8435e9f7cfc34a35bd7b3520b6d , < 11cd4ec6359d90b13ffb8f85a9df8637f0cf8d95 (git)
Affected: ddda08624013e8435e9f7cfc34a35bd7b3520b6d , < 39eadaf5611ddd064ad1c53da65c02d2b0fe22a4 (git)
Affected: ddda08624013e8435e9f7cfc34a35bd7b3520b6d , < a713602807f32afc04add331410c77ef790ef77a (git)
Affected: ddda08624013e8435e9f7cfc34a35bd7b3520b6d , < c7dd13805f8b8fc1ce3b6d40f6aff47e66b72ad2 (git)

Linux

Affected: 2.6.22
Unaffected: 0 , < 2.6.22 (semver)
Unaffected: 4.14.303 , ≤ 4.14.* (semver)
Unaffected: 4.19.270 , ≤ 4.19.* (semver)
Unaffected: 5.4.229 , ≤ 5.4.* (semver)
Unaffected: 5.10.163 , ≤ 5.10.* (semver)
Unaffected: 5.15.87 , ≤ 5.15.* (semver)
Unaffected: 6.0.19 , ≤ 6.0.* (semver)
Unaffected: 6.1.5 , ≤ 6.1.* (semver)
Unaffected: 6.2 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/usb/rndis_host.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "55782f6d63a5a3dd3b84c1e0627738fc5b146b4e",
              "status": "affected",
              "version": "ddda08624013e8435e9f7cfc34a35bd7b3520b6d",
              "versionType": "git"
            },
            {
              "lessThan": "02ffb4ecf0614c58e3d0e5bfbe99588c9ddc77c0",
              "status": "affected",
              "version": "ddda08624013e8435e9f7cfc34a35bd7b3520b6d",
              "versionType": "git"
            },
            {
              "lessThan": "ebe6d2fcf7835f98cdbb1bd5e0414be20c321578",
              "status": "affected",
              "version": "ddda08624013e8435e9f7cfc34a35bd7b3520b6d",
              "versionType": "git"
            },
            {
              "lessThan": "232ef345e5d76e5542f430a29658a85dbef07f0b",
              "status": "affected",
              "version": "ddda08624013e8435e9f7cfc34a35bd7b3520b6d",
              "versionType": "git"
            },
            {
              "lessThan": "11cd4ec6359d90b13ffb8f85a9df8637f0cf8d95",
              "status": "affected",
              "version": "ddda08624013e8435e9f7cfc34a35bd7b3520b6d",
              "versionType": "git"
            },
            {
              "lessThan": "39eadaf5611ddd064ad1c53da65c02d2b0fe22a4",
              "status": "affected",
              "version": "ddda08624013e8435e9f7cfc34a35bd7b3520b6d",
              "versionType": "git"
            },
            {
              "lessThan": "a713602807f32afc04add331410c77ef790ef77a",
              "status": "affected",
              "version": "ddda08624013e8435e9f7cfc34a35bd7b3520b6d",
              "versionType": "git"
            },
            {
              "lessThan": "c7dd13805f8b8fc1ce3b6d40f6aff47e66b72ad2",
              "status": "affected",
              "version": "ddda08624013e8435e9f7cfc34a35bd7b3520b6d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/usb/rndis_host.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.22"
            },
            {
              "lessThan": "2.6.22",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.303",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.270",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.229",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.163",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.303",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.270",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.229",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.163",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.87",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.19",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.5",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: rndis_host: Secure rndis_query check against int overflow\n\nVariables off and len typed as uint32 in rndis_query function\nare controlled by incoming RNDIS response message thus their\nvalue may be manipulated. Setting off to a unexpectetly large\nvalue will cause the sum with len and 8 to overflow and pass\nthe implemented validation step. Consequently the response\npointer will be referring to a location past the expected\nbuffer boundaries allowing information leakage e.g. via\nRNDIS_OID_802_3_PERMANENT_ADDRESS OID."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-24T13:06:33.495Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/55782f6d63a5a3dd3b84c1e0627738fc5b146b4e"
        },
        {
          "url": "https://git.kernel.org/stable/c/02ffb4ecf0614c58e3d0e5bfbe99588c9ddc77c0"
        },
        {
          "url": "https://git.kernel.org/stable/c/ebe6d2fcf7835f98cdbb1bd5e0414be20c321578"
        },
        {
          "url": "https://git.kernel.org/stable/c/232ef345e5d76e5542f430a29658a85dbef07f0b"
        },
        {
          "url": "https://git.kernel.org/stable/c/11cd4ec6359d90b13ffb8f85a9df8637f0cf8d95"
        },
        {
          "url": "https://git.kernel.org/stable/c/39eadaf5611ddd064ad1c53da65c02d2b0fe22a4"
        },
        {
          "url": "https://git.kernel.org/stable/c/a713602807f32afc04add331410c77ef790ef77a"
        },
        {
          "url": "https://git.kernel.org/stable/c/c7dd13805f8b8fc1ce3b6d40f6aff47e66b72ad2"
        }
      ],
      "title": "usb: rndis_host: Secure rndis_query check against int overflow",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-54110",
    "datePublished": "2025-12-24T13:06:33.495Z",
    "dateReserved": "2025-12-24T13:02:52.518Z",
    "dateUpdated": "2025-12-24T13:06:33.495Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40360 (GCVE-0-2025-40360)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:39 – Updated: 2025-12-16 13:39

Title

drm/sysfb: Do not dereference NULL pointer in plane reset

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/sysfb: Do not dereference NULL pointer in plane reset The plane state in __drm_gem_reset_shadow_plane() can be NULL. Do not deref that pointer, but forward NULL to the other plane-reset helpers. Clears plane->state to NULL. v2: - fix typo in commit description (Javier)

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/6abeff03cb79a2c7f…
	https://git.kernel.org/stable/c/c4faf7f417eea8b8d…
	https://git.kernel.org/stable/c/b61ed8005bd310251…
	https://git.kernel.org/stable/c/6bdef5648a60e49d4…
	https://git.kernel.org/stable/c/c7d5e69866bbe95c1…
	https://git.kernel.org/stable/c/14e02ed3876f4ab0e…

Impacted products

Vendor

Product

Version

Linux

Affected: b715650220311e50448cb499c71084ca8aeeeece , < 6abeff03cb79a2c7f4554a8e8738acd35bb37152 (git)
Affected: b715650220311e50448cb499c71084ca8aeeeece , < c4faf7f417eea8b8d5cc570a1015736f307aa2d5 (git)
Affected: b715650220311e50448cb499c71084ca8aeeeece , < b61ed8005bd3102510fab5015ac6a275c9c5ea16 (git)
Affected: b715650220311e50448cb499c71084ca8aeeeece , < 6bdef5648a60e49d4a3b02461ab7ae3776877e77 (git)
Affected: b715650220311e50448cb499c71084ca8aeeeece , < c7d5e69866bbe95c1e4ab4c10a81e0a02d9ea232 (git)
Affected: b715650220311e50448cb499c71084ca8aeeeece , < 14e02ed3876f4ab0ed6d3f41972175f8b8df3d70 (git)

Linux

Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/drm_gem_atomic_helper.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6abeff03cb79a2c7f4554a8e8738acd35bb37152",
              "status": "affected",
              "version": "b715650220311e50448cb499c71084ca8aeeeece",
              "versionType": "git"
            },
            {
              "lessThan": "c4faf7f417eea8b8d5cc570a1015736f307aa2d5",
              "status": "affected",
              "version": "b715650220311e50448cb499c71084ca8aeeeece",
              "versionType": "git"
            },
            {
              "lessThan": "b61ed8005bd3102510fab5015ac6a275c9c5ea16",
              "status": "affected",
              "version": "b715650220311e50448cb499c71084ca8aeeeece",
              "versionType": "git"
            },
            {
              "lessThan": "6bdef5648a60e49d4a3b02461ab7ae3776877e77",
              "status": "affected",
              "version": "b715650220311e50448cb499c71084ca8aeeeece",
              "versionType": "git"
            },
            {
              "lessThan": "c7d5e69866bbe95c1e4ab4c10a81e0a02d9ea232",
              "status": "affected",
              "version": "b715650220311e50448cb499c71084ca8aeeeece",
              "versionType": "git"
            },
            {
              "lessThan": "14e02ed3876f4ab0ed6d3f41972175f8b8df3d70",
              "status": "affected",
              "version": "b715650220311e50448cb499c71084ca8aeeeece",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/drm_gem_atomic_helper.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/sysfb: Do not dereference NULL pointer in plane reset\n\nThe plane state in __drm_gem_reset_shadow_plane() can be NULL. Do not\nderef that pointer, but forward NULL to the other plane-reset helpers.\nClears plane-\u003estate to NULL.\n\nv2:\n- fix typo in commit description (Javier)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T13:39:59.490Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6abeff03cb79a2c7f4554a8e8738acd35bb37152"
        },
        {
          "url": "https://git.kernel.org/stable/c/c4faf7f417eea8b8d5cc570a1015736f307aa2d5"
        },
        {
          "url": "https://git.kernel.org/stable/c/b61ed8005bd3102510fab5015ac6a275c9c5ea16"
        },
        {
          "url": "https://git.kernel.org/stable/c/6bdef5648a60e49d4a3b02461ab7ae3776877e77"
        },
        {
          "url": "https://git.kernel.org/stable/c/c7d5e69866bbe95c1e4ab4c10a81e0a02d9ea232"
        },
        {
          "url": "https://git.kernel.org/stable/c/14e02ed3876f4ab0ed6d3f41972175f8b8df3d70"
        }
      ],
      "title": "drm/sysfb: Do not dereference NULL pointer in plane reset",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40360",
    "datePublished": "2025-12-16T13:39:59.490Z",
    "dateReserved": "2025-04-16T07:20:57.187Z",
    "dateUpdated": "2025-12-16T13:39:59.490Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68351 (GCVE-0-2025-68351)

Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-01-30 15:35

Title

exfat: fix refcount leak in exfat_find

Summary

In the Linux kernel, the following vulnerability has been resolved: exfat: fix refcount leak in exfat_find Fix refcount leaks in `exfat_find` related to `exfat_get_dentry_set`. Function `exfat_get_dentry_set` would increase the reference counter of `es->bh` on success. Therefore, `exfat_put_dentry_set` must be called after `exfat_get_dentry_set` to ensure refcount consistency. This patch relocate two checks to avoid possible leaks.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/fc9ce762525e73438…
	https://git.kernel.org/stable/c/d009ff8959d28d2a3…
	https://git.kernel.org/stable/c/9aee8de970f18c2aa…

Impacted products

Vendor

Product

Version

Linux

Affected: 92075758782c5edb4c67d0da9e47586a624c22f7 , < fc9ce762525e73438d31b613f18bca92a4d3d578 (git)
Affected: 13940cef95491472760ca261b6713692ece9b946 , < d009ff8959d28d2a33aeb96a5f7e7161c421d78f (git)
Affected: 13940cef95491472760ca261b6713692ece9b946 , < 9aee8de970f18c2aaaa348e3de86c38e2d956c1d (git)
Affected: 0c8a1d2afd0dce0ea9257ab8c2271d8db6cb575d (git)
Affected: 6c627bcc1896ba62ec793d0c00da74f3c93ce3ad (git)

Linux

Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 6.12.68 , ≤ 6.12.* (semver)
Unaffected: 6.18.2 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/exfat/namei.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fc9ce762525e73438d31b613f18bca92a4d3d578",
              "status": "affected",
              "version": "92075758782c5edb4c67d0da9e47586a624c22f7",
              "versionType": "git"
            },
            {
              "lessThan": "d009ff8959d28d2a33aeb96a5f7e7161c421d78f",
              "status": "affected",
              "version": "13940cef95491472760ca261b6713692ece9b946",
              "versionType": "git"
            },
            {
              "lessThan": "9aee8de970f18c2aaaa348e3de86c38e2d956c1d",
              "status": "affected",
              "version": "13940cef95491472760ca261b6713692ece9b946",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "0c8a1d2afd0dce0ea9257ab8c2271d8db6cb575d",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "6c627bcc1896ba62ec793d0c00da74f3c93ce3ad",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/exfat/namei.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.68",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.68",
                  "versionStartIncluding": "6.12.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.2",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.13.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.12.59",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix refcount leak in exfat_find\n\nFix refcount leaks in `exfat_find` related to `exfat_get_dentry_set`.\n\nFunction `exfat_get_dentry_set` would increase the reference counter of\n`es-\u003ebh` on success. Therefore, `exfat_put_dentry_set` must be called\nafter `exfat_get_dentry_set` to ensure refcount consistency. This patch\nrelocate two checks to avoid possible leaks."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-30T15:35:37.238Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fc9ce762525e73438d31b613f18bca92a4d3d578"
        },
        {
          "url": "https://git.kernel.org/stable/c/d009ff8959d28d2a33aeb96a5f7e7161c421d78f"
        },
        {
          "url": "https://git.kernel.org/stable/c/9aee8de970f18c2aaaa348e3de86c38e2d956c1d"
        }
      ],
      "title": "exfat: fix refcount leak in exfat_find",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68351",
    "datePublished": "2025-12-24T10:32:42.683Z",
    "dateReserved": "2025-12-16T14:48:05.300Z",
    "dateUpdated": "2026-01-30T15:35:37.238Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40262 (GCVE-0-2025-40262)

Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-06 21:39

Title

Input: imx_sc_key - fix memory corruption on unload

Summary

In the Linux kernel, the following vulnerability has been resolved: Input: imx_sc_key - fix memory corruption on unload This is supposed to be "priv" but we accidentally pass "&priv" which is an address in the stack and so it will lead to memory corruption when the imx_sc_key_action() function is called. Remove the &.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/3e96803b169dc9488…
	https://git.kernel.org/stable/c/4ce5218b101205b34…
	https://git.kernel.org/stable/c/a155292c3ce722036…
	https://git.kernel.org/stable/c/ca9a08de9b2944223…
	https://git.kernel.org/stable/c/56881294915a6e866…
	https://git.kernel.org/stable/c/6524a15d33951b18a…
	https://git.kernel.org/stable/c/d83f1512758f4ef6f…

Impacted products

Vendor

Product

Version

Linux

Affected: 768062fd1284529212daffd360314e9aa93abb62 , < 3e96803b169dc948847f0fc2bae729a80914eb7b (git)
Affected: 768062fd1284529212daffd360314e9aa93abb62 , < 4ce5218b101205b3425099fe3df88a61b58f9cc2 (git)
Affected: 768062fd1284529212daffd360314e9aa93abb62 , < a155292c3ce722036014da5477ee0e4c87b5e6b3 (git)
Affected: 768062fd1284529212daffd360314e9aa93abb62 , < ca9a08de9b294422376f47ade323d69590dbc6f2 (git)
Affected: 768062fd1284529212daffd360314e9aa93abb62 , < 56881294915a6e866d31a46f9bcb5e19167cfbaa (git)
Affected: 768062fd1284529212daffd360314e9aa93abb62 , < 6524a15d33951b18ac408ebbcb9c16e14e21c336 (git)
Affected: 768062fd1284529212daffd360314e9aa93abb62 , < d83f1512758f4ef6fc5e83219fe7eeeb6b428ea4 (git)

Linux

Affected: 5.8
Unaffected: 0 , < 5.8 (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.118 , ≤ 6.6.* (semver)
Unaffected: 6.12.60 , ≤ 6.12.* (semver)
Unaffected: 6.17.10 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/input/keyboard/imx_sc_key.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3e96803b169dc948847f0fc2bae729a80914eb7b",
              "status": "affected",
              "version": "768062fd1284529212daffd360314e9aa93abb62",
              "versionType": "git"
            },
            {
              "lessThan": "4ce5218b101205b3425099fe3df88a61b58f9cc2",
              "status": "affected",
              "version": "768062fd1284529212daffd360314e9aa93abb62",
              "versionType": "git"
            },
            {
              "lessThan": "a155292c3ce722036014da5477ee0e4c87b5e6b3",
              "status": "affected",
              "version": "768062fd1284529212daffd360314e9aa93abb62",
              "versionType": "git"
            },
            {
              "lessThan": "ca9a08de9b294422376f47ade323d69590dbc6f2",
              "status": "affected",
              "version": "768062fd1284529212daffd360314e9aa93abb62",
              "versionType": "git"
            },
            {
              "lessThan": "56881294915a6e866d31a46f9bcb5e19167cfbaa",
              "status": "affected",
              "version": "768062fd1284529212daffd360314e9aa93abb62",
              "versionType": "git"
            },
            {
              "lessThan": "6524a15d33951b18ac408ebbcb9c16e14e21c336",
              "status": "affected",
              "version": "768062fd1284529212daffd360314e9aa93abb62",
              "versionType": "git"
            },
            {
              "lessThan": "d83f1512758f4ef6fc5e83219fe7eeeb6b428ea4",
              "status": "affected",
              "version": "768062fd1284529212daffd360314e9aa93abb62",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/input/keyboard/imx_sc_key.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.8"
            },
            {
              "lessThan": "5.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.118",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.60",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.118",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.60",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.10",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: imx_sc_key - fix memory corruption on unload\n\nThis is supposed to be \"priv\" but we accidentally pass \"\u0026priv\" which is\nan address in the stack and so it will lead to memory corruption when\nthe imx_sc_key_action() function is called.  Remove the \u0026."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-06T21:39:03.159Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3e96803b169dc948847f0fc2bae729a80914eb7b"
        },
        {
          "url": "https://git.kernel.org/stable/c/4ce5218b101205b3425099fe3df88a61b58f9cc2"
        },
        {
          "url": "https://git.kernel.org/stable/c/a155292c3ce722036014da5477ee0e4c87b5e6b3"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca9a08de9b294422376f47ade323d69590dbc6f2"
        },
        {
          "url": "https://git.kernel.org/stable/c/56881294915a6e866d31a46f9bcb5e19167cfbaa"
        },
        {
          "url": "https://git.kernel.org/stable/c/6524a15d33951b18ac408ebbcb9c16e14e21c336"
        },
        {
          "url": "https://git.kernel.org/stable/c/d83f1512758f4ef6fc5e83219fe7eeeb6b428ea4"
        }
      ],
      "title": "Input: imx_sc_key - fix memory corruption on unload",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40262",
    "datePublished": "2025-12-04T16:08:22.043Z",
    "dateReserved": "2025-04-16T07:20:57.182Z",
    "dateUpdated": "2025-12-06T21:39:03.159Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40355 (GCVE-0-2025-40355)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:30 – Updated: 2025-12-16 13:30

Title

sysfs: check visibility before changing group attribute ownership

Summary

In the Linux kernel, the following vulnerability has been resolved: sysfs: check visibility before changing group attribute ownership Since commit 0c17270f9b92 ("net: sysfs: Implement is_visible for phys_(port_id, port_name, switch_id)"), __dev_change_net_namespace() can hit WARN_ON() when trying to change owner of a file that isn't visible. See the trace below: WARNING: CPU: 6 PID: 2938 at net/core/dev.c:12410 __dev_change_net_namespace+0xb89/0xc30 CPU: 6 UID: 0 PID: 2938 Comm: incusd Not tainted 6.17.1-1-mainline #1 PREEMPT(full) 4b783b4a638669fb644857f484487d17cb45ed1f Hardware name: Framework Laptop 13 (AMD Ryzen 7040Series)/FRANMDCP07, BIOS 03.07 02/19/2025 RIP: 0010:__dev_change_net_namespace+0xb89/0xc30 [...] Call Trace: <TASK> ? if6_seq_show+0x30/0x50 do_setlink.isra.0+0xc7/0x1270 ? __nla_validate_parse+0x5c/0xcc0 ? security_capable+0x94/0x1a0 rtnl_newlink+0x858/0xc20 ? update_curr+0x8e/0x1c0 ? update_entity_lag+0x71/0x80 ? sched_balance_newidle+0x358/0x450 ? psi_task_switch+0x113/0x2a0 ? __pfx_rtnl_newlink+0x10/0x10 rtnetlink_rcv_msg+0x346/0x3e0 ? sched_clock+0x10/0x30 ? __pfx_rtnetlink_rcv_msg+0x10/0x10 netlink_rcv_skb+0x59/0x110 netlink_unicast+0x285/0x3c0 ? __alloc_skb+0xdb/0x1a0 netlink_sendmsg+0x20d/0x430 ____sys_sendmsg+0x39f/0x3d0 ? import_iovec+0x2f/0x40 ___sys_sendmsg+0x99/0xe0 __sys_sendmsg+0x8a/0xf0 do_syscall_64+0x81/0x970 ? __sys_bind+0xe3/0x110 ? syscall_exit_work+0x143/0x1b0 ? do_syscall_64+0x244/0x970 ? sock_alloc_file+0x63/0xc0 ? syscall_exit_work+0x143/0x1b0 ? do_syscall_64+0x244/0x970 ? alloc_fd+0x12e/0x190 ? put_unused_fd+0x2a/0x70 ? do_sys_openat2+0xa2/0xe0 ? syscall_exit_work+0x143/0x1b0 ? do_syscall_64+0x244/0x970 ? exc_page_fault+0x7e/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e [...] </TASK> Fix this by checking is_visible() before trying to touch the attribute.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ac2c526e103285d80…
	https://git.kernel.org/stable/c/c7fbb8218b4ad35fe…

Impacted products

Vendor

Product

Version

Linux

Affected: 303a42769c4c4d8e5e3ad928df87eb36f8c1fa60 , < ac2c526e103285d80a0330b91a318f6c9276d35a (git)
Affected: 303a42769c4c4d8e5e3ad928df87eb36f8c1fa60 , < c7fbb8218b4ad35fec0bd2256d2b9c8d60331f33 (git)

Linux

Affected: 5.7
Unaffected: 0 , < 5.7 (semver)
Unaffected: 6.17.6 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/sysfs/group.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ac2c526e103285d80a0330b91a318f6c9276d35a",
              "status": "affected",
              "version": "303a42769c4c4d8e5e3ad928df87eb36f8c1fa60",
              "versionType": "git"
            },
            {
              "lessThan": "c7fbb8218b4ad35fec0bd2256d2b9c8d60331f33",
              "status": "affected",
              "version": "303a42769c4c4d8e5e3ad928df87eb36f8c1fa60",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/sysfs/group.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.6",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsysfs: check visibility before changing group attribute ownership\n\nSince commit 0c17270f9b92 (\"net: sysfs: Implement is_visible for\nphys_(port_id, port_name, switch_id)\"), __dev_change_net_namespace() can\nhit WARN_ON() when trying to change owner of a file that isn\u0027t visible.\nSee the trace below:\n\n WARNING: CPU: 6 PID: 2938 at net/core/dev.c:12410 __dev_change_net_namespace+0xb89/0xc30\n CPU: 6 UID: 0 PID: 2938 Comm: incusd Not tainted 6.17.1-1-mainline #1 PREEMPT(full)  4b783b4a638669fb644857f484487d17cb45ed1f\n Hardware name: Framework Laptop 13 (AMD Ryzen 7040Series)/FRANMDCP07, BIOS 03.07 02/19/2025\n RIP: 0010:__dev_change_net_namespace+0xb89/0xc30\n [...]\n Call Trace:\n  \u003cTASK\u003e\n  ? if6_seq_show+0x30/0x50\n  do_setlink.isra.0+0xc7/0x1270\n  ? __nla_validate_parse+0x5c/0xcc0\n  ? security_capable+0x94/0x1a0\n  rtnl_newlink+0x858/0xc20\n  ? update_curr+0x8e/0x1c0\n  ? update_entity_lag+0x71/0x80\n  ? sched_balance_newidle+0x358/0x450\n  ? psi_task_switch+0x113/0x2a0\n  ? __pfx_rtnl_newlink+0x10/0x10\n  rtnetlink_rcv_msg+0x346/0x3e0\n  ? sched_clock+0x10/0x30\n  ? __pfx_rtnetlink_rcv_msg+0x10/0x10\n  netlink_rcv_skb+0x59/0x110\n  netlink_unicast+0x285/0x3c0\n  ? __alloc_skb+0xdb/0x1a0\n  netlink_sendmsg+0x20d/0x430\n  ____sys_sendmsg+0x39f/0x3d0\n  ? import_iovec+0x2f/0x40\n  ___sys_sendmsg+0x99/0xe0\n  __sys_sendmsg+0x8a/0xf0\n  do_syscall_64+0x81/0x970\n  ? __sys_bind+0xe3/0x110\n  ? syscall_exit_work+0x143/0x1b0\n  ? do_syscall_64+0x244/0x970\n  ? sock_alloc_file+0x63/0xc0\n  ? syscall_exit_work+0x143/0x1b0\n  ? do_syscall_64+0x244/0x970\n  ? alloc_fd+0x12e/0x190\n  ? put_unused_fd+0x2a/0x70\n  ? do_sys_openat2+0xa2/0xe0\n  ? syscall_exit_work+0x143/0x1b0\n  ? do_syscall_64+0x244/0x970\n  ? exc_page_fault+0x7e/0x1a0\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [...]\n  \u003c/TASK\u003e\n\nFix this by checking is_visible() before trying to touch the attribute."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T13:30:28.017Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ac2c526e103285d80a0330b91a318f6c9276d35a"
        },
        {
          "url": "https://git.kernel.org/stable/c/c7fbb8218b4ad35fec0bd2256d2b9c8d60331f33"
        }
      ],
      "title": "sysfs: check visibility before changing group attribute ownership",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40355",
    "datePublished": "2025-12-16T13:30:28.017Z",
    "dateReserved": "2025-04-16T07:20:57.187Z",
    "dateUpdated": "2025-12-16T13:30:28.017Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-49272 (GCVE-0-2022-49272)

Vulnerability from cvelistv5 – Published: 2025-02-26 01:56 – Updated: 2025-05-04 08:33

Title

ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock

Summary

In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock syzbot caught a potential deadlock between the PCM runtime->buffer_mutex and the mm->mmap_lock. It was brought by the recent fix to cover the racy read/write and other ioctls, and in that commit, I overlooked a (hopefully only) corner case that may take the revert lock, namely, the OSS mmap. The OSS mmap operation exceptionally allows to re-configure the parameters inside the OSS mmap syscall, where mm->mmap_mutex is already held. Meanwhile, the copy_from/to_user calls at read/write operations also take the mm->mmap_lock internally, hence it may lead to a AB/BA deadlock. A similar problem was already seen in the past and we fixed it with a refcount (in commit b248371628aa). The former fix covered only the call paths with OSS read/write and OSS ioctls, while we need to cover the concurrent access via both ALSA and OSS APIs now. This patch addresses the problem above by replacing the buffer_mutex lock in the read/write operations with a refcount similar as we've used for OSS. The new field, runtime->buffer_accessing, keeps the number of concurrent read/write operations. Unlike the former buffer_mutex protection, this protects only around the copy_from/to_user() calls; the other codes are basically protected by the PCM stream lock. The refcount can be a negative, meaning blocked by the ioctls. If a negative value is seen, the read/write aborts with -EBUSY. In the ioctl side, OTOH, they check this refcount, too, and set to a negative value for blocking unless it's already being accessed.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7e9133607e1501c94…
	https://git.kernel.org/stable/c/40f4cffbe13a51faf…
	https://git.kernel.org/stable/c/9661bf674d6a82b76…
	https://git.kernel.org/stable/c/9017201e8d8c6d147…
	https://git.kernel.org/stable/c/7777744e92a0b30e3…
	https://git.kernel.org/stable/c/abedf0d08c79d76da…
	https://git.kernel.org/stable/c/be9813ad2fc8f0885…
	https://git.kernel.org/stable/c/bc55cfd5718c7c23e…

Impacted products

Vendor

Product

Version

Linux

Affected: 73867cb2bc7dfa7fbd219e53a0b68d253d8fda09 , < 7e9133607e1501c94881be35e118d8f84d96dcb4 (git)
Affected: b3830197aa7413c65767cf5a1aa8775c83f0dbf7 , < 40f4cffbe13a51faf136faf5f9ef6847782cd595 (git)
Affected: 08d1807f097a63ea00a7067dad89c1c81cb2115e , < 9661bf674d6a82b76e4ae424438a8ce1e3ed855d (git)
Affected: 8527c8f052fb42091c6569cb928e472376a4a889 , < 9017201e8d8c6d1472273361389ed431188584a0 (git)
Affected: 47711ff10c7e126702cfa725f6d86ef529d15a5f , < 7777744e92a0b30e3e0cce2758d911837011ebd9 (git)
Affected: 4d1b0ace2d56dc27cc4921eda7fae57f77f03eb5 , < abedf0d08c79d76da0d6fa0d5dbbc98871dcbc2e (git)
Affected: dd2f8c684da3e226e5ec7a81c89ff5fd4a957a03 , < be9813ad2fc8f0885f5ce6925af0d993ce5da4e5 (git)
Affected: dca947d4d26dbf925a64a6cfb2ddbc035e831a3d , < bc55cfd5718c7c23e5524582e9fa70b4d10f2433 (git)

Linux

Affected: 5.10.109 , < 5.10.110 (semver)
Affected: 5.15.32 , < 5.15.33 (semver)
Affected: 5.16.18 , < 5.16.19 (semver)
Affected: 5.17.1 , < 5.17.2 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/sound/pcm.h",
            "sound/core/pcm.c",
            "sound/core/pcm_lib.c",
            "sound/core/pcm_native.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7e9133607e1501c94881be35e118d8f84d96dcb4",
              "status": "affected",
              "version": "73867cb2bc7dfa7fbd219e53a0b68d253d8fda09",
              "versionType": "git"
            },
            {
              "lessThan": "40f4cffbe13a51faf136faf5f9ef6847782cd595",
              "status": "affected",
              "version": "b3830197aa7413c65767cf5a1aa8775c83f0dbf7",
              "versionType": "git"
            },
            {
              "lessThan": "9661bf674d6a82b76e4ae424438a8ce1e3ed855d",
              "status": "affected",
              "version": "08d1807f097a63ea00a7067dad89c1c81cb2115e",
              "versionType": "git"
            },
            {
              "lessThan": "9017201e8d8c6d1472273361389ed431188584a0",
              "status": "affected",
              "version": "8527c8f052fb42091c6569cb928e472376a4a889",
              "versionType": "git"
            },
            {
              "lessThan": "7777744e92a0b30e3e0cce2758d911837011ebd9",
              "status": "affected",
              "version": "47711ff10c7e126702cfa725f6d86ef529d15a5f",
              "versionType": "git"
            },
            {
              "lessThan": "abedf0d08c79d76da0d6fa0d5dbbc98871dcbc2e",
              "status": "affected",
              "version": "4d1b0ace2d56dc27cc4921eda7fae57f77f03eb5",
              "versionType": "git"
            },
            {
              "lessThan": "be9813ad2fc8f0885f5ce6925af0d993ce5da4e5",
              "status": "affected",
              "version": "dd2f8c684da3e226e5ec7a81c89ff5fd4a957a03",
              "versionType": "git"
            },
            {
              "lessThan": "bc55cfd5718c7c23e5524582e9fa70b4d10f2433",
              "status": "affected",
              "version": "dca947d4d26dbf925a64a6cfb2ddbc035e831a3d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/sound/pcm.h",
            "sound/core/pcm.c",
            "sound/core/pcm_lib.c",
            "sound/core/pcm_native.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5.10.110",
              "status": "affected",
              "version": "5.10.109",
              "versionType": "semver"
            },
            {
              "lessThan": "5.15.33",
              "status": "affected",
              "version": "5.15.32",
              "versionType": "semver"
            },
            {
              "lessThan": "5.16.19",
              "status": "affected",
              "version": "5.16.18",
              "versionType": "semver"
            },
            {
              "lessThan": "5.17.2",
              "status": "affected",
              "version": "5.17.1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.110",
                  "versionStartIncluding": "5.10.109",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.33",
                  "versionStartIncluding": "5.15.32",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.16.19",
                  "versionStartIncluding": "5.16.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.17.2",
                  "versionStartIncluding": "5.17.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock\n\nsyzbot caught a potential deadlock between the PCM\nruntime-\u003ebuffer_mutex and the mm-\u003emmap_lock.  It was brought by the\nrecent fix to cover the racy read/write and other ioctls, and in that\ncommit, I overlooked a (hopefully only) corner case that may take the\nrevert lock, namely, the OSS mmap.  The OSS mmap operation\nexceptionally allows to re-configure the parameters inside the OSS\nmmap syscall, where mm-\u003emmap_mutex is already held.  Meanwhile, the\ncopy_from/to_user calls at read/write operations also take the\nmm-\u003emmap_lock internally, hence it may lead to a AB/BA deadlock.\n\nA similar problem was already seen in the past and we fixed it with a\nrefcount (in commit b248371628aa).  The former fix covered only the\ncall paths with OSS read/write and OSS ioctls, while we need to cover\nthe concurrent access via both ALSA and OSS APIs now.\n\nThis patch addresses the problem above by replacing the buffer_mutex\nlock in the read/write operations with a refcount similar as we\u0027ve\nused for OSS.  The new field, runtime-\u003ebuffer_accessing, keeps the\nnumber of concurrent read/write operations.  Unlike the former\nbuffer_mutex protection, this protects only around the\ncopy_from/to_user() calls; the other codes are basically protected by\nthe PCM stream lock.  The refcount can be a negative, meaning blocked\nby the ioctls.  If a negative value is seen, the read/write aborts\nwith -EBUSY.  In the ioctl side, OTOH, they check this refcount, too,\nand set to a negative value for blocking unless it\u0027s already being\naccessed."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T08:33:54.705Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7e9133607e1501c94881be35e118d8f84d96dcb4"
        },
        {
          "url": "https://git.kernel.org/stable/c/40f4cffbe13a51faf136faf5f9ef6847782cd595"
        },
        {
          "url": "https://git.kernel.org/stable/c/9661bf674d6a82b76e4ae424438a8ce1e3ed855d"
        },
        {
          "url": "https://git.kernel.org/stable/c/9017201e8d8c6d1472273361389ed431188584a0"
        },
        {
          "url": "https://git.kernel.org/stable/c/7777744e92a0b30e3e0cce2758d911837011ebd9"
        },
        {
          "url": "https://git.kernel.org/stable/c/abedf0d08c79d76da0d6fa0d5dbbc98871dcbc2e"
        },
        {
          "url": "https://git.kernel.org/stable/c/be9813ad2fc8f0885f5ce6925af0d993ce5da4e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/bc55cfd5718c7c23e5524582e9fa70b4d10f2433"
        }
      ],
      "title": "ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49272",
    "datePublished": "2025-02-26T01:56:18.626Z",
    "dateReserved": "2025-02-26T01:49:39.297Z",
    "dateUpdated": "2025-05-04T08:33:54.705Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-40272 (GCVE-0-2025-40272)

Vulnerability from cvelistv5 – Published: 2025-12-06 21:50 – Updated: 2025-12-06 21:50

Title

mm/secretmem: fix use-after-free race in fault handler

Summary

In the Linux kernel, the following vulnerability has been resolved: mm/secretmem: fix use-after-free race in fault handler When a page fault occurs in a secret memory file created with `memfd_secret(2)`, the kernel will allocate a new folio for it, mark the underlying page as not-present in the direct map, and add it to the file mapping. If two tasks cause a fault in the same page concurrently, both could end up allocating a folio and removing the page from the direct map, but only one would succeed in adding the folio to the file mapping. The task that failed undoes the effects of its attempt by (a) freeing the folio again and (b) putting the page back into the direct map. However, by doing these two operations in this order, the page becomes available to the allocator again before it is placed back in the direct mapping. If another task attempts to allocate the page between (a) and (b), and the kernel tries to access it via the direct map, it would result in a supervisor not-present page fault. Fix the ordering to restore the direct map before the folio is freed.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/bb1c19636aedae393…
	https://git.kernel.org/stable/c/1e4643d6628edf9c0…
	https://git.kernel.org/stable/c/42d486d35a4143cc3…
	https://git.kernel.org/stable/c/52f2d5cf33de9a8f5…
	https://git.kernel.org/stable/c/4444767e625da4600…
	https://git.kernel.org/stable/c/6f86d0534fddfbd08…

Impacted products

Vendor

Product

Version

Linux

Affected: 1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 , < bb1c19636aedae39360e6fdbcaef4f2bcff25785 (git)
Affected: 1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 , < 1e4643d6628edf9c0047b1f8f5bc574665025acb (git)
Affected: 1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 , < 42d486d35a4143cc37fc72ee66edc99d942dd367 (git)
Affected: 1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 , < 52f2d5cf33de9a8f5e72bbb0ed38282ae0bc4649 (git)
Affected: 1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 , < 4444767e625da46009fc94a453fd1967b80ba047 (git)
Affected: 1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 , < 6f86d0534fddfbd08687fa0f01479d4226bc3c3d (git)

Linux

Affected: 5.14
Unaffected: 0 , < 5.14 (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.59 , ≤ 6.12.* (semver)
Unaffected: 6.17.9 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/secretmem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "bb1c19636aedae39360e6fdbcaef4f2bcff25785",
              "status": "affected",
              "version": "1507f51255c9ff07d75909a84e7c0d7f3c4b2f49",
              "versionType": "git"
            },
            {
              "lessThan": "1e4643d6628edf9c0047b1f8f5bc574665025acb",
              "status": "affected",
              "version": "1507f51255c9ff07d75909a84e7c0d7f3c4b2f49",
              "versionType": "git"
            },
            {
              "lessThan": "42d486d35a4143cc37fc72ee66edc99d942dd367",
              "status": "affected",
              "version": "1507f51255c9ff07d75909a84e7c0d7f3c4b2f49",
              "versionType": "git"
            },
            {
              "lessThan": "52f2d5cf33de9a8f5e72bbb0ed38282ae0bc4649",
              "status": "affected",
              "version": "1507f51255c9ff07d75909a84e7c0d7f3c4b2f49",
              "versionType": "git"
            },
            {
              "lessThan": "4444767e625da46009fc94a453fd1967b80ba047",
              "status": "affected",
              "version": "1507f51255c9ff07d75909a84e7c0d7f3c4b2f49",
              "versionType": "git"
            },
            {
              "lessThan": "6f86d0534fddfbd08687fa0f01479d4226bc3c3d",
              "status": "affected",
              "version": "1507f51255c9ff07d75909a84e7c0d7f3c4b2f49",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/secretmem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/secretmem: fix use-after-free race in fault handler\n\nWhen a page fault occurs in a secret memory file created with\n`memfd_secret(2)`, the kernel will allocate a new folio for it, mark the\nunderlying page as not-present in the direct map, and add it to the file\nmapping.\n\nIf two tasks cause a fault in the same page concurrently, both could end\nup allocating a folio and removing the page from the direct map, but only\none would succeed in adding the folio to the file mapping.  The task that\nfailed undoes the effects of its attempt by (a) freeing the folio again\nand (b) putting the page back into the direct map.  However, by doing\nthese two operations in this order, the page becomes available to the\nallocator again before it is placed back in the direct mapping.\n\nIf another task attempts to allocate the page between (a) and (b), and the\nkernel tries to access it via the direct map, it would result in a\nsupervisor not-present page fault.\n\nFix the ordering to restore the direct map before the folio is freed."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-06T21:50:54.629Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/bb1c19636aedae39360e6fdbcaef4f2bcff25785"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e4643d6628edf9c0047b1f8f5bc574665025acb"
        },
        {
          "url": "https://git.kernel.org/stable/c/42d486d35a4143cc37fc72ee66edc99d942dd367"
        },
        {
          "url": "https://git.kernel.org/stable/c/52f2d5cf33de9a8f5e72bbb0ed38282ae0bc4649"
        },
        {
          "url": "https://git.kernel.org/stable/c/4444767e625da46009fc94a453fd1967b80ba047"
        },
        {
          "url": "https://git.kernel.org/stable/c/6f86d0534fddfbd08687fa0f01479d4226bc3c3d"
        }
      ],
      "title": "mm/secretmem: fix use-after-free race in fault handler",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40272",
    "datePublished": "2025-12-06T21:50:54.629Z",
    "dateReserved": "2025-04-16T07:20:57.183Z",
    "dateUpdated": "2025-12-06T21:50:54.629Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40293 (GCVE-0-2025-40293)

Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46

Title

iommufd: Don't overflow during division for dirty tracking

Summary

In the Linux kernel, the following vulnerability has been resolved: iommufd: Don't overflow during division for dirty tracking If pgshift is 63 then BITS_PER_TYPE(*bitmap->bitmap) * pgsize will overflow to 0 and this triggers divide by 0. In this case the index should just be 0, so reorganize things to divide by shift and avoid hitting any overflows.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/07105e61882ff4a7d…
	https://git.kernel.org/stable/c/4c8a4f1d34eced168…
	https://git.kernel.org/stable/c/de7f2c67ceb1941b0…
	https://git.kernel.org/stable/c/dbf316fc90aa954dc…
	https://git.kernel.org/stable/c/cb30dfa75d55eced3…

Impacted products

Vendor

Product

Version

Linux

Affected: 58ccf0190d19d9a8a41f8a02b9e06742b58df4a1 , < 07105e61882ff4a7d58db63cc5f9e90c6c60506c (git)
Affected: 58ccf0190d19d9a8a41f8a02b9e06742b58df4a1 , < 4c8a4f1d34eced168cc0b3a3dfe7b6dcc2090f69 (git)
Affected: 58ccf0190d19d9a8a41f8a02b9e06742b58df4a1 , < de7f2c67ceb1941b05b04ac35458a03e93cc57b1 (git)
Affected: 58ccf0190d19d9a8a41f8a02b9e06742b58df4a1 , < dbf316fc90aa954dcd5440817f4b944627ed63e0 (git)
Affected: 58ccf0190d19d9a8a41f8a02b9e06742b58df4a1 , < cb30dfa75d55eced379a42fd67bd5fb7ec38555e (git)

Linux

Affected: 6.1
Unaffected: 0 , < 6.1 (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/iommufd/iova_bitmap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "07105e61882ff4a7d58db63cc5f9e90c6c60506c",
              "status": "affected",
              "version": "58ccf0190d19d9a8a41f8a02b9e06742b58df4a1",
              "versionType": "git"
            },
            {
              "lessThan": "4c8a4f1d34eced168cc0b3a3dfe7b6dcc2090f69",
              "status": "affected",
              "version": "58ccf0190d19d9a8a41f8a02b9e06742b58df4a1",
              "versionType": "git"
            },
            {
              "lessThan": "de7f2c67ceb1941b05b04ac35458a03e93cc57b1",
              "status": "affected",
              "version": "58ccf0190d19d9a8a41f8a02b9e06742b58df4a1",
              "versionType": "git"
            },
            {
              "lessThan": "dbf316fc90aa954dcd5440817f4b944627ed63e0",
              "status": "affected",
              "version": "58ccf0190d19d9a8a41f8a02b9e06742b58df4a1",
              "versionType": "git"
            },
            {
              "lessThan": "cb30dfa75d55eced379a42fd67bd5fb7ec38555e",
              "status": "affected",
              "version": "58ccf0190d19d9a8a41f8a02b9e06742b58df4a1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/iommufd/iova_bitmap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.1"
            },
            {
              "lessThan": "6.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Don\u0027t overflow during division for dirty tracking\n\nIf pgshift is 63 then BITS_PER_TYPE(*bitmap-\u003ebitmap) * pgsize will overflow\nto 0 and this triggers divide by 0.\n\nIn this case the index should just be 0, so reorganize things to divide\nby shift and avoid hitting any overflows."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-08T00:46:16.850Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/07105e61882ff4a7d58db63cc5f9e90c6c60506c"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c8a4f1d34eced168cc0b3a3dfe7b6dcc2090f69"
        },
        {
          "url": "https://git.kernel.org/stable/c/de7f2c67ceb1941b05b04ac35458a03e93cc57b1"
        },
        {
          "url": "https://git.kernel.org/stable/c/dbf316fc90aa954dcd5440817f4b944627ed63e0"
        },
        {
          "url": "https://git.kernel.org/stable/c/cb30dfa75d55eced379a42fd67bd5fb7ec38555e"
        }
      ],
      "title": "iommufd: Don\u0027t overflow during division for dirty tracking",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40293",
    "datePublished": "2025-12-08T00:46:16.850Z",
    "dateReserved": "2025-04-16T07:20:57.185Z",
    "dateUpdated": "2025-12-08T00:46:16.850Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68230 (GCVE-0-2025-68230)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:57 – Updated: 2026-01-02 15:34

Title

drm/amdgpu: fix gpu page fault after hibernation on PF passthrough

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix gpu page fault after hibernation on PF passthrough On PF passthrough environment, after hibernate and then resume, coralgemm will cause gpu page fault. Mode1 reset happens during hibernate, but partition mode is not restored on resume, register mmCP_HYP_XCP_CTL and mmCP_PSP_XCP_CTL is not right after resume. When CP access the MQD BO, wrong stride size is used, this will cause out of bound access on the MQD BO, resulting page fault. The fix is to ensure gfx_v9_4_3_switch_compute_partition() is called when resume from a hibernation. KFD resume is called separately during a reset recovery or resume from suspend sequence. Hence it's not required to be called as part of partition switch. (cherry picked from commit 5d1b32cfe4a676fe552416cb5ae847b215463a1a)

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a45d6359eefb41e08…
	https://git.kernel.org/stable/c/eef72d856f978955e…
	https://git.kernel.org/stable/c/eb6e7f520d6efa4d4…

Impacted products

Vendor

Product

Version

Linux

Affected: 955220b04d42c41050158fec0f53957f320b96f9 , < a45d6359eefb41e08d374a3260b10bff5626823b (git)
Affected: 955220b04d42c41050158fec0f53957f320b96f9 , < eef72d856f978955e633c270abb1f7ec7b61c6d2 (git)
Affected: 955220b04d42c41050158fec0f53957f320b96f9 , < eb6e7f520d6efa4d4ebf1671455abe4a681f7a05 (git)

Linux

Affected: 6.5
Unaffected: 0 , < 6.5 (semver)
Unaffected: 6.12.60 , ≤ 6.12.* (semver)
Unaffected: 6.17.10 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/aqua_vanjaram.c",
            "drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a45d6359eefb41e08d374a3260b10bff5626823b",
              "status": "affected",
              "version": "955220b04d42c41050158fec0f53957f320b96f9",
              "versionType": "git"
            },
            {
              "lessThan": "eef72d856f978955e633c270abb1f7ec7b61c6d2",
              "status": "affected",
              "version": "955220b04d42c41050158fec0f53957f320b96f9",
              "versionType": "git"
            },
            {
              "lessThan": "eb6e7f520d6efa4d4ebf1671455abe4a681f7a05",
              "status": "affected",
              "version": "955220b04d42c41050158fec0f53957f320b96f9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/aqua_vanjaram.c",
            "drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.60",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.60",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.10",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix gpu page fault after hibernation on PF passthrough\n\nOn PF passthrough environment, after hibernate and then resume, coralgemm\nwill cause gpu page fault.\n\nMode1 reset happens during hibernate, but partition mode is not restored\non resume, register mmCP_HYP_XCP_CTL and mmCP_PSP_XCP_CTL is not right\nafter resume. When CP access the MQD BO, wrong stride size is used,\nthis will cause out of bound access on the MQD BO, resulting page fault.\n\nThe fix is to ensure gfx_v9_4_3_switch_compute_partition() is called\nwhen resume from a hibernation.\nKFD resume is called separately during a reset recovery or resume from\nsuspend sequence. Hence it\u0027s not required to be called as part of\npartition switch.\n\n(cherry picked from commit 5d1b32cfe4a676fe552416cb5ae847b215463a1a)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:34:28.895Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a45d6359eefb41e08d374a3260b10bff5626823b"
        },
        {
          "url": "https://git.kernel.org/stable/c/eef72d856f978955e633c270abb1f7ec7b61c6d2"
        },
        {
          "url": "https://git.kernel.org/stable/c/eb6e7f520d6efa4d4ebf1671455abe4a681f7a05"
        }
      ],
      "title": "drm/amdgpu: fix gpu page fault after hibernation on PF passthrough",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68230",
    "datePublished": "2025-12-16T13:57:22.787Z",
    "dateReserved": "2025-12-16T13:41:40.258Z",
    "dateUpdated": "2026-01-02T15:34:28.895Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-54170 (GCVE-0-2023-54170)

Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2025-12-30 12:08

Title

keys: Fix linking a duplicate key to a keyring's assoc_array

Summary

In the Linux kernel, the following vulnerability has been resolved: keys: Fix linking a duplicate key to a keyring's assoc_array When making a DNS query inside the kernel using dns_query(), the request code can in rare cases end up creating a duplicate index key in the assoc_array of the destination keyring. It is eventually found by a BUG_ON() check in the assoc_array implementation and results in a crash. Example report: [2158499.700025] kernel BUG at ../lib/assoc_array.c:652! [2158499.700039] invalid opcode: 0000 [#1] SMP PTI [2158499.700065] CPU: 3 PID: 31985 Comm: kworker/3:1 Kdump: loaded Not tainted 5.3.18-150300.59.90-default #1 SLE15-SP3 [2158499.700096] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 [2158499.700351] Workqueue: cifsiod cifs_resolve_server [cifs] [2158499.700380] RIP: 0010:assoc_array_insert+0x85f/0xa40 [2158499.700401] Code: ff 74 2b 48 8b 3b 49 8b 45 18 4c 89 e6 48 83 e7 fe e8 95 ec 74 00 3b 45 88 7d db 85 c0 79 d4 0f 0b 0f 0b 0f 0b e8 41 f2 be ff <0f> 0b 0f 0b 81 7d 88 ff ff ff 7f 4c 89 eb 4c 8b ad 58 ff ff ff 0f [2158499.700448] RSP: 0018:ffffc0bd6187faf0 EFLAGS: 00010282 [2158499.700470] RAX: ffff9f1ea7da2fe8 RBX: ffff9f1ea7da2fc1 RCX: 0000000000000005 [2158499.700492] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000 [2158499.700515] RBP: ffffc0bd6187fbb0 R08: ffff9f185faf1100 R09: 0000000000000000 [2158499.700538] R10: ffff9f1ea7da2cc0 R11: 000000005ed8cec8 R12: ffffc0bd6187fc28 [2158499.700561] R13: ffff9f15feb8d000 R14: ffff9f1ea7da2fc0 R15: ffff9f168dc0d740 [2158499.700585] FS: 0000000000000000(0000) GS:ffff9f185fac0000(0000) knlGS:0000000000000000 [2158499.700610] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [2158499.700630] CR2: 00007fdd94fca238 CR3: 0000000809d8c006 CR4: 00000000003706e0 [2158499.700702] Call Trace: [2158499.700741] ? key_alloc+0x447/0x4b0 [2158499.700768] ? __key_link_begin+0x43/0xa0 [2158499.700790] __key_link_begin+0x43/0xa0 [2158499.700814] request_key_and_link+0x2c7/0x730 [2158499.700847] ? dns_resolver_read+0x20/0x20 [dns_resolver] [2158499.700873] ? key_default_cmp+0x20/0x20 [2158499.700898] request_key_tag+0x43/0xa0 [2158499.700926] dns_query+0x114/0x2ca [dns_resolver] [2158499.701127] dns_resolve_server_name_to_ip+0x194/0x310 [cifs] [2158499.701164] ? scnprintf+0x49/0x90 [2158499.701190] ? __switch_to_asm+0x40/0x70 [2158499.701211] ? __switch_to_asm+0x34/0x70 [2158499.701405] reconn_set_ipaddr_from_hostname+0x81/0x2a0 [cifs] [2158499.701603] cifs_resolve_server+0x4b/0xd0 [cifs] [2158499.701632] process_one_work+0x1f8/0x3e0 [2158499.701658] worker_thread+0x2d/0x3f0 [2158499.701682] ? process_one_work+0x3e0/0x3e0 [2158499.701703] kthread+0x10d/0x130 [2158499.701723] ? kthread_park+0xb0/0xb0 [2158499.701746] ret_from_fork+0x1f/0x40 The situation occurs as follows: * Some kernel facility invokes dns_query() to resolve a hostname, for example, "abcdef". The function registers its global DNS resolver cache as current->cred.thread_keyring and passes the query to request_key_net() -> request_key_tag() -> request_key_and_link(). * Function request_key_and_link() creates a keyring_search_context object. Its match_data.cmp method gets set via a call to type->match_preparse() (resolves to dns_resolver_match_preparse()) to dns_resolver_cmp(). * Function request_key_and_link() continues and invokes search_process_keyrings_rcu() which returns that a given key was not found. The control is then passed to request_key_and_link() -> construct_alloc_key(). * Concurrently to that, a second task similarly makes a DNS query for "abcdef." and its result gets inserted into the DNS resolver cache. * Back on the first task, function construct_alloc_key() first runs __key_link_begin() to determine an assoc_array_edit operation to insert a new key. Index keys in the array are compared exactly as-is, using keyring_compare_object(). The operation ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/65bd66a794bfa0593…
	https://git.kernel.org/stable/c/0a6b0ca58685be349…
	https://git.kernel.org/stable/c/9aecfebea24fe6071…
	https://git.kernel.org/stable/c/00edfa6d4fe022942…
	https://git.kernel.org/stable/c/e091bb55af9a93080…
	https://git.kernel.org/stable/c/d55901522f96082a4…

Impacted products

Vendor

Product

Version

Linux

Affected: df593ee23e05cdda16c8c995e5818779431bb29f , < 65bd66a794bfa059375ec834885bb610d75c0182 (git)
Affected: df593ee23e05cdda16c8c995e5818779431bb29f , < 0a6b0ca58685be34979236f83f2b322635b80b32 (git)
Affected: df593ee23e05cdda16c8c995e5818779431bb29f , < 9aecfebea24fe6071ace5cc9fd6d690b87276bbb (git)
Affected: df593ee23e05cdda16c8c995e5818779431bb29f , < 00edfa6d4fe022942e2f2e6f3294ff13ef78b15c (git)
Affected: df593ee23e05cdda16c8c995e5818779431bb29f , < e091bb55af9a930801f83df78195a908a76e1479 (git)
Affected: df593ee23e05cdda16c8c995e5818779431bb29f , < d55901522f96082a43b9842d34867363c0cdbac5 (git)

Linux

Affected: 5.3
Unaffected: 0 , < 5.3 (semver)
Unaffected: 5.4.253 , ≤ 5.4.* (semver)
Unaffected: 5.10.188 , ≤ 5.10.* (semver)
Unaffected: 5.15.123 , ≤ 5.15.* (semver)
Unaffected: 6.1.42 , ≤ 6.1.* (semver)
Unaffected: 6.4.7 , ≤ 6.4.* (semver)
Unaffected: 6.5 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "security/keys/request_key.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "65bd66a794bfa059375ec834885bb610d75c0182",
              "status": "affected",
              "version": "df593ee23e05cdda16c8c995e5818779431bb29f",
              "versionType": "git"
            },
            {
              "lessThan": "0a6b0ca58685be34979236f83f2b322635b80b32",
              "status": "affected",
              "version": "df593ee23e05cdda16c8c995e5818779431bb29f",
              "versionType": "git"
            },
            {
              "lessThan": "9aecfebea24fe6071ace5cc9fd6d690b87276bbb",
              "status": "affected",
              "version": "df593ee23e05cdda16c8c995e5818779431bb29f",
              "versionType": "git"
            },
            {
              "lessThan": "00edfa6d4fe022942e2f2e6f3294ff13ef78b15c",
              "status": "affected",
              "version": "df593ee23e05cdda16c8c995e5818779431bb29f",
              "versionType": "git"
            },
            {
              "lessThan": "e091bb55af9a930801f83df78195a908a76e1479",
              "status": "affected",
              "version": "df593ee23e05cdda16c8c995e5818779431bb29f",
              "versionType": "git"
            },
            {
              "lessThan": "d55901522f96082a43b9842d34867363c0cdbac5",
              "status": "affected",
              "version": "df593ee23e05cdda16c8c995e5818779431bb29f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "security/keys/request_key.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.3"
            },
            {
              "lessThan": "5.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.253",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.188",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.123",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.253",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.188",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.123",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.42",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.7",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkeys: Fix linking a duplicate key to a keyring\u0027s assoc_array\n\nWhen making a DNS query inside the kernel using dns_query(), the request\ncode can in rare cases end up creating a duplicate index key in the\nassoc_array of the destination keyring. It is eventually found by\na BUG_ON() check in the assoc_array implementation and results in\na crash.\n\nExample report:\n[2158499.700025] kernel BUG at ../lib/assoc_array.c:652!\n[2158499.700039] invalid opcode: 0000 [#1] SMP PTI\n[2158499.700065] CPU: 3 PID: 31985 Comm: kworker/3:1 Kdump: loaded Not tainted 5.3.18-150300.59.90-default #1 SLE15-SP3\n[2158499.700096] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\n[2158499.700351] Workqueue: cifsiod cifs_resolve_server [cifs]\n[2158499.700380] RIP: 0010:assoc_array_insert+0x85f/0xa40\n[2158499.700401] Code: ff 74 2b 48 8b 3b 49 8b 45 18 4c 89 e6 48 83 e7 fe e8 95 ec 74 00 3b 45 88 7d db 85 c0 79 d4 0f 0b 0f 0b 0f 0b e8 41 f2 be ff \u003c0f\u003e 0b 0f 0b 81 7d 88 ff ff ff 7f 4c 89 eb 4c 8b ad 58 ff ff ff 0f\n[2158499.700448] RSP: 0018:ffffc0bd6187faf0 EFLAGS: 00010282\n[2158499.700470] RAX: ffff9f1ea7da2fe8 RBX: ffff9f1ea7da2fc1 RCX: 0000000000000005\n[2158499.700492] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000\n[2158499.700515] RBP: ffffc0bd6187fbb0 R08: ffff9f185faf1100 R09: 0000000000000000\n[2158499.700538] R10: ffff9f1ea7da2cc0 R11: 000000005ed8cec8 R12: ffffc0bd6187fc28\n[2158499.700561] R13: ffff9f15feb8d000 R14: ffff9f1ea7da2fc0 R15: ffff9f168dc0d740\n[2158499.700585] FS:  0000000000000000(0000) GS:ffff9f185fac0000(0000) knlGS:0000000000000000\n[2158499.700610] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[2158499.700630] CR2: 00007fdd94fca238 CR3: 0000000809d8c006 CR4: 00000000003706e0\n[2158499.700702] Call Trace:\n[2158499.700741]  ? key_alloc+0x447/0x4b0\n[2158499.700768]  ? __key_link_begin+0x43/0xa0\n[2158499.700790]  __key_link_begin+0x43/0xa0\n[2158499.700814]  request_key_and_link+0x2c7/0x730\n[2158499.700847]  ? dns_resolver_read+0x20/0x20 [dns_resolver]\n[2158499.700873]  ? key_default_cmp+0x20/0x20\n[2158499.700898]  request_key_tag+0x43/0xa0\n[2158499.700926]  dns_query+0x114/0x2ca [dns_resolver]\n[2158499.701127]  dns_resolve_server_name_to_ip+0x194/0x310 [cifs]\n[2158499.701164]  ? scnprintf+0x49/0x90\n[2158499.701190]  ? __switch_to_asm+0x40/0x70\n[2158499.701211]  ? __switch_to_asm+0x34/0x70\n[2158499.701405]  reconn_set_ipaddr_from_hostname+0x81/0x2a0 [cifs]\n[2158499.701603]  cifs_resolve_server+0x4b/0xd0 [cifs]\n[2158499.701632]  process_one_work+0x1f8/0x3e0\n[2158499.701658]  worker_thread+0x2d/0x3f0\n[2158499.701682]  ? process_one_work+0x3e0/0x3e0\n[2158499.701703]  kthread+0x10d/0x130\n[2158499.701723]  ? kthread_park+0xb0/0xb0\n[2158499.701746]  ret_from_fork+0x1f/0x40\n\nThe situation occurs as follows:\n* Some kernel facility invokes dns_query() to resolve a hostname, for\n  example, \"abcdef\". The function registers its global DNS resolver\n  cache as current-\u003ecred.thread_keyring and passes the query to\n  request_key_net() -\u003e request_key_tag() -\u003e request_key_and_link().\n* Function request_key_and_link() creates a keyring_search_context\n  object. Its match_data.cmp method gets set via a call to\n  type-\u003ematch_preparse() (resolves to dns_resolver_match_preparse()) to\n  dns_resolver_cmp().\n* Function request_key_and_link() continues and invokes\n  search_process_keyrings_rcu() which returns that a given key was not\n  found. The control is then passed to request_key_and_link() -\u003e\n  construct_alloc_key().\n* Concurrently to that, a second task similarly makes a DNS query for\n  \"abcdef.\" and its result gets inserted into the DNS resolver cache.\n* Back on the first task, function construct_alloc_key() first runs\n  __key_link_begin() to determine an assoc_array_edit operation to\n  insert a new key. Index keys in the array are compared exactly as-is,\n  using keyring_compare_object(). The operation \n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T12:08:44.763Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/65bd66a794bfa059375ec834885bb610d75c0182"
        },
        {
          "url": "https://git.kernel.org/stable/c/0a6b0ca58685be34979236f83f2b322635b80b32"
        },
        {
          "url": "https://git.kernel.org/stable/c/9aecfebea24fe6071ace5cc9fd6d690b87276bbb"
        },
        {
          "url": "https://git.kernel.org/stable/c/00edfa6d4fe022942e2f2e6f3294ff13ef78b15c"
        },
        {
          "url": "https://git.kernel.org/stable/c/e091bb55af9a930801f83df78195a908a76e1479"
        },
        {
          "url": "https://git.kernel.org/stable/c/d55901522f96082a43b9842d34867363c0cdbac5"
        }
      ],
      "title": "keys: Fix linking a duplicate key to a keyring\u0027s assoc_array",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-54170",
    "datePublished": "2025-12-30T12:08:44.763Z",
    "dateReserved": "2025-12-30T12:06:44.496Z",
    "dateUpdated": "2025-12-30T12:08:44.763Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50827 (GCVE-0-2022-50827)

Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2025-12-30 12:08

Title

scsi: lpfc: Fix memory leak in lpfc_create_port()

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix memory leak in lpfc_create_port() Commit 5e633302ace1 ("scsi: lpfc: vmid: Add support for VMID in mailbox command") introduced allocations for the VMID resources in lpfc_create_port() after the call to scsi_host_alloc(). Upon failure on the VMID allocations, the new code would branch to the 'out' label, which returns NULL without unwinding anything, thus skipping the call to scsi_host_put(). Fix the problem by creating a separate label 'out_free_vmid' to unwind the VMID resources and make the 'out_put_shost' label call only scsi_host_put(), as was done before the introduction of allocations for VMID.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/9749595feb33a1a2b…
	https://git.kernel.org/stable/c/5ea1f195f51c2bb59…
	https://git.kernel.org/stable/c/dc8e483f684a24cc0…

Impacted products

Vendor

Product

Version

Linux

Affected: 5e633302ace1f61f8ea5a3ce21e19a4d79126cca , < 9749595feb33a1a2b848800192224ffeed5346b4 (git)
Affected: 5e633302ace1f61f8ea5a3ce21e19a4d79126cca , < 5ea1f195f51c2bb5915ccfb2b2885ca81ce9262b (git)
Affected: 5e633302ace1f61f8ea5a3ce21e19a4d79126cca , < dc8e483f684a24cc06e1d5fa958b54db58855093 (git)

Linux

Affected: 5.14
Unaffected: 0 , < 5.14 (semver)
Unaffected: 5.15.76 , ≤ 5.15.* (semver)
Unaffected: 6.0.6 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/lpfc/lpfc_init.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9749595feb33a1a2b848800192224ffeed5346b4",
              "status": "affected",
              "version": "5e633302ace1f61f8ea5a3ce21e19a4d79126cca",
              "versionType": "git"
            },
            {
              "lessThan": "5ea1f195f51c2bb5915ccfb2b2885ca81ce9262b",
              "status": "affected",
              "version": "5e633302ace1f61f8ea5a3ce21e19a4d79126cca",
              "versionType": "git"
            },
            {
              "lessThan": "dc8e483f684a24cc06e1d5fa958b54db58855093",
              "status": "affected",
              "version": "5e633302ace1f61f8ea5a3ce21e19a4d79126cca",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/lpfc/lpfc_init.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.76",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.6",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix memory leak in lpfc_create_port()\n\nCommit 5e633302ace1 (\"scsi: lpfc: vmid: Add support for VMID in mailbox\ncommand\") introduced allocations for the VMID resources in\nlpfc_create_port() after the call to scsi_host_alloc(). Upon failure on the\nVMID allocations, the new code would branch to the \u0027out\u0027 label, which\nreturns NULL without unwinding anything, thus skipping the call to\nscsi_host_put().\n\nFix the problem by creating a separate label \u0027out_free_vmid\u0027 to unwind the\nVMID resources and make the \u0027out_put_shost\u0027 label call only\nscsi_host_put(), as was done before the introduction of allocations for\nVMID."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T12:08:39.669Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9749595feb33a1a2b848800192224ffeed5346b4"
        },
        {
          "url": "https://git.kernel.org/stable/c/5ea1f195f51c2bb5915ccfb2b2885ca81ce9262b"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc8e483f684a24cc06e1d5fa958b54db58855093"
        }
      ],
      "title": "scsi: lpfc: Fix memory leak in lpfc_create_port()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50827",
    "datePublished": "2025-12-30T12:08:39.669Z",
    "dateReserved": "2025-12-30T12:06:07.131Z",
    "dateUpdated": "2025-12-30T12:08:39.669Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40353 (GCVE-0-2025-40353)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:30 – Updated: 2026-01-02 15:33

Title

arm64: mte: Do not warn if the page is already tagged in copy_highpage()

Summary

In the Linux kernel, the following vulnerability has been resolved: arm64: mte: Do not warn if the page is already tagged in copy_highpage() The arm64 copy_highpage() assumes that the destination page is newly allocated and not MTE-tagged (PG_mte_tagged unset) and warns accordingly. However, following commit 060913999d7a ("mm: migrate: support poisoned recover from migrate folio"), folio_mc_copy() is called before __folio_migrate_mapping(). If the latter fails (-EAGAIN), the copy will be done again to the same destination page. Since copy_highpage() already set the PG_mte_tagged flag, this second copy will warn. Replace the WARN_ON_ONCE(page already tagged) in the arm64 copy_highpage() with a comment.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/5ff5765a1fc526f07…
	https://git.kernel.org/stable/c/0bbf3fc6e9211fce9…
	https://git.kernel.org/stable/c/b98c94eed4a975e0c…

Impacted products

Vendor

Product

Version

Linux

Affected: 060913999d7a9e50c283fdb15253fc27974ddadc , < 5ff5765a1fc526f07d3bbaedb061d970eb13bcf4 (git)
Affected: 060913999d7a9e50c283fdb15253fc27974ddadc , < 0bbf3fc6e9211fce9889fe8efbb89c220504d617 (git)
Affected: 060913999d7a9e50c283fdb15253fc27974ddadc , < b98c94eed4a975e0c80b7e90a649a46967376f58 (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.12.56 , ≤ 6.12.* (semver)
Unaffected: 6.17.6 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/mm/copypage.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5ff5765a1fc526f07d3bbaedb061d970eb13bcf4",
              "status": "affected",
              "version": "060913999d7a9e50c283fdb15253fc27974ddadc",
              "versionType": "git"
            },
            {
              "lessThan": "0bbf3fc6e9211fce9889fe8efbb89c220504d617",
              "status": "affected",
              "version": "060913999d7a9e50c283fdb15253fc27974ddadc",
              "versionType": "git"
            },
            {
              "lessThan": "b98c94eed4a975e0c80b7e90a649a46967376f58",
              "status": "affected",
              "version": "060913999d7a9e50c283fdb15253fc27974ddadc",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/mm/copypage.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.56",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.56",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.6",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: mte: Do not warn if the page is already tagged in copy_highpage()\n\nThe arm64 copy_highpage() assumes that the destination page is newly\nallocated and not MTE-tagged (PG_mte_tagged unset) and warns\naccordingly. However, following commit 060913999d7a (\"mm: migrate:\nsupport poisoned recover from migrate folio\"), folio_mc_copy() is called\nbefore __folio_migrate_mapping(). If the latter fails (-EAGAIN), the\ncopy will be done again to the same destination page. Since\ncopy_highpage() already set the PG_mte_tagged flag, this second copy\nwill warn.\n\nReplace the WARN_ON_ONCE(page already tagged) in the arm64\ncopy_highpage() with a comment."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:33:52.663Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5ff5765a1fc526f07d3bbaedb061d970eb13bcf4"
        },
        {
          "url": "https://git.kernel.org/stable/c/0bbf3fc6e9211fce9889fe8efbb89c220504d617"
        },
        {
          "url": "https://git.kernel.org/stable/c/b98c94eed4a975e0c80b7e90a649a46967376f58"
        }
      ],
      "title": "arm64: mte: Do not warn if the page is already tagged in copy_highpage()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40353",
    "datePublished": "2025-12-16T13:30:26.273Z",
    "dateReserved": "2025-04-16T07:20:57.187Z",
    "dateUpdated": "2026-01-02T15:33:52.663Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68252 (GCVE-0-2025-68252)

Vulnerability from cvelistv5 – Published: 2025-12-16 14:32 – Updated: 2025-12-16 14:32

Title

misc: fastrpc: Fix dma_buf object leak in fastrpc_map_lookup

Summary

In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix dma_buf object leak in fastrpc_map_lookup In fastrpc_map_lookup, dma_buf_get is called to obtain a reference to the dma_buf for comparison purposes. However, this reference is never released when the function returns, leading to a dma_buf memory leak. Fix this by adding dma_buf_put before returning from the function, ensuring that the temporarily acquired reference is properly released regardless of whether a matching map is found. Rule: add

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c2fef5ebb73f3daba…
	https://git.kernel.org/stable/c/9a297a68c3ba4a7ec…
	https://git.kernel.org/stable/c/e17b13387827adce7…
	https://git.kernel.org/stable/c/214e81a63a9aa0be4…
	https://git.kernel.org/stable/c/fff111bf45cbeeb65…

Impacted products

Vendor

Product

Version

Linux

Affected: ec5cb80503bbfee67573699fe52fcf456fd57678 , < c2fef5ebb73f3dabae6fbc571d181914ed32c483 (git)
Affected: 6e0d6cc39f410a4d9ea774fbb254c68fe02ff4bb , < 9a297a68c3ba4a7ecb31ed52f61bd6634abb79d3 (git)
Affected: 6e0928a8988e873da9946e17f8065ad77c720186 , < e17b13387827adce7acb19ac0f07f9bcafe0ff4c (git)
Affected: 1986bba9597b3d97d3e80530dc457a1cd1994e22 , < 214e81a63a9aa0be42382ef0365ba5ed32c513ab (git)
Affected: 9031626ade38b092b72638dfe0c6ffce8d8acd43 , < fff111bf45cbeeb659324316d68554e35d350092 (git)

Linux

Affected: 6.1.156 , < 6.1.158 (semver)
Affected: 6.6.112 , < 6.6.115 (semver)
Affected: 6.12.53 , < 6.12.56 (semver)
Affected: 6.17.3 , < 6.17.6 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/misc/fastrpc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c2fef5ebb73f3dabae6fbc571d181914ed32c483",
              "status": "affected",
              "version": "ec5cb80503bbfee67573699fe52fcf456fd57678",
              "versionType": "git"
            },
            {
              "lessThan": "9a297a68c3ba4a7ecb31ed52f61bd6634abb79d3",
              "status": "affected",
              "version": "6e0d6cc39f410a4d9ea774fbb254c68fe02ff4bb",
              "versionType": "git"
            },
            {
              "lessThan": "e17b13387827adce7acb19ac0f07f9bcafe0ff4c",
              "status": "affected",
              "version": "6e0928a8988e873da9946e17f8065ad77c720186",
              "versionType": "git"
            },
            {
              "lessThan": "214e81a63a9aa0be42382ef0365ba5ed32c513ab",
              "status": "affected",
              "version": "1986bba9597b3d97d3e80530dc457a1cd1994e22",
              "versionType": "git"
            },
            {
              "lessThan": "fff111bf45cbeeb659324316d68554e35d350092",
              "status": "affected",
              "version": "9031626ade38b092b72638dfe0c6ffce8d8acd43",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/misc/fastrpc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6.1.158",
              "status": "affected",
              "version": "6.1.156",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6.115",
              "status": "affected",
              "version": "6.6.112",
              "versionType": "semver"
            },
            {
              "lessThan": "6.12.56",
              "status": "affected",
              "version": "6.12.53",
              "versionType": "semver"
            },
            {
              "lessThan": "6.17.6",
              "status": "affected",
              "version": "6.17.3",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.158",
                  "versionStartIncluding": "6.1.156",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.115",
                  "versionStartIncluding": "6.6.112",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.56",
                  "versionStartIncluding": "6.12.53",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.6",
                  "versionStartIncluding": "6.17.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: Fix dma_buf object leak in fastrpc_map_lookup\n\nIn fastrpc_map_lookup, dma_buf_get is called to obtain a reference to\nthe dma_buf for comparison purposes. However, this reference is never\nreleased when the function returns, leading to a dma_buf memory leak.\n\nFix this by adding dma_buf_put before returning from the function,\nensuring that the temporarily acquired reference is properly released\nregardless of whether a matching map is found.\n\nRule: add"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T14:32:18.819Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c2fef5ebb73f3dabae6fbc571d181914ed32c483"
        },
        {
          "url": "https://git.kernel.org/stable/c/9a297a68c3ba4a7ecb31ed52f61bd6634abb79d3"
        },
        {
          "url": "https://git.kernel.org/stable/c/e17b13387827adce7acb19ac0f07f9bcafe0ff4c"
        },
        {
          "url": "https://git.kernel.org/stable/c/214e81a63a9aa0be42382ef0365ba5ed32c513ab"
        },
        {
          "url": "https://git.kernel.org/stable/c/fff111bf45cbeeb659324316d68554e35d350092"
        }
      ],
      "title": "misc: fastrpc: Fix dma_buf object leak in fastrpc_map_lookup",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68252",
    "datePublished": "2025-12-16T14:32:18.819Z",
    "dateReserved": "2025-12-16T13:41:40.266Z",
    "dateUpdated": "2025-12-16T14:32:18.819Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-54024 (GCVE-0-2023-54024)

Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55

Title

KVM: Destroy target device if coalesced MMIO unregistration fails

Summary

In the Linux kernel, the following vulnerability has been resolved: KVM: Destroy target device if coalesced MMIO unregistration fails Destroy and free the target coalesced MMIO device if unregistering said device fails. As clearly noted in the code, kvm_io_bus_unregister_dev() does not destroy the target device. BUG: memory leak unreferenced object 0xffff888112a54880 (size 64): comm "syz-executor.2", pid 5258, jiffies 4297861402 (age 14.129s) hex dump (first 32 bytes): 38 c7 67 15 00 c9 ff ff 38 c7 67 15 00 c9 ff ff 8.g.....8.g..... e0 c7 e1 83 ff ff ff ff 00 30 67 15 00 c9 ff ff .........0g..... backtrace: [<0000000006995a8a>] kmalloc include/linux/slab.h:556 [inline] [<0000000006995a8a>] kzalloc include/linux/slab.h:690 [inline] [<0000000006995a8a>] kvm_vm_ioctl_register_coalesced_mmio+0x8e/0x3d0 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:150 [<00000000022550c2>] kvm_vm_ioctl+0x47d/0x1600 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3323 [<000000008a75102f>] vfs_ioctl fs/ioctl.c:46 [inline] [<000000008a75102f>] file_ioctl fs/ioctl.c:509 [inline] [<000000008a75102f>] do_vfs_ioctl+0xbab/0x1160 fs/ioctl.c:696 [<0000000080e3f669>] ksys_ioctl+0x76/0xa0 fs/ioctl.c:713 [<0000000059ef4888>] __do_sys_ioctl fs/ioctl.c:720 [inline] [<0000000059ef4888>] __se_sys_ioctl fs/ioctl.c:718 [inline] [<0000000059ef4888>] __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718 [<000000006444fa05>] do_syscall_64+0x9f/0x4e0 arch/x86/entry/common.c:290 [<000000009a4ed50b>] entry_SYSCALL_64_after_hwframe+0x49/0xbe BUG: leak checking failed

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/10c2a20d73e99463e…
	https://git.kernel.org/stable/c/76a9886e1b61ce559…
	https://git.kernel.org/stable/c/999439fd5da5a7625…
	https://git.kernel.org/stable/c/ccf6a7fb1aedb1472…
	https://git.kernel.org/stable/c/fb436dd6914325075…
	https://git.kernel.org/stable/c/b1cb1fac22abf102f…

Impacted products

Vendor

Product

Version

Linux

Affected: 7d1bc32d6477ff96a32695ea4be8144e4513ab2d , < 10c2a20d73e99463e69b7e92706791656adc16d7 (git)
Affected: 2a20592baff59c5351c5200ec667e1a2aa22af85 , < 76a9886e1b61ce5592df5ae78a19ed30399ae189 (git)
Affected: 5d3c4c79384af06e3c8e25b7770b6247496b4417 , < 999439fd5da5a76253e2f2c37b94204f47d75491 (git)
Affected: 5d3c4c79384af06e3c8e25b7770b6247496b4417 , < ccf6a7fb1aedb1472e1241ee55e4d26b68f8d066 (git)
Affected: 5d3c4c79384af06e3c8e25b7770b6247496b4417 , < fb436dd6914325075f07d19851ab277b7a693ae7 (git)
Affected: 5d3c4c79384af06e3c8e25b7770b6247496b4417 , < b1cb1fac22abf102ffeb29dd3eeca208a3869d54 (git)
Affected: 168e82f640ed1891a700bdb43e37da354b2ab63c (git)
Affected: 50cbad42bfea8c052b7ca590bd4126cdc898713c (git)

Linux

Affected: 5.13
Unaffected: 0 , < 5.13 (semver)
Unaffected: 5.4.235 , ≤ 5.4.* (semver)
Unaffected: 5.10.173 , ≤ 5.10.* (semver)
Unaffected: 5.15.99 , ≤ 5.15.* (semver)
Unaffected: 6.1.16 , ≤ 6.1.* (semver)
Unaffected: 6.2.3 , ≤ 6.2.* (semver)
Unaffected: 6.3 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "virt/kvm/coalesced_mmio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "10c2a20d73e99463e69b7e92706791656adc16d7",
              "status": "affected",
              "version": "7d1bc32d6477ff96a32695ea4be8144e4513ab2d",
              "versionType": "git"
            },
            {
              "lessThan": "76a9886e1b61ce5592df5ae78a19ed30399ae189",
              "status": "affected",
              "version": "2a20592baff59c5351c5200ec667e1a2aa22af85",
              "versionType": "git"
            },
            {
              "lessThan": "999439fd5da5a76253e2f2c37b94204f47d75491",
              "status": "affected",
              "version": "5d3c4c79384af06e3c8e25b7770b6247496b4417",
              "versionType": "git"
            },
            {
              "lessThan": "ccf6a7fb1aedb1472e1241ee55e4d26b68f8d066",
              "status": "affected",
              "version": "5d3c4c79384af06e3c8e25b7770b6247496b4417",
              "versionType": "git"
            },
            {
              "lessThan": "fb436dd6914325075f07d19851ab277b7a693ae7",
              "status": "affected",
              "version": "5d3c4c79384af06e3c8e25b7770b6247496b4417",
              "versionType": "git"
            },
            {
              "lessThan": "b1cb1fac22abf102ffeb29dd3eeca208a3869d54",
              "status": "affected",
              "version": "5d3c4c79384af06e3c8e25b7770b6247496b4417",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "168e82f640ed1891a700bdb43e37da354b2ab63c",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "50cbad42bfea8c052b7ca590bd4126cdc898713c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "virt/kvm/coalesced_mmio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.173",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.2.*",
              "status": "unaffected",
              "version": "6.2.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.235",
                  "versionStartIncluding": "5.4.119",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.173",
                  "versionStartIncluding": "5.10.37",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.99",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.16",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2.3",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.11.21",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.12.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Destroy target device if coalesced MMIO unregistration fails\n\nDestroy and free the target coalesced MMIO device if unregistering said\ndevice fails.  As clearly noted in the code, kvm_io_bus_unregister_dev()\ndoes not destroy the target device.\n\n  BUG: memory leak\n  unreferenced object 0xffff888112a54880 (size 64):\n    comm \"syz-executor.2\", pid 5258, jiffies 4297861402 (age 14.129s)\n    hex dump (first 32 bytes):\n      38 c7 67 15 00 c9 ff ff 38 c7 67 15 00 c9 ff ff  8.g.....8.g.....\n      e0 c7 e1 83 ff ff ff ff 00 30 67 15 00 c9 ff ff  .........0g.....\n    backtrace:\n      [\u003c0000000006995a8a\u003e] kmalloc include/linux/slab.h:556 [inline]\n      [\u003c0000000006995a8a\u003e] kzalloc include/linux/slab.h:690 [inline]\n      [\u003c0000000006995a8a\u003e] kvm_vm_ioctl_register_coalesced_mmio+0x8e/0x3d0 arch/x86/kvm/../../../virt/kvm/coalesced_mmio.c:150\n      [\u003c00000000022550c2\u003e] kvm_vm_ioctl+0x47d/0x1600 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3323\n      [\u003c000000008a75102f\u003e] vfs_ioctl fs/ioctl.c:46 [inline]\n      [\u003c000000008a75102f\u003e] file_ioctl fs/ioctl.c:509 [inline]\n      [\u003c000000008a75102f\u003e] do_vfs_ioctl+0xbab/0x1160 fs/ioctl.c:696\n      [\u003c0000000080e3f669\u003e] ksys_ioctl+0x76/0xa0 fs/ioctl.c:713\n      [\u003c0000000059ef4888\u003e] __do_sys_ioctl fs/ioctl.c:720 [inline]\n      [\u003c0000000059ef4888\u003e] __se_sys_ioctl fs/ioctl.c:718 [inline]\n      [\u003c0000000059ef4888\u003e] __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:718\n      [\u003c000000006444fa05\u003e] do_syscall_64+0x9f/0x4e0 arch/x86/entry/common.c:290\n      [\u003c000000009a4ed50b\u003e] entry_SYSCALL_64_after_hwframe+0x49/0xbe\n\n  BUG: leak checking failed"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-24T10:55:53.718Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/10c2a20d73e99463e69b7e92706791656adc16d7"
        },
        {
          "url": "https://git.kernel.org/stable/c/76a9886e1b61ce5592df5ae78a19ed30399ae189"
        },
        {
          "url": "https://git.kernel.org/stable/c/999439fd5da5a76253e2f2c37b94204f47d75491"
        },
        {
          "url": "https://git.kernel.org/stable/c/ccf6a7fb1aedb1472e1241ee55e4d26b68f8d066"
        },
        {
          "url": "https://git.kernel.org/stable/c/fb436dd6914325075f07d19851ab277b7a693ae7"
        },
        {
          "url": "https://git.kernel.org/stable/c/b1cb1fac22abf102ffeb29dd3eeca208a3869d54"
        }
      ],
      "title": "KVM: Destroy target device if coalesced MMIO unregistration fails",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-54024",
    "datePublished": "2025-12-24T10:55:53.718Z",
    "dateReserved": "2025-12-24T10:53:46.179Z",
    "dateUpdated": "2025-12-24T10:55:53.718Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68305 (GCVE-0-2025-68305)

Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06

Title

Bluetooth: hci_sock: Prevent race in socket write iter and sock bind

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sock: Prevent race in socket write iter and sock bind There is a potential race condition between sock bind and socket write iter. bind may free the same cmd via mgmt_pending before write iter sends the cmd, just as syzbot reported in UAF[1]. Here we use hci_dev_lock to synchronize the two, thereby avoiding the UAF mentioned in [1]. [1] syzbot reported: BUG: KASAN: slab-use-after-free in mgmt_pending_remove+0x3b/0x210 net/bluetooth/mgmt_util.c:316 Read of size 8 at addr ffff888077164818 by task syz.0.17/5989 Call Trace: mgmt_pending_remove+0x3b/0x210 net/bluetooth/mgmt_util.c:316 set_link_security+0x5c2/0x710 net/bluetooth/mgmt.c:1918 hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719 hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:742 sock_write_iter+0x279/0x360 net/socket.c:1195 Allocated by task 5989: mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296 set_link_security+0x557/0x710 net/bluetooth/mgmt.c:1910 hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719 hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:742 sock_write_iter+0x279/0x360 net/socket.c:1195 Freed by task 5991: mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline] mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257 mgmt_index_removed+0x112/0x2f0 net/bluetooth/mgmt.c:9477 hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/fe68510fc99bb4b88…
	https://git.kernel.org/stable/c/e90c05fc5bbea9564…
	https://git.kernel.org/stable/c/69fcb0344bc0dd5b1…
	https://git.kernel.org/stable/c/89bb613511cc21ed5…

Impacted products

Vendor

Product

Version

Linux

Affected: bdd56875c6926d8009914f427df71797693e90d4 , < fe68510fc99bb4b88c9c611f83699749002d515a (git)
Affected: 4e83f2dbb2bf677e614109df24426c4dded472d4 , < e90c05fc5bbea956450a05cc3b36b8fa29cf195e (git)
Affected: 6fe26f694c824b8a4dbf50c635bee1302e3f099c , < 69fcb0344bc0dd5b13d7e4e98f8b6bf25a6d4ff7 (git)
Affected: 6fe26f694c824b8a4dbf50c635bee1302e3f099c , < 89bb613511cc21ed5ba6bddc1c9b9ae9c0dad392 (git)
Affected: d7882db79135c829a922daf3571f33ea1e056ae3 (git)

Linux

Affected: 6.16
Unaffected: 0 , < 6.16 (semver)
Unaffected: 6.6.119 , ≤ 6.6.* (semver)
Unaffected: 6.12.61 , ≤ 6.12.* (semver)
Unaffected: 6.17.11 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/hci_sock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fe68510fc99bb4b88c9c611f83699749002d515a",
              "status": "affected",
              "version": "bdd56875c6926d8009914f427df71797693e90d4",
              "versionType": "git"
            },
            {
              "lessThan": "e90c05fc5bbea956450a05cc3b36b8fa29cf195e",
              "status": "affected",
              "version": "4e83f2dbb2bf677e614109df24426c4dded472d4",
              "versionType": "git"
            },
            {
              "lessThan": "69fcb0344bc0dd5b13d7e4e98f8b6bf25a6d4ff7",
              "status": "affected",
              "version": "6fe26f694c824b8a4dbf50c635bee1302e3f099c",
              "versionType": "git"
            },
            {
              "lessThan": "89bb613511cc21ed5ba6bddc1c9b9ae9c0dad392",
              "status": "affected",
              "version": "6fe26f694c824b8a4dbf50c635bee1302e3f099c",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d7882db79135c829a922daf3571f33ea1e056ae3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/hci_sock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.16"
            },
            {
              "lessThan": "6.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.119",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.119",
                  "versionStartIncluding": "6.6.94",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.61",
                  "versionStartIncluding": "6.12.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.11",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.15.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sock: Prevent race in socket write iter and sock bind\n\nThere is a potential race condition between sock bind and socket write\niter. bind may free the same cmd via mgmt_pending before write iter sends\nthe cmd, just as syzbot reported in UAF[1].\n\nHere we use hci_dev_lock to synchronize the two, thereby avoiding the\nUAF mentioned in [1].\n\n[1]\nsyzbot reported:\nBUG: KASAN: slab-use-after-free in mgmt_pending_remove+0x3b/0x210 net/bluetooth/mgmt_util.c:316\nRead of size 8 at addr ffff888077164818 by task syz.0.17/5989\nCall Trace:\n mgmt_pending_remove+0x3b/0x210 net/bluetooth/mgmt_util.c:316\n set_link_security+0x5c2/0x710 net/bluetooth/mgmt.c:1918\n hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719\n hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg+0x21c/0x270 net/socket.c:742\n sock_write_iter+0x279/0x360 net/socket.c:1195\n\nAllocated by task 5989:\n mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296\n set_link_security+0x557/0x710 net/bluetooth/mgmt.c:1910\n hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719\n hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839\n sock_sendmsg_nosec net/socket.c:727 [inline]\n __sock_sendmsg+0x21c/0x270 net/socket.c:742\n sock_write_iter+0x279/0x360 net/socket.c:1195\n\nFreed by task 5991:\n mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline]\n mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257\n mgmt_index_removed+0x112/0x2f0 net/bluetooth/mgmt.c:9477\n hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T15:06:22.812Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fe68510fc99bb4b88c9c611f83699749002d515a"
        },
        {
          "url": "https://git.kernel.org/stable/c/e90c05fc5bbea956450a05cc3b36b8fa29cf195e"
        },
        {
          "url": "https://git.kernel.org/stable/c/69fcb0344bc0dd5b13d7e4e98f8b6bf25a6d4ff7"
        },
        {
          "url": "https://git.kernel.org/stable/c/89bb613511cc21ed5ba6bddc1c9b9ae9c0dad392"
        }
      ],
      "title": "Bluetooth: hci_sock: Prevent race in socket write iter and sock bind",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68305",
    "datePublished": "2025-12-16T15:06:22.812Z",
    "dateReserved": "2025-12-16T14:48:05.294Z",
    "dateUpdated": "2025-12-16T15:06:22.812Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40282 (GCVE-0-2025-40282)

Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2025-12-06 21:51

Title

Bluetooth: 6lowpan: reset link-local header on ipv6 recv path

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: 6lowpan: reset link-local header on ipv6 recv path Bluetooth 6lowpan.c netdev has header_ops, so it must set link-local header for RX skb, otherwise things crash, eg. with AF_PACKET SOCK_RAW Add missing skb_reset_mac_header() for uncompressed ipv6 RX path. For the compressed one, it is done in lowpan_header_decompress(). Log: (BlueZ 6lowpan-tester Client Recv Raw - Success) ------ kernel BUG at net/core/skbuff.c:212! Call Trace: <IRQ> ... packet_rcv (net/packet/af_packet.c:2152) ... <TASK> __local_bh_enable_ip (kernel/softirq.c:407) netif_rx (net/core/dev.c:5648) chan_recv_cb (net/bluetooth/6lowpan.c:294 net/bluetooth/6lowpan.c:359) ------

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ea46a1d217bc82e01…
	https://git.kernel.org/stable/c/973e0271754c77db3…
	https://git.kernel.org/stable/c/d566e9a2bfc848941…
	https://git.kernel.org/stable/c/4ebb90c3c309e6375…
	https://git.kernel.org/stable/c/c24ac6cfe4f9a4718…
	https://git.kernel.org/stable/c/11cd7e068381666f8…
	https://git.kernel.org/stable/c/70d84e7c3a44b8102…
	https://git.kernel.org/stable/c/3b78f50918276ab28…

Impacted products

Vendor

Product

Version

Linux

Affected: 18722c247023035b9e2e2a08a887adec2a9a6e49 , < ea46a1d217bc82e01cf3d0424e50ebfe251e34bf (git)
Affected: 18722c247023035b9e2e2a08a887adec2a9a6e49 , < 973e0271754c77db3e1b6b69adf2de85a79a4c8b (git)
Affected: 18722c247023035b9e2e2a08a887adec2a9a6e49 , < d566e9a2bfc848941b091ffd5f4e12c4e889d818 (git)
Affected: 18722c247023035b9e2e2a08a887adec2a9a6e49 , < 4ebb90c3c309e6375dc3e841af92e2a039843e62 (git)
Affected: 18722c247023035b9e2e2a08a887adec2a9a6e49 , < c24ac6cfe4f9a47180a65592c47e7a310d2f9d93 (git)
Affected: 18722c247023035b9e2e2a08a887adec2a9a6e49 , < 11cd7e068381666f842ad41d1cc58eecd0c75237 (git)
Affected: 18722c247023035b9e2e2a08a887adec2a9a6e49 , < 70d84e7c3a44b81020a3c3d650a64c63593405bd (git)
Affected: 18722c247023035b9e2e2a08a887adec2a9a6e49 , < 3b78f50918276ab28fb22eac9aa49401ac436a3b (git)

Linux

Affected: 3.14
Unaffected: 0 , < 3.14 (semver)
Unaffected: 5.4.302 , ≤ 5.4.* (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.59 , ≤ 6.12.* (semver)
Unaffected: 6.17.9 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/6lowpan.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ea46a1d217bc82e01cf3d0424e50ebfe251e34bf",
              "status": "affected",
              "version": "18722c247023035b9e2e2a08a887adec2a9a6e49",
              "versionType": "git"
            },
            {
              "lessThan": "973e0271754c77db3e1b6b69adf2de85a79a4c8b",
              "status": "affected",
              "version": "18722c247023035b9e2e2a08a887adec2a9a6e49",
              "versionType": "git"
            },
            {
              "lessThan": "d566e9a2bfc848941b091ffd5f4e12c4e889d818",
              "status": "affected",
              "version": "18722c247023035b9e2e2a08a887adec2a9a6e49",
              "versionType": "git"
            },
            {
              "lessThan": "4ebb90c3c309e6375dc3e841af92e2a039843e62",
              "status": "affected",
              "version": "18722c247023035b9e2e2a08a887adec2a9a6e49",
              "versionType": "git"
            },
            {
              "lessThan": "c24ac6cfe4f9a47180a65592c47e7a310d2f9d93",
              "status": "affected",
              "version": "18722c247023035b9e2e2a08a887adec2a9a6e49",
              "versionType": "git"
            },
            {
              "lessThan": "11cd7e068381666f842ad41d1cc58eecd0c75237",
              "status": "affected",
              "version": "18722c247023035b9e2e2a08a887adec2a9a6e49",
              "versionType": "git"
            },
            {
              "lessThan": "70d84e7c3a44b81020a3c3d650a64c63593405bd",
              "status": "affected",
              "version": "18722c247023035b9e2e2a08a887adec2a9a6e49",
              "versionType": "git"
            },
            {
              "lessThan": "3b78f50918276ab28fb22eac9aa49401ac436a3b",
              "status": "affected",
              "version": "18722c247023035b9e2e2a08a887adec2a9a6e49",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/6lowpan.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.14"
            },
            {
              "lessThan": "3.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.302",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.302",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "3.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: 6lowpan: reset link-local header on ipv6 recv path\n\nBluetooth 6lowpan.c netdev has header_ops, so it must set link-local\nheader for RX skb, otherwise things crash, eg. with AF_PACKET SOCK_RAW\n\nAdd missing skb_reset_mac_header() for uncompressed ipv6 RX path.\n\nFor the compressed one, it is done in lowpan_header_decompress().\n\nLog: (BlueZ 6lowpan-tester Client Recv Raw - Success)\n------\nkernel BUG at net/core/skbuff.c:212!\nCall Trace:\n\u003cIRQ\u003e\n...\npacket_rcv (net/packet/af_packet.c:2152)\n...\n\u003cTASK\u003e\n__local_bh_enable_ip (kernel/softirq.c:407)\nnetif_rx (net/core/dev.c:5648)\nchan_recv_cb (net/bluetooth/6lowpan.c:294 net/bluetooth/6lowpan.c:359)\n------"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-06T21:51:06.287Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ea46a1d217bc82e01cf3d0424e50ebfe251e34bf"
        },
        {
          "url": "https://git.kernel.org/stable/c/973e0271754c77db3e1b6b69adf2de85a79a4c8b"
        },
        {
          "url": "https://git.kernel.org/stable/c/d566e9a2bfc848941b091ffd5f4e12c4e889d818"
        },
        {
          "url": "https://git.kernel.org/stable/c/4ebb90c3c309e6375dc3e841af92e2a039843e62"
        },
        {
          "url": "https://git.kernel.org/stable/c/c24ac6cfe4f9a47180a65592c47e7a310d2f9d93"
        },
        {
          "url": "https://git.kernel.org/stable/c/11cd7e068381666f842ad41d1cc58eecd0c75237"
        },
        {
          "url": "https://git.kernel.org/stable/c/70d84e7c3a44b81020a3c3d650a64c63593405bd"
        },
        {
          "url": "https://git.kernel.org/stable/c/3b78f50918276ab28fb22eac9aa49401ac436a3b"
        }
      ],
      "title": "Bluetooth: 6lowpan: reset link-local header on ipv6 recv path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40282",
    "datePublished": "2025-12-06T21:51:06.287Z",
    "dateReserved": "2025-04-16T07:20:57.184Z",
    "dateUpdated": "2025-12-06T21:51:06.287Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39880 (GCVE-0-2025-39880)

Vulnerability from cvelistv5 – Published: 2025-09-23 06:00 – Updated: 2025-11-03 17:44

Title

libceph: fix invalid accesses to ceph_connection_v1_info

Summary

In the Linux kernel, the following vulnerability has been resolved: libceph: fix invalid accesses to ceph_connection_v1_info There is a place where generic code in messenger.c is reading and another place where it is writing to con->v1 union member without checking that the union member is active (i.e. msgr1 is in use). On 64-bit systems, con->v1.auth_retry overlaps with con->v2.out_iter, so such a read is almost guaranteed to return a bogus value instead of 0 when msgr2 is in use. This ends up being fairly benign because the side effect is just the invalidation of the authorizer and successive fetching of new tickets. con->v1.connect_seq overlaps with con->v2.conn_bufs and the fact that it's being written to can cause more serious consequences, but luckily it's not something that happens often.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ea12ab684f8ae8a6d…
	https://git.kernel.org/stable/c/591ea9c30737663a4…
	https://git.kernel.org/stable/c/23538cfbeed87159a…
	https://git.kernel.org/stable/c/35dbbc3dbf8bccb2d…
	https://git.kernel.org/stable/c/6bd8b56899be0b514…
	https://git.kernel.org/stable/c/cdbc9836c7afadad6…

Impacted products

Vendor

Product

Version

Linux

Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < ea12ab684f8ae8a6da11a22c78d94a79e2163096 (git)
Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 591ea9c30737663a471b2bb07b27ddde86b020d5 (git)
Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 23538cfbeed87159a5ac6c61e7a6de3d8d4486a8 (git)
Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 35dbbc3dbf8bccb2d77c68444f42c1e6d2d27983 (git)
Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < 6bd8b56899be0b514945f639a89ccafb8f8dfaef (git)
Affected: cd1a677cad994021b19665ed476aea63f5d54f31 , < cdbc9836c7afadad68f374791738f118263c5371 (git)

Linux

Affected: 5.11
Unaffected: 0 , < 5.11 (semver)
Unaffected: 5.15.194 , ≤ 5.15.* (semver)
Unaffected: 6.1.153 , ≤ 6.1.* (semver)
Unaffected: 6.6.107 , ≤ 6.6.* (semver)
Unaffected: 6.12.48 , ≤ 6.12.* (semver)
Unaffected: 6.16.8 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:44:22.996Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ceph/messenger.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ea12ab684f8ae8a6da11a22c78d94a79e2163096",
              "status": "affected",
              "version": "cd1a677cad994021b19665ed476aea63f5d54f31",
              "versionType": "git"
            },
            {
              "lessThan": "591ea9c30737663a471b2bb07b27ddde86b020d5",
              "status": "affected",
              "version": "cd1a677cad994021b19665ed476aea63f5d54f31",
              "versionType": "git"
            },
            {
              "lessThan": "23538cfbeed87159a5ac6c61e7a6de3d8d4486a8",
              "status": "affected",
              "version": "cd1a677cad994021b19665ed476aea63f5d54f31",
              "versionType": "git"
            },
            {
              "lessThan": "35dbbc3dbf8bccb2d77c68444f42c1e6d2d27983",
              "status": "affected",
              "version": "cd1a677cad994021b19665ed476aea63f5d54f31",
              "versionType": "git"
            },
            {
              "lessThan": "6bd8b56899be0b514945f639a89ccafb8f8dfaef",
              "status": "affected",
              "version": "cd1a677cad994021b19665ed476aea63f5d54f31",
              "versionType": "git"
            },
            {
              "lessThan": "cdbc9836c7afadad68f374791738f118263c5371",
              "status": "affected",
              "version": "cd1a677cad994021b19665ed476aea63f5d54f31",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ceph/messenger.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.11"
            },
            {
              "lessThan": "5.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.194",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.153",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.107",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.48",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.194",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.153",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.107",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.48",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.8",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: fix invalid accesses to ceph_connection_v1_info\n\nThere is a place where generic code in messenger.c is reading and\nanother place where it is writing to con-\u003ev1 union member without\nchecking that the union member is active (i.e. msgr1 is in use).\n\nOn 64-bit systems, con-\u003ev1.auth_retry overlaps with con-\u003ev2.out_iter,\nso such a read is almost guaranteed to return a bogus value instead of\n0 when msgr2 is in use.  This ends up being fairly benign because the\nside effect is just the invalidation of the authorizer and successive\nfetching of new tickets.\n\ncon-\u003ev1.connect_seq overlaps with con-\u003ev2.conn_bufs and the fact that\nit\u0027s being written to can cause more serious consequences, but luckily\nit\u0027s not something that happens often."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-02T13:26:21.835Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ea12ab684f8ae8a6da11a22c78d94a79e2163096"
        },
        {
          "url": "https://git.kernel.org/stable/c/591ea9c30737663a471b2bb07b27ddde86b020d5"
        },
        {
          "url": "https://git.kernel.org/stable/c/23538cfbeed87159a5ac6c61e7a6de3d8d4486a8"
        },
        {
          "url": "https://git.kernel.org/stable/c/35dbbc3dbf8bccb2d77c68444f42c1e6d2d27983"
        },
        {
          "url": "https://git.kernel.org/stable/c/6bd8b56899be0b514945f639a89ccafb8f8dfaef"
        },
        {
          "url": "https://git.kernel.org/stable/c/cdbc9836c7afadad68f374791738f118263c5371"
        }
      ],
      "title": "libceph: fix invalid accesses to ceph_connection_v1_info",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39880",
    "datePublished": "2025-09-23T06:00:49.897Z",
    "dateReserved": "2025-04-16T07:20:57.144Z",
    "dateUpdated": "2025-11-03T17:44:22.996Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68290 (GCVE-0-2025-68290)

Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06

Title

most: usb: fix double free on late probe failure

Summary

In the Linux kernel, the following vulnerability has been resolved: most: usb: fix double free on late probe failure The MOST subsystem has a non-standard registration function which frees the interface on registration failures and on deregistration. This unsurprisingly leads to bugs in the MOST drivers, and a couple of recent changes turned a reference underflow and use-after-free in the USB driver into several double free and a use-after-free on late probe failures.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/90e6ce2b1b19fb8b9…
	https://git.kernel.org/stable/c/a4c4118c2af284835…
	https://git.kernel.org/stable/c/0dece48660be16918…
	https://git.kernel.org/stable/c/993bfdc3842893c39…
	https://git.kernel.org/stable/c/2274767dc02b756b2…
	https://git.kernel.org/stable/c/8d8ffefe3d5d8b7b7…
	https://git.kernel.org/stable/c/baadf2a5c26e802a4…

Impacted products

Vendor

Product

Version

Linux

Affected: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c , < 90e6ce2b1b19fb8b9d4afee69f40e4c6a4791154 (git)
Affected: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c , < a4c4118c2af284835b16431bbfe77e0130c06fef (git)
Affected: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c , < 0dece48660be16918ecf2dbdc7193e8be03e1693 (git)
Affected: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c , < 993bfdc3842893c394de13c8200c338ebb979589 (git)
Affected: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c , < 2274767dc02b756b25e3db1e31c0ed47c2a78442 (git)
Affected: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c , < 8d8ffefe3d5d8b7b73efb866db61130107299c5c (git)
Affected: 723de0f9171eeb49a3ae98cae82ebbbb992b3a7c , < baadf2a5c26e802a46573eaad331b427b49aaa36 (git)

Linux

Affected: 5.6
Unaffected: 0 , < 5.6 (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.119 , ≤ 6.6.* (semver)
Unaffected: 6.12.61 , ≤ 6.12.* (semver)
Unaffected: 6.17.11 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/most/most_usb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "90e6ce2b1b19fb8b9d4afee69f40e4c6a4791154",
              "status": "affected",
              "version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
              "versionType": "git"
            },
            {
              "lessThan": "a4c4118c2af284835b16431bbfe77e0130c06fef",
              "status": "affected",
              "version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
              "versionType": "git"
            },
            {
              "lessThan": "0dece48660be16918ecf2dbdc7193e8be03e1693",
              "status": "affected",
              "version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
              "versionType": "git"
            },
            {
              "lessThan": "993bfdc3842893c394de13c8200c338ebb979589",
              "status": "affected",
              "version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
              "versionType": "git"
            },
            {
              "lessThan": "2274767dc02b756b25e3db1e31c0ed47c2a78442",
              "status": "affected",
              "version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
              "versionType": "git"
            },
            {
              "lessThan": "8d8ffefe3d5d8b7b73efb866db61130107299c5c",
              "status": "affected",
              "version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
              "versionType": "git"
            },
            {
              "lessThan": "baadf2a5c26e802a46573eaad331b427b49aaa36",
              "status": "affected",
              "version": "723de0f9171eeb49a3ae98cae82ebbbb992b3a7c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/most/most_usb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.6"
            },
            {
              "lessThan": "5.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.119",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.119",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.61",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.11",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmost: usb: fix double free on late probe failure\n\nThe MOST subsystem has a non-standard registration function which frees\nthe interface on registration failures and on deregistration.\n\nThis unsurprisingly leads to bugs in the MOST drivers, and a couple of\nrecent changes turned a reference underflow and use-after-free in the\nUSB driver into several double free and a use-after-free on late probe\nfailures."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T15:06:11.202Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/90e6ce2b1b19fb8b9d4afee69f40e4c6a4791154"
        },
        {
          "url": "https://git.kernel.org/stable/c/a4c4118c2af284835b16431bbfe77e0130c06fef"
        },
        {
          "url": "https://git.kernel.org/stable/c/0dece48660be16918ecf2dbdc7193e8be03e1693"
        },
        {
          "url": "https://git.kernel.org/stable/c/993bfdc3842893c394de13c8200c338ebb979589"
        },
        {
          "url": "https://git.kernel.org/stable/c/2274767dc02b756b25e3db1e31c0ed47c2a78442"
        },
        {
          "url": "https://git.kernel.org/stable/c/8d8ffefe3d5d8b7b73efb866db61130107299c5c"
        },
        {
          "url": "https://git.kernel.org/stable/c/baadf2a5c26e802a46573eaad331b427b49aaa36"
        }
      ],
      "title": "most: usb: fix double free on late probe failure",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68290",
    "datePublished": "2025-12-16T15:06:11.202Z",
    "dateReserved": "2025-12-16T14:48:05.292Z",
    "dateUpdated": "2025-12-16T15:06:11.202Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68293 (GCVE-0-2025-68293)

Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06

Title

mm/huge_memory: fix NULL pointer deference when splitting folio

Summary

In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: fix NULL pointer deference when splitting folio Commit c010d47f107f ("mm: thp: split huge page to any lower order pages") introduced an early check on the folio's order via mapping->flags before proceeding with the split work. This check introduced a bug: for shmem folios in the swap cache and truncated folios, the mapping pointer can be NULL. Accessing mapping->flags in this state leads directly to a NULL pointer dereference. This commit fixes the issue by moving the check for mapping != NULL before any attempt to access mapping->flags.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/592db83615a9f0164…
	https://git.kernel.org/stable/c/d1b83fbacd4397a1d…
	https://git.kernel.org/stable/c/cff47b9e39a6abf03…

Impacted products

Vendor

Product

Version

Linux

Affected: c010d47f107f609b9f4d6a103b6dfc53889049e9 , < 592db83615a9f0164472ec789c2ed34ad35f732f (git)
Affected: c010d47f107f609b9f4d6a103b6dfc53889049e9 , < d1b83fbacd4397a1d2f8c6b13427a8636ae2b307 (git)
Affected: c010d47f107f609b9f4d6a103b6dfc53889049e9 , < cff47b9e39a6abf03dde5f4f156f841b0c54bba0 (git)

Linux

Affected: 6.9
Unaffected: 0 , < 6.9 (semver)
Unaffected: 6.12.61 , ≤ 6.12.* (semver)
Unaffected: 6.17.11 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/huge_memory.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "592db83615a9f0164472ec789c2ed34ad35f732f",
              "status": "affected",
              "version": "c010d47f107f609b9f4d6a103b6dfc53889049e9",
              "versionType": "git"
            },
            {
              "lessThan": "d1b83fbacd4397a1d2f8c6b13427a8636ae2b307",
              "status": "affected",
              "version": "c010d47f107f609b9f4d6a103b6dfc53889049e9",
              "versionType": "git"
            },
            {
              "lessThan": "cff47b9e39a6abf03dde5f4f156f841b0c54bba0",
              "status": "affected",
              "version": "c010d47f107f609b9f4d6a103b6dfc53889049e9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/huge_memory.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.61",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.11",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: fix NULL pointer deference when splitting folio\n\nCommit c010d47f107f (\"mm: thp: split huge page to any lower order pages\")\nintroduced an early check on the folio\u0027s order via mapping-\u003eflags before\nproceeding with the split work.\n\nThis check introduced a bug: for shmem folios in the swap cache and\ntruncated folios, the mapping pointer can be NULL.  Accessing\nmapping-\u003eflags in this state leads directly to a NULL pointer dereference.\n\nThis commit fixes the issue by moving the check for mapping != NULL before\nany attempt to access mapping-\u003eflags."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T15:06:13.428Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/592db83615a9f0164472ec789c2ed34ad35f732f"
        },
        {
          "url": "https://git.kernel.org/stable/c/d1b83fbacd4397a1d2f8c6b13427a8636ae2b307"
        },
        {
          "url": "https://git.kernel.org/stable/c/cff47b9e39a6abf03dde5f4f156f841b0c54bba0"
        }
      ],
      "title": "mm/huge_memory: fix NULL pointer deference when splitting folio",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68293",
    "datePublished": "2025-12-16T15:06:13.428Z",
    "dateReserved": "2025-12-16T14:48:05.292Z",
    "dateUpdated": "2025-12-16T15:06:13.428Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68284 (GCVE-0-2025-68284)

Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2026-01-02 15:34

Title

libceph: prevent potential out-of-bounds writes in handle_auth_session_key()

Summary

In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds writes in handle_auth_session_key() The len field originates from untrusted network packets. Boundary checks have been added to prevent potential out-of-bounds writes when decrypting the connection secret or processing service tickets. [ idryomov: changelog ]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f22c55a20a2d9ffbb…
	https://git.kernel.org/stable/c/8dfcc56af28cffb8f…
	https://git.kernel.org/stable/c/ccbccfba25e9aa395…
	https://git.kernel.org/stable/c/5ef575834ca99f719…
	https://git.kernel.org/stable/c/6920ff09bf911bc91…
	https://git.kernel.org/stable/c/7fce830ecd0a02565…

Impacted products

Vendor

Product

Version

Linux

Affected: 285ea34fc876aa0a2c5e65d310c4a41269e2e5f2 , < f22c55a20a2d9ffbbac57408d5d488cef8201e9d (git)
Affected: 285ea34fc876aa0a2c5e65d310c4a41269e2e5f2 , < 8dfcc56af28cffb8f25fb9be37b3acc61f2a3d09 (git)
Affected: 285ea34fc876aa0a2c5e65d310c4a41269e2e5f2 , < ccbccfba25e9aa395daaea156b5e7790910054c4 (git)
Affected: 285ea34fc876aa0a2c5e65d310c4a41269e2e5f2 , < 5ef575834ca99f719d7573cdece9df2fe2b72424 (git)
Affected: 285ea34fc876aa0a2c5e65d310c4a41269e2e5f2 , < 6920ff09bf911bc919cd7a6b7176fbdd1a6e6850 (git)
Affected: 285ea34fc876aa0a2c5e65d310c4a41269e2e5f2 , < 7fce830ecd0a0256590ee37eb65a39cbad3d64fc (git)

Linux

Affected: 5.11
Unaffected: 0 , < 5.11 (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.119 , ≤ 6.6.* (semver)
Unaffected: 6.12.61 , ≤ 6.12.* (semver)
Unaffected: 6.17.11 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ceph/auth_x.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f22c55a20a2d9ffbbac57408d5d488cef8201e9d",
              "status": "affected",
              "version": "285ea34fc876aa0a2c5e65d310c4a41269e2e5f2",
              "versionType": "git"
            },
            {
              "lessThan": "8dfcc56af28cffb8f25fb9be37b3acc61f2a3d09",
              "status": "affected",
              "version": "285ea34fc876aa0a2c5e65d310c4a41269e2e5f2",
              "versionType": "git"
            },
            {
              "lessThan": "ccbccfba25e9aa395daaea156b5e7790910054c4",
              "status": "affected",
              "version": "285ea34fc876aa0a2c5e65d310c4a41269e2e5f2",
              "versionType": "git"
            },
            {
              "lessThan": "5ef575834ca99f719d7573cdece9df2fe2b72424",
              "status": "affected",
              "version": "285ea34fc876aa0a2c5e65d310c4a41269e2e5f2",
              "versionType": "git"
            },
            {
              "lessThan": "6920ff09bf911bc919cd7a6b7176fbdd1a6e6850",
              "status": "affected",
              "version": "285ea34fc876aa0a2c5e65d310c4a41269e2e5f2",
              "versionType": "git"
            },
            {
              "lessThan": "7fce830ecd0a0256590ee37eb65a39cbad3d64fc",
              "status": "affected",
              "version": "285ea34fc876aa0a2c5e65d310c4a41269e2e5f2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ceph/auth_x.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.11"
            },
            {
              "lessThan": "5.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.119",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.119",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.61",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.11",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: prevent potential out-of-bounds writes in handle_auth_session_key()\n\nThe len field originates from untrusted network packets. Boundary\nchecks have been added to prevent potential out-of-bounds writes when\ndecrypting the connection secret or processing service tickets.\n\n[ idryomov: changelog ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:34:48.915Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f22c55a20a2d9ffbbac57408d5d488cef8201e9d"
        },
        {
          "url": "https://git.kernel.org/stable/c/8dfcc56af28cffb8f25fb9be37b3acc61f2a3d09"
        },
        {
          "url": "https://git.kernel.org/stable/c/ccbccfba25e9aa395daaea156b5e7790910054c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/5ef575834ca99f719d7573cdece9df2fe2b72424"
        },
        {
          "url": "https://git.kernel.org/stable/c/6920ff09bf911bc919cd7a6b7176fbdd1a6e6850"
        },
        {
          "url": "https://git.kernel.org/stable/c/7fce830ecd0a0256590ee37eb65a39cbad3d64fc"
        }
      ],
      "title": "libceph: prevent potential out-of-bounds writes in handle_auth_session_key()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68284",
    "datePublished": "2025-12-16T15:06:06.235Z",
    "dateReserved": "2025-12-16T14:48:05.292Z",
    "dateUpdated": "2026-01-02T15:34:48.915Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-49288 (GCVE-0-2022-49288)

Vulnerability from cvelistv5 – Published: 2025-02-26 01:56 – Updated: 2025-12-23 13:23

Title

ALSA: pcm: Fix races among concurrent prealloc proc writes

Summary

In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Fix races among concurrent prealloc proc writes We have no protection against concurrent PCM buffer preallocation changes via proc files, and it may potentially lead to UAF or some weird problem. This patch applies the PCM open_mutex to the proc write operation for avoiding the racy proc writes and the PCM stream open (and further operations).

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e7786c445bb67a9a6…
	https://git.kernel.org/stable/c/e14dca613e0a6ddc2…
	https://git.kernel.org/stable/c/37b12c16beb6f6c1c…
	https://git.kernel.org/stable/c/b560d670c87d7d40b…
	https://git.kernel.org/stable/c/51fce708ab8986a98…
	https://git.kernel.org/stable/c/a21d2f323b5a978de…
	https://git.kernel.org/stable/c/5ed8f8e3c4e59d039…
	https://git.kernel.org/stable/c/69534c48ba8ce552c…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e7786c445bb67a9a6e64f66ebd6b7215b153ff7d (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e14dca613e0a6ddc2bf6e360f16936a9f865205b (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 37b12c16beb6f6c1c3c678c1aacbc46525c250f7 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b560d670c87d7d40b3cf6949246fa4c7aa65a00a (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 51fce708ab8986a9879ee5da946a2cc120f1036d (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a21d2f323b5a978dedf9ff1d50f101f85e39b3f2 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5ed8f8e3c4e59d0396b9ccf2e639711e24295bb6 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 69534c48ba8ce552ce383b3dfdb271ffe51820c3 (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 4.14.279 , ≤ 4.14.* (semver)
Unaffected: 4.19.243 , ≤ 4.19.* (semver)
Unaffected: 5.4.193 , ≤ 5.4.* (semver)
Unaffected: 5.10.109 , ≤ 5.10.* (semver)
Unaffected: 5.15.32 , ≤ 5.15.* (semver)
Unaffected: 5.16.18 , ≤ 5.16.* (semver)
Unaffected: 5.17.1 , ≤ 5.17.* (semver)
Unaffected: 5.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-49288",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T17:58:50.352103Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:02:29.155Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/core/pcm_memory.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e7786c445bb67a9a6e64f66ebd6b7215b153ff7d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "e14dca613e0a6ddc2bf6e360f16936a9f865205b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "37b12c16beb6f6c1c3c678c1aacbc46525c250f7",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "b560d670c87d7d40b3cf6949246fa4c7aa65a00a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "51fce708ab8986a9879ee5da946a2cc120f1036d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a21d2f323b5a978dedf9ff1d50f101f85e39b3f2",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5ed8f8e3c4e59d0396b9ccf2e639711e24295bb6",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "69534c48ba8ce552ce383b3dfdb271ffe51820c3",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/core/pcm_memory.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.279",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.243",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.193",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.109",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.16.*",
              "status": "unaffected",
              "version": "5.16.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.17.*",
              "status": "unaffected",
              "version": "5.17.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.279",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.243",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.193",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.109",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.32",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.16.18",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.17.1",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: pcm: Fix races among concurrent prealloc proc writes\n\nWe have no protection against concurrent PCM buffer preallocation\nchanges via proc files, and it may potentially lead to UAF or some\nweird problem.  This patch applies the PCM open_mutex to the proc\nwrite operation for avoiding the racy proc writes and the PCM stream\nopen (and further operations)."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-23T13:23:03.986Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e7786c445bb67a9a6e64f66ebd6b7215b153ff7d"
        },
        {
          "url": "https://git.kernel.org/stable/c/e14dca613e0a6ddc2bf6e360f16936a9f865205b"
        },
        {
          "url": "https://git.kernel.org/stable/c/37b12c16beb6f6c1c3c678c1aacbc46525c250f7"
        },
        {
          "url": "https://git.kernel.org/stable/c/b560d670c87d7d40b3cf6949246fa4c7aa65a00a"
        },
        {
          "url": "https://git.kernel.org/stable/c/51fce708ab8986a9879ee5da946a2cc120f1036d"
        },
        {
          "url": "https://git.kernel.org/stable/c/a21d2f323b5a978dedf9ff1d50f101f85e39b3f2"
        },
        {
          "url": "https://git.kernel.org/stable/c/5ed8f8e3c4e59d0396b9ccf2e639711e24295bb6"
        },
        {
          "url": "https://git.kernel.org/stable/c/69534c48ba8ce552ce383b3dfdb271ffe51820c3"
        }
      ],
      "title": "ALSA: pcm: Fix races among concurrent prealloc proc writes",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49288",
    "datePublished": "2025-02-26T01:56:26.550Z",
    "dateReserved": "2025-02-26T01:49:39.302Z",
    "dateUpdated": "2025-12-23T13:23:03.986Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68343 (GCVE-0-2025-68343)

Vulnerability from cvelistv5 – Published: 2025-12-23 13:58 – Updated: 2025-12-23 13:58

Title

can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header

Summary

In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header The driver expects to receive a struct gs_host_frame in gs_usb_receive_bulk_callback(). Use struct_group to describe the header of the struct gs_host_frame and check that we have at least received the header before accessing any members of it. To resubmit the URB, do not dereference the pointer chain "dev->parent->hf_size_rx" but use "parent->hf_size_rx" instead. Since "urb->context" contains "parent", it is always defined, while "dev" is not defined if the URB it too short.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/18cbce43363c9f84b…
	https://git.kernel.org/stable/c/3433680b759646efc…
	https://git.kernel.org/stable/c/616eee3e895b8ca00…
	https://git.kernel.org/stable/c/f31693dc3a584c0ad…
	https://git.kernel.org/stable/c/6fe9f3279f7d25184…

Impacted products

Vendor

Product

Version

Linux

Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < 18cbce43363c9f84b90a92d57df341155eee0697 (git)
Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < 3433680b759646efcacc64fe36aa2e51ae34b8f0 (git)
Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < 616eee3e895b8ca0028163fcb1dce5e3e9dea322 (git)
Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < f31693dc3a584c0ad3937e857b59dbc1a7ed2b87 (git)
Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < 6fe9f3279f7d2518439a7962c5870c6e9ecbadcf (git)

Linux

Affected: 3.16
Unaffected: 0 , < 3.16 (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.119 , ≤ 6.6.* (semver)
Unaffected: 6.12.61 , ≤ 6.12.* (semver)
Unaffected: 6.17.11 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/can/usb/gs_usb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "18cbce43363c9f84b90a92d57df341155eee0697",
              "status": "affected",
              "version": "d08e973a77d128b25e01a08c34d89593fdf222da",
              "versionType": "git"
            },
            {
              "lessThan": "3433680b759646efcacc64fe36aa2e51ae34b8f0",
              "status": "affected",
              "version": "d08e973a77d128b25e01a08c34d89593fdf222da",
              "versionType": "git"
            },
            {
              "lessThan": "616eee3e895b8ca0028163fcb1dce5e3e9dea322",
              "status": "affected",
              "version": "d08e973a77d128b25e01a08c34d89593fdf222da",
              "versionType": "git"
            },
            {
              "lessThan": "f31693dc3a584c0ad3937e857b59dbc1a7ed2b87",
              "status": "affected",
              "version": "d08e973a77d128b25e01a08c34d89593fdf222da",
              "versionType": "git"
            },
            {
              "lessThan": "6fe9f3279f7d2518439a7962c5870c6e9ecbadcf",
              "status": "affected",
              "version": "d08e973a77d128b25e01a08c34d89593fdf222da",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/can/usb/gs_usb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.16"
            },
            {
              "lessThan": "3.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.119",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.119",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.61",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.11",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header\n\nThe driver expects to receive a struct gs_host_frame in\ngs_usb_receive_bulk_callback().\n\nUse struct_group to describe the header of the struct gs_host_frame and\ncheck that we have at least received the header before accessing any\nmembers of it.\n\nTo resubmit the URB, do not dereference the pointer chain\n\"dev-\u003eparent-\u003ehf_size_rx\" but use \"parent-\u003ehf_size_rx\" instead. Since\n\"urb-\u003econtext\" contains \"parent\", it is always defined, while \"dev\" is not\ndefined if the URB it too short."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-23T13:58:28.411Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/18cbce43363c9f84b90a92d57df341155eee0697"
        },
        {
          "url": "https://git.kernel.org/stable/c/3433680b759646efcacc64fe36aa2e51ae34b8f0"
        },
        {
          "url": "https://git.kernel.org/stable/c/616eee3e895b8ca0028163fcb1dce5e3e9dea322"
        },
        {
          "url": "https://git.kernel.org/stable/c/f31693dc3a584c0ad3937e857b59dbc1a7ed2b87"
        },
        {
          "url": "https://git.kernel.org/stable/c/6fe9f3279f7d2518439a7962c5870c6e9ecbadcf"
        }
      ],
      "title": "can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing header",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68343",
    "datePublished": "2025-12-23T13:58:28.411Z",
    "dateReserved": "2025-12-16T14:48:05.298Z",
    "dateUpdated": "2025-12-23T13:58:28.411Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68380 (GCVE-0-2025-68380)

Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-01-11 16:30

Title

wifi: ath11k: fix peer HE MCS assignment

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix peer HE MCS assignment In ath11k_wmi_send_peer_assoc_cmd(), peer's transmit MCS is sent to firmware as receive MCS while peer's receive MCS sent as transmit MCS, which goes against firmwire's definition. While connecting to a misbehaved AP that advertises 0xffff (meaning not supported) for 160 MHz transmit MCS map, firmware crashes due to 0xffff is assigned to he_mcs->rx_mcs_set field. Ext Tag: HE Capabilities [...] Supported HE-MCS and NSS Set [...] Rx and Tx MCS Maps 160 MHz [...] Tx HE-MCS Map 160 MHz: 0xffff Swap the assignment to fix this issue. As the HE rate control mask is meant to limit our own transmit MCS, it needs to go via he_mcs->rx_mcs_set field. With the aforementioned swapping done, change is needed as well to apply it to the peer's receive MCS. Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41 Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/92791290e4f6a1de2…
	https://git.kernel.org/stable/c/4304bd7a334e981f1…
	https://git.kernel.org/stable/c/097c870b91817779e…
	https://git.kernel.org/stable/c/381096a417b701989…
	https://git.kernel.org/stable/c/6b1a0da75932353f6…
	https://git.kernel.org/stable/c/4a013ca2d490c73c4…

Impacted products

Vendor

Product

Version

Linux

Affected: 61fe43e7216df6e9a912d831aafc7142fa20f280 , < 92791290e4f6a1de25d35af792ab8918a70737f6 (git)
Affected: 61fe43e7216df6e9a912d831aafc7142fa20f280 , < 4304bd7a334e981f189b9973056a58f84cc2b482 (git)
Affected: 61fe43e7216df6e9a912d831aafc7142fa20f280 , < 097c870b91817779e5a312c6539099a884b1fe2b (git)
Affected: 61fe43e7216df6e9a912d831aafc7142fa20f280 , < 381096a417b7019896e93e86f4c585c592bf98e2 (git)
Affected: 61fe43e7216df6e9a912d831aafc7142fa20f280 , < 6b1a0da75932353f66e710976ca85a7131f647ff (git)
Affected: 61fe43e7216df6e9a912d831aafc7142fa20f280 , < 4a013ca2d490c73c40588d62712ffaa432046a04 (git)

Linux

Affected: 5.16
Unaffected: 0 , < 5.16 (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.63 , ≤ 6.12.* (semver)
Unaffected: 6.17.13 , ≤ 6.17.* (semver)
Unaffected: 6.18.2 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath11k/mac.c",
            "drivers/net/wireless/ath/ath11k/wmi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "92791290e4f6a1de25d35af792ab8918a70737f6",
              "status": "affected",
              "version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
              "versionType": "git"
            },
            {
              "lessThan": "4304bd7a334e981f189b9973056a58f84cc2b482",
              "status": "affected",
              "version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
              "versionType": "git"
            },
            {
              "lessThan": "097c870b91817779e5a312c6539099a884b1fe2b",
              "status": "affected",
              "version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
              "versionType": "git"
            },
            {
              "lessThan": "381096a417b7019896e93e86f4c585c592bf98e2",
              "status": "affected",
              "version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
              "versionType": "git"
            },
            {
              "lessThan": "6b1a0da75932353f66e710976ca85a7131f647ff",
              "status": "affected",
              "version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
              "versionType": "git"
            },
            {
              "lessThan": "4a013ca2d490c73c40588d62712ffaa432046a04",
              "status": "affected",
              "version": "61fe43e7216df6e9a912d831aafc7142fa20f280",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath11k/mac.c",
            "drivers/net/wireless/ath/ath11k/wmi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.16"
            },
            {
              "lessThan": "5.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.63",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.63",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.13",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.2",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: fix peer HE MCS assignment\n\nIn ath11k_wmi_send_peer_assoc_cmd(), peer\u0027s transmit MCS is sent to\nfirmware as receive MCS while peer\u0027s receive MCS sent as transmit MCS,\nwhich goes against firmwire\u0027s definition.\n\nWhile connecting to a misbehaved AP that advertises 0xffff (meaning not\nsupported) for 160 MHz transmit MCS map, firmware crashes due to 0xffff\nis assigned to he_mcs-\u003erx_mcs_set field.\n\n\tExt Tag: HE Capabilities\n\t    [...]\n\t    Supported HE-MCS and NSS Set\n\t\t[...]\n\t        Rx and Tx MCS Maps 160 MHz\n\t\t    [...]\n\t            Tx HE-MCS Map 160 MHz: 0xffff\n\nSwap the assignment to fix this issue.\n\nAs the HE rate control mask is meant to limit our own transmit MCS, it\nneeds to go via he_mcs-\u003erx_mcs_set field. With the aforementioned swapping\ndone, change is needed as well to apply it to the peer\u0027s receive MCS.\n\nTested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41\nTested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-11T16:30:11.081Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/92791290e4f6a1de25d35af792ab8918a70737f6"
        },
        {
          "url": "https://git.kernel.org/stable/c/4304bd7a334e981f189b9973056a58f84cc2b482"
        },
        {
          "url": "https://git.kernel.org/stable/c/097c870b91817779e5a312c6539099a884b1fe2b"
        },
        {
          "url": "https://git.kernel.org/stable/c/381096a417b7019896e93e86f4c585c592bf98e2"
        },
        {
          "url": "https://git.kernel.org/stable/c/6b1a0da75932353f66e710976ca85a7131f647ff"
        },
        {
          "url": "https://git.kernel.org/stable/c/4a013ca2d490c73c40588d62712ffaa432046a04"
        }
      ],
      "title": "wifi: ath11k: fix peer HE MCS assignment",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68380",
    "datePublished": "2025-12-24T10:33:08.266Z",
    "dateReserved": "2025-12-16T14:48:05.311Z",
    "dateUpdated": "2026-01-11T16:30:11.081Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50700 (GCVE-0-2022-50700)

Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2026-01-02 15:03

Title

wifi: ath10k: Delay the unmapping of the buffer

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: ath10k: Delay the unmapping of the buffer On WCN3990, we are seeing a rare scenario where copy engine hardware is sending a copy complete interrupt to the host driver while still processing the buffer that the driver has sent, this is leading into an SMMU fault triggering kernel panic. This is happening on copy engine channel 3 (CE3) where the driver normally enqueues WMI commands to the firmware. Upon receiving a copy complete interrupt, host driver will immediately unmap and frees the buffer presuming that hardware has processed the buffer. In the issue case, upon receiving copy complete interrupt, host driver will unmap and free the buffer but since hardware is still accessing the buffer (which in this case got unmapped in parallel), SMMU hardware will trigger an SMMU fault resulting in a kernel panic. In order to avoid this, as a work around, add a delay before unmapping the copy engine source DMA buffer. This is conditionally done for WCN3990 and only for the CE3 channel where issue is seen. Below is the crash signature: wifi smmu error: kernel: [ 10.120965] arm-smmu 15000000.iommu: Unhandled context fault: fsr=0x402, iova=0x7fdfd8ac0, fsynr=0x500003,cbfrsynra=0xc1, cb=6 arm-smmu 15000000.iommu: Unhandled context fault:fsr=0x402, iova=0x7fe06fdc0, fsynr=0x710003, cbfrsynra=0xc1, cb=6 qcom-q6v5-mss 4080000.remoteproc: fatal error received: err_qdi.c:1040:EF:wlan_process:0x1:WLAN RT:0x2091: cmnos_thread.c:3998:Asserted in copy_engine.c:AXI_ERROR_DETECTED:2149 remoteproc remoteproc0: crash detected in 4080000.remoteproc: type fatal error <3> remoteproc remoteproc0: handling crash #1 in 4080000.remoteproc pc : __arm_lpae_unmap+0x500/0x514 lr : __arm_lpae_unmap+0x4bc/0x514 sp : ffffffc011ffb530 x29: ffffffc011ffb590 x28: 0000000000000000 x27: 0000000000000000 x26: 0000000000000004 x25: 0000000000000003 x24: ffffffc011ffb890 x23: ffffffa762ef9be0 x22: ffffffa77244ef00 x21: 0000000000000009 x20: 00000007fff7c000 x19: 0000000000000003 x18: 0000000000000000 x17: 0000000000000004 x16: ffffffd7a357d9f0 x15: 0000000000000000 x14: 00fd5d4fa7ffffff x13: 000000000000000e x12: 0000000000000000 x11: 00000000ffffffff x10: 00000000fffffe00 x9 : 000000000000017c x8 : 000000000000000c x7 : 0000000000000000 x6 : ffffffa762ef9000 x5 : 0000000000000003 x4 : 0000000000000004 x3 : 0000000000001000 x2 : 00000007fff7c000 x1 : ffffffc011ffb890 x0 : 0000000000000000 Call trace: __arm_lpae_unmap+0x500/0x514 __arm_lpae_unmap+0x4bc/0x514 __arm_lpae_unmap+0x4bc/0x514 arm_lpae_unmap_pages+0x78/0xa4 arm_smmu_unmap_pages+0x78/0x104 __iommu_unmap+0xc8/0x1e4 iommu_unmap_fast+0x38/0x48 __iommu_dma_unmap+0x84/0x104 iommu_dma_free+0x34/0x50 dma_free_attrs+0xa4/0xd0 ath10k_htt_rx_free+0xc4/0xf4 [ath10k_core] ath10k_core_stop+0x64/0x7c [ath10k_core] ath10k_halt+0x11c/0x180 [ath10k_core] ath10k_stop+0x54/0x94 [ath10k_core] drv_stop+0x48/0x1c8 [mac80211] ieee80211_do_open+0x638/0x77c [mac80211] ieee80211_open+0x48/0x5c [mac80211] __dev_open+0xb4/0x174 __dev_change_flags+0xc4/0x1dc dev_change_flags+0x3c/0x7c devinet_ioctl+0x2b4/0x580 inet_ioctl+0xb0/0x1b4 sock_do_ioctl+0x4c/0x16c compat_ifreq_ioctl+0x1cc/0x35c compat_sock_ioctl+0x110/0x2ac __arm64_compat_sys_ioctl+0xf4/0x3e0 el0_svc_common+0xb4/0x17c el0_svc_compat_handler+0x2c/0x58 el0_svc_compat+0x8/0x2c Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c4bedc3cda09d896c…
	https://git.kernel.org/stable/c/79a124b588aadb5a2…
	https://git.kernel.org/stable/c/acd4324e5f1f11351…

Impacted products

Vendor

Product

Version

Linux

Affected: d390509bdf501c9c8c6e61248e4bc9314c86d854 , < c4bedc3cda09d896c92adcdb6b62aa93b0c47a8a (git)
Affected: d390509bdf501c9c8c6e61248e4bc9314c86d854 , < 79a124b588aadb5a22695542778de14366ff3219 (git)
Affected: d390509bdf501c9c8c6e61248e4bc9314c86d854 , < acd4324e5f1f11351630234297f95076f0ac9a2f (git)

Linux

Affected: 4.18
Unaffected: 0 , < 4.18 (semver)
Unaffected: 6.0.16 , ≤ 6.0.* (semver)
Unaffected: 6.1.2 , ≤ 6.1.* (semver)
Unaffected: 6.2 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath10k/core.c",
            "drivers/net/wireless/ath/ath10k/htc.c",
            "drivers/net/wireless/ath/ath10k/hw.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c4bedc3cda09d896c92adcdb6b62aa93b0c47a8a",
              "status": "affected",
              "version": "d390509bdf501c9c8c6e61248e4bc9314c86d854",
              "versionType": "git"
            },
            {
              "lessThan": "79a124b588aadb5a22695542778de14366ff3219",
              "status": "affected",
              "version": "d390509bdf501c9c8c6e61248e4bc9314c86d854",
              "versionType": "git"
            },
            {
              "lessThan": "acd4324e5f1f11351630234297f95076f0ac9a2f",
              "status": "affected",
              "version": "d390509bdf501c9c8c6e61248e4bc9314c86d854",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath10k/core.c",
            "drivers/net/wireless/ath/ath10k/htc.c",
            "drivers/net/wireless/ath/ath10k/hw.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.18"
            },
            {
              "lessThan": "4.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.16",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.2",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath10k: Delay the unmapping of the buffer\n\nOn WCN3990, we are seeing a rare scenario where copy engine hardware is\nsending a copy complete interrupt to the host driver while still\nprocessing the buffer that the driver has sent, this is leading into an\nSMMU fault triggering kernel panic. This is happening on copy engine\nchannel 3 (CE3) where the driver normally enqueues WMI commands to the\nfirmware. Upon receiving a copy complete interrupt, host driver will\nimmediately unmap and frees the buffer presuming that hardware has\nprocessed the buffer. In the issue case, upon receiving copy complete\ninterrupt, host driver will unmap and free the buffer but since hardware\nis still accessing the buffer (which in this case got unmapped in\nparallel), SMMU hardware will trigger an SMMU fault resulting in a\nkernel panic.\n\nIn order to avoid this, as a work around, add a delay before unmapping\nthe copy engine source DMA buffer. This is conditionally done for\nWCN3990 and only for the CE3 channel where issue is seen.\n\nBelow is the crash signature:\n\nwifi smmu error: kernel: [ 10.120965] arm-smmu 15000000.iommu: Unhandled\ncontext fault: fsr=0x402, iova=0x7fdfd8ac0,\nfsynr=0x500003,cbfrsynra=0xc1, cb=6 arm-smmu 15000000.iommu: Unhandled\ncontext fault:fsr=0x402, iova=0x7fe06fdc0, fsynr=0x710003,\ncbfrsynra=0xc1, cb=6 qcom-q6v5-mss 4080000.remoteproc: fatal error\nreceived: err_qdi.c:1040:EF:wlan_process:0x1:WLAN RT:0x2091:\ncmnos_thread.c:3998:Asserted in copy_engine.c:AXI_ERROR_DETECTED:2149\nremoteproc remoteproc0: crash detected in\n4080000.remoteproc: type fatal error \u003c3\u003e remoteproc remoteproc0:\nhandling crash #1 in 4080000.remoteproc\n\npc : __arm_lpae_unmap+0x500/0x514\nlr : __arm_lpae_unmap+0x4bc/0x514\nsp : ffffffc011ffb530\nx29: ffffffc011ffb590 x28: 0000000000000000\nx27: 0000000000000000 x26: 0000000000000004\nx25: 0000000000000003 x24: ffffffc011ffb890\nx23: ffffffa762ef9be0 x22: ffffffa77244ef00\nx21: 0000000000000009 x20: 00000007fff7c000\nx19: 0000000000000003 x18: 0000000000000000\nx17: 0000000000000004 x16: ffffffd7a357d9f0\nx15: 0000000000000000 x14: 00fd5d4fa7ffffff\nx13: 000000000000000e x12: 0000000000000000\nx11: 00000000ffffffff x10: 00000000fffffe00\nx9 : 000000000000017c x8 : 000000000000000c\nx7 : 0000000000000000 x6 : ffffffa762ef9000\nx5 : 0000000000000003 x4 : 0000000000000004\nx3 : 0000000000001000 x2 : 00000007fff7c000\nx1 : ffffffc011ffb890 x0 : 0000000000000000 Call trace:\n__arm_lpae_unmap+0x500/0x514\n__arm_lpae_unmap+0x4bc/0x514\n__arm_lpae_unmap+0x4bc/0x514\narm_lpae_unmap_pages+0x78/0xa4\narm_smmu_unmap_pages+0x78/0x104\n__iommu_unmap+0xc8/0x1e4\niommu_unmap_fast+0x38/0x48\n__iommu_dma_unmap+0x84/0x104\niommu_dma_free+0x34/0x50\ndma_free_attrs+0xa4/0xd0\nath10k_htt_rx_free+0xc4/0xf4 [ath10k_core] ath10k_core_stop+0x64/0x7c\n[ath10k_core]\nath10k_halt+0x11c/0x180 [ath10k_core]\nath10k_stop+0x54/0x94 [ath10k_core]\ndrv_stop+0x48/0x1c8 [mac80211]\nieee80211_do_open+0x638/0x77c [mac80211] ieee80211_open+0x48/0x5c\n[mac80211]\n__dev_open+0xb4/0x174\n__dev_change_flags+0xc4/0x1dc\ndev_change_flags+0x3c/0x7c\ndevinet_ioctl+0x2b4/0x580\ninet_ioctl+0xb0/0x1b4\nsock_do_ioctl+0x4c/0x16c\ncompat_ifreq_ioctl+0x1cc/0x35c\ncompat_sock_ioctl+0x110/0x2ac\n__arm64_compat_sys_ioctl+0xf4/0x3e0\nel0_svc_common+0xb4/0x17c\nel0_svc_compat_handler+0x2c/0x58\nel0_svc_compat+0x8/0x2c\n\nTested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:03:55.414Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c4bedc3cda09d896c92adcdb6b62aa93b0c47a8a"
        },
        {
          "url": "https://git.kernel.org/stable/c/79a124b588aadb5a22695542778de14366ff3219"
        },
        {
          "url": "https://git.kernel.org/stable/c/acd4324e5f1f11351630234297f95076f0ac9a2f"
        }
      ],
      "title": "wifi: ath10k: Delay the unmapping of the buffer",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50700",
    "datePublished": "2025-12-24T10:55:16.257Z",
    "dateReserved": "2025-12-24T10:53:15.517Z",
    "dateUpdated": "2026-01-02T15:03:55.414Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40318 (GCVE-0-2025-40318)

Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46

Title

Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once hci_cmd_sync_dequeue_once() does lookup and then cancel the entry under two separate lock sections. Meanwhile, hci_cmd_sync_work() can also delete the same entry, leading to double list_del() and "UAF". Fix this by holding cmd_sync_work_lock across both lookup and cancel, so that the entry cannot be removed concurrently.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0a94f7e017438935c…
	https://git.kernel.org/stable/c/932c0a4f77ac13e52…
	https://git.kernel.org/stable/c/ae76cf6c2c842944c…
	https://git.kernel.org/stable/c/9cd536970192b7225…
	https://git.kernel.org/stable/c/09b0cd1297b4dbfe7…

Impacted products

Vendor

Product

Version

Linux

Affected: f00f36db76eb8fd10d13e80e2590f23b5beaa54d , < 0a94f7e017438935c09ef833a1aa908ad9875213 (git)
Affected: 1499f79995c7ee58e3bfeeff75f6d1b37dcda881 , < 932c0a4f77ac13e526fdd5b42914d29c9821d389 (git)
Affected: 505ea2b295929e7be2b4e1bc86ee31cb7862fb01 , < ae76cf6c2c842944c6514c57df54d728f1916553 (git)
Affected: 505ea2b295929e7be2b4e1bc86ee31cb7862fb01 , < 9cd536970192b72257afcdfba0bfc09993e6f19c (git)
Affected: 505ea2b295929e7be2b4e1bc86ee31cb7862fb01 , < 09b0cd1297b4dbfe736aeaa0ceeab2265f47f772 (git)
Affected: 357603f4d396d85fbf0045512efaf1d7f7394ed7 (git)

Linux

Affected: 6.9
Unaffected: 0 , < 6.9 (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/hci_sync.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0a94f7e017438935c09ef833a1aa908ad9875213",
              "status": "affected",
              "version": "f00f36db76eb8fd10d13e80e2590f23b5beaa54d",
              "versionType": "git"
            },
            {
              "lessThan": "932c0a4f77ac13e526fdd5b42914d29c9821d389",
              "status": "affected",
              "version": "1499f79995c7ee58e3bfeeff75f6d1b37dcda881",
              "versionType": "git"
            },
            {
              "lessThan": "ae76cf6c2c842944c6514c57df54d728f1916553",
              "status": "affected",
              "version": "505ea2b295929e7be2b4e1bc86ee31cb7862fb01",
              "versionType": "git"
            },
            {
              "lessThan": "9cd536970192b72257afcdfba0bfc09993e6f19c",
              "status": "affected",
              "version": "505ea2b295929e7be2b4e1bc86ee31cb7862fb01",
              "versionType": "git"
            },
            {
              "lessThan": "09b0cd1297b4dbfe736aeaa0ceeab2265f47f772",
              "status": "affected",
              "version": "505ea2b295929e7be2b4e1bc86ee31cb7862fb01",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "357603f4d396d85fbf0045512efaf1d7f7394ed7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/hci_sync.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "6.1.120",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "6.6.51",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.8.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once\n\nhci_cmd_sync_dequeue_once() does lookup and then cancel\nthe entry under two separate lock sections. Meanwhile,\nhci_cmd_sync_work() can also delete the same entry,\nleading to double list_del() and \"UAF\".\n\nFix this by holding cmd_sync_work_lock across both\nlookup and cancel, so that the entry cannot be removed\nconcurrently."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-08T00:46:45.382Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0a94f7e017438935c09ef833a1aa908ad9875213"
        },
        {
          "url": "https://git.kernel.org/stable/c/932c0a4f77ac13e526fdd5b42914d29c9821d389"
        },
        {
          "url": "https://git.kernel.org/stable/c/ae76cf6c2c842944c6514c57df54d728f1916553"
        },
        {
          "url": "https://git.kernel.org/stable/c/9cd536970192b72257afcdfba0bfc09993e6f19c"
        },
        {
          "url": "https://git.kernel.org/stable/c/09b0cd1297b4dbfe736aeaa0ceeab2265f47f772"
        }
      ],
      "title": "Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40318",
    "datePublished": "2025-12-08T00:46:45.382Z",
    "dateReserved": "2025-04-16T07:20:57.186Z",
    "dateUpdated": "2025-12-08T00:46:45.382Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50726 (GCVE-0-2022-50726)

Vulnerability from cvelistv5 – Published: 2025-12-24 12:22 – Updated: 2025-12-24 12:22

Title

net/mlx5: Fix possible use-after-free in async command interface

Summary

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix possible use-after-free in async command interface mlx5_cmd_cleanup_async_ctx should return only after all its callback handlers were completed. Before this patch, the below race between mlx5_cmd_cleanup_async_ctx and mlx5_cmd_exec_cb_handler was possible and lead to a use-after-free: 1. mlx5_cmd_cleanup_async_ctx is called while num_inflight is 2 (i.e. elevated by 1, a single inflight callback). 2. mlx5_cmd_cleanup_async_ctx decreases num_inflight to 1. 3. mlx5_cmd_exec_cb_handler is called, decreases num_inflight to 0 and is about to call wake_up(). 4. mlx5_cmd_cleanup_async_ctx calls wait_event, which returns immediately as the condition (num_inflight == 0) holds. 5. mlx5_cmd_cleanup_async_ctx returns. 6. The caller of mlx5_cmd_cleanup_async_ctx frees the mlx5_async_ctx object. 7. mlx5_cmd_exec_cb_handler goes on and calls wake_up() on the freed object. Fix it by syncing using a completion object. Mark it completed when num_inflight reaches 0. Trace: BUG: KASAN: use-after-free in do_raw_spin_lock+0x23d/0x270 Read of size 4 at addr ffff888139cd12f4 by task swapper/5/0 CPU: 5 PID: 0 Comm: swapper/5 Not tainted 6.0.0-rc3_for_upstream_debug_2022_08_30_13_10 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Call Trace: <IRQ> dump_stack_lvl+0x57/0x7d print_report.cold+0x2d5/0x684 ? do_raw_spin_lock+0x23d/0x270 kasan_report+0xb1/0x1a0 ? do_raw_spin_lock+0x23d/0x270 do_raw_spin_lock+0x23d/0x270 ? rwlock_bug.part.0+0x90/0x90 ? __delete_object+0xb8/0x100 ? lock_downgrade+0x6e0/0x6e0 _raw_spin_lock_irqsave+0x43/0x60 ? __wake_up_common_lock+0xb9/0x140 __wake_up_common_lock+0xb9/0x140 ? __wake_up_common+0x650/0x650 ? destroy_tis_callback+0x53/0x70 [mlx5_core] ? kasan_set_track+0x21/0x30 ? destroy_tis_callback+0x53/0x70 [mlx5_core] ? kfree+0x1ba/0x520 ? do_raw_spin_unlock+0x54/0x220 mlx5_cmd_exec_cb_handler+0x136/0x1a0 [mlx5_core] ? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core] ? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core] mlx5_cmd_comp_handler+0x65a/0x12b0 [mlx5_core] ? dump_command+0xcc0/0xcc0 [mlx5_core] ? lockdep_hardirqs_on_prepare+0x400/0x400 ? cmd_comp_notifier+0x7e/0xb0 [mlx5_core] cmd_comp_notifier+0x7e/0xb0 [mlx5_core] atomic_notifier_call_chain+0xd7/0x1d0 mlx5_eq_async_int+0x3ce/0xa20 [mlx5_core] atomic_notifier_call_chain+0xd7/0x1d0 ? irq_release+0x140/0x140 [mlx5_core] irq_int_handler+0x19/0x30 [mlx5_core] __handle_irq_event_percpu+0x1f2/0x620 handle_irq_event+0xb2/0x1d0 handle_edge_irq+0x21e/0xb00 __common_interrupt+0x79/0x1a0 common_interrupt+0x78/0xa0 </IRQ> <TASK> asm_common_interrupt+0x22/0x40 RIP: 0010:default_idle+0x42/0x60 Code: c1 83 e0 07 48 c1 e9 03 83 c0 03 0f b6 14 11 38 d0 7c 04 84 d2 75 14 8b 05 eb 47 22 02 85 c0 7e 07 0f 00 2d e0 9f 48 00 fb f4 <c3> 48 c7 c7 80 08 7f 85 e8 d1 d3 3e fe eb de 66 66 2e 0f 1f 84 00 RSP: 0018:ffff888100dbfdf0 EFLAGS: 00000242 RAX: 0000000000000001 RBX: ffffffff84ecbd48 RCX: 1ffffffff0afe110 RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffffffff835cc9bc RBP: 0000000000000005 R08: 0000000000000001 R09: ffff88881dec4ac3 R10: ffffed1103bd8958 R11: 0000017d0ca571c9 R12: 0000000000000005 R13: ffffffff84f024e0 R14: 0000000000000000 R15: dffffc0000000000 ? default_idle_call+0xcc/0x450 default_idle_call+0xec/0x450 do_idle+0x394/0x450 ? arch_cpu_idle_exit+0x40/0x40 ? do_idle+0x17/0x450 cpu_startup_entry+0x19/0x20 start_secondary+0x221/0x2b0 ? set_cpu_sibling_map+0x2070/0x2070 secondary_startup_64_no_verify+0xcd/0xdb </TASK> Allocated by task 49502: kasan_save_stack+0x1e/0x40 __kasan_kmalloc+0x81/0xa0 kvmalloc_node+0x48/0xe0 mlx5e_bulk_async_init+0x35/0x110 [mlx5_core] mlx5e_tls_priv_tx_list_cleanup+0x84/0x3e0 [mlx5_core] mlx5e_ktls_cleanup_tx+0x38f/0x760 [mlx5_core] mlx5e_cleanup_nic_tx+0xa7/0x100 [mlx5_core] mlx5e_detach_netdev+0x1c ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/69dd3ad406c49aa69…
	https://git.kernel.org/stable/c/bbcc06933f3565129…
	https://git.kernel.org/stable/c/ab3de780c176bb919…
	https://git.kernel.org/stable/c/0aa3ee1e4e5c9ed5d…
	https://git.kernel.org/stable/c/bacd22df95147ed67…

Impacted products

Vendor

Product

Version

Linux

Affected: e355477ed9e4f401e3931043df97325d38552d54 , < 69dd3ad406c49aa69ce4852c15231ac56af8caf9 (git)
Affected: e355477ed9e4f401e3931043df97325d38552d54 , < bbcc06933f35651294ea1e963757502312c2171f (git)
Affected: e355477ed9e4f401e3931043df97325d38552d54 , < ab3de780c176bb91995c6166a576b370d9726e17 (git)
Affected: e355477ed9e4f401e3931043df97325d38552d54 , < 0aa3ee1e4e5c9ed5dda11249450d609c3072c54e (git)
Affected: e355477ed9e4f401e3931043df97325d38552d54 , < bacd22df95147ed673bec4692ab2d4d585935241 (git)

Linux

Affected: 5.1
Unaffected: 0 , < 5.1 (semver)
Unaffected: 5.4.223 , ≤ 5.4.* (semver)
Unaffected: 5.10.153 , ≤ 5.10.* (semver)
Unaffected: 5.15.77 , ≤ 5.15.* (semver)
Unaffected: 6.0.7 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/cmd.c",
            "include/linux/mlx5/driver.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "69dd3ad406c49aa69ce4852c15231ac56af8caf9",
              "status": "affected",
              "version": "e355477ed9e4f401e3931043df97325d38552d54",
              "versionType": "git"
            },
            {
              "lessThan": "bbcc06933f35651294ea1e963757502312c2171f",
              "status": "affected",
              "version": "e355477ed9e4f401e3931043df97325d38552d54",
              "versionType": "git"
            },
            {
              "lessThan": "ab3de780c176bb91995c6166a576b370d9726e17",
              "status": "affected",
              "version": "e355477ed9e4f401e3931043df97325d38552d54",
              "versionType": "git"
            },
            {
              "lessThan": "0aa3ee1e4e5c9ed5dda11249450d609c3072c54e",
              "status": "affected",
              "version": "e355477ed9e4f401e3931043df97325d38552d54",
              "versionType": "git"
            },
            {
              "lessThan": "bacd22df95147ed673bec4692ab2d4d585935241",
              "status": "affected",
              "version": "e355477ed9e4f401e3931043df97325d38552d54",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/cmd.c",
            "include/linux/mlx5/driver.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.1"
            },
            {
              "lessThan": "5.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.223",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.153",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.77",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.223",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.153",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.77",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.7",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix possible use-after-free in async command interface\n\nmlx5_cmd_cleanup_async_ctx should return only after all its callback\nhandlers were completed. Before this patch, the below race between\nmlx5_cmd_cleanup_async_ctx and mlx5_cmd_exec_cb_handler was possible and\nlead to a use-after-free:\n\n1. mlx5_cmd_cleanup_async_ctx is called while num_inflight is 2 (i.e.\n   elevated by 1, a single inflight callback).\n2. mlx5_cmd_cleanup_async_ctx decreases num_inflight to 1.\n3. mlx5_cmd_exec_cb_handler is called, decreases num_inflight to 0 and\n   is about to call wake_up().\n4. mlx5_cmd_cleanup_async_ctx calls wait_event, which returns\n   immediately as the condition (num_inflight == 0) holds.\n5. mlx5_cmd_cleanup_async_ctx returns.\n6. The caller of mlx5_cmd_cleanup_async_ctx frees the mlx5_async_ctx\n   object.\n7. mlx5_cmd_exec_cb_handler goes on and calls wake_up() on the freed\n   object.\n\nFix it by syncing using a completion object. Mark it completed when\nnum_inflight reaches 0.\n\nTrace:\n\nBUG: KASAN: use-after-free in do_raw_spin_lock+0x23d/0x270\nRead of size 4 at addr ffff888139cd12f4 by task swapper/5/0\n\nCPU: 5 PID: 0 Comm: swapper/5 Not tainted 6.0.0-rc3_for_upstream_debug_2022_08_30_13_10 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl+0x57/0x7d\n print_report.cold+0x2d5/0x684\n ? do_raw_spin_lock+0x23d/0x270\n kasan_report+0xb1/0x1a0\n ? do_raw_spin_lock+0x23d/0x270\n do_raw_spin_lock+0x23d/0x270\n ? rwlock_bug.part.0+0x90/0x90\n ? __delete_object+0xb8/0x100\n ? lock_downgrade+0x6e0/0x6e0\n _raw_spin_lock_irqsave+0x43/0x60\n ? __wake_up_common_lock+0xb9/0x140\n __wake_up_common_lock+0xb9/0x140\n ? __wake_up_common+0x650/0x650\n ? destroy_tis_callback+0x53/0x70 [mlx5_core]\n ? kasan_set_track+0x21/0x30\n ? destroy_tis_callback+0x53/0x70 [mlx5_core]\n ? kfree+0x1ba/0x520\n ? do_raw_spin_unlock+0x54/0x220\n mlx5_cmd_exec_cb_handler+0x136/0x1a0 [mlx5_core]\n ? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core]\n ? mlx5_cmd_cleanup_async_ctx+0x220/0x220 [mlx5_core]\n mlx5_cmd_comp_handler+0x65a/0x12b0 [mlx5_core]\n ? dump_command+0xcc0/0xcc0 [mlx5_core]\n ? lockdep_hardirqs_on_prepare+0x400/0x400\n ? cmd_comp_notifier+0x7e/0xb0 [mlx5_core]\n cmd_comp_notifier+0x7e/0xb0 [mlx5_core]\n atomic_notifier_call_chain+0xd7/0x1d0\n mlx5_eq_async_int+0x3ce/0xa20 [mlx5_core]\n atomic_notifier_call_chain+0xd7/0x1d0\n ? irq_release+0x140/0x140 [mlx5_core]\n irq_int_handler+0x19/0x30 [mlx5_core]\n __handle_irq_event_percpu+0x1f2/0x620\n handle_irq_event+0xb2/0x1d0\n handle_edge_irq+0x21e/0xb00\n __common_interrupt+0x79/0x1a0\n common_interrupt+0x78/0xa0\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n asm_common_interrupt+0x22/0x40\nRIP: 0010:default_idle+0x42/0x60\nCode: c1 83 e0 07 48 c1 e9 03 83 c0 03 0f b6 14 11 38 d0 7c 04 84 d2 75 14 8b 05 eb 47 22 02 85 c0 7e 07 0f 00 2d e0 9f 48 00 fb f4 \u003cc3\u003e 48 c7 c7 80 08 7f 85 e8 d1 d3 3e fe eb de 66 66 2e 0f 1f 84 00\nRSP: 0018:ffff888100dbfdf0 EFLAGS: 00000242\nRAX: 0000000000000001 RBX: ffffffff84ecbd48 RCX: 1ffffffff0afe110\nRDX: 0000000000000004 RSI: 0000000000000000 RDI: ffffffff835cc9bc\nRBP: 0000000000000005 R08: 0000000000000001 R09: ffff88881dec4ac3\nR10: ffffed1103bd8958 R11: 0000017d0ca571c9 R12: 0000000000000005\nR13: ffffffff84f024e0 R14: 0000000000000000 R15: dffffc0000000000\n ? default_idle_call+0xcc/0x450\n default_idle_call+0xec/0x450\n do_idle+0x394/0x450\n ? arch_cpu_idle_exit+0x40/0x40\n ? do_idle+0x17/0x450\n cpu_startup_entry+0x19/0x20\n start_secondary+0x221/0x2b0\n ? set_cpu_sibling_map+0x2070/0x2070\n secondary_startup_64_no_verify+0xcd/0xdb\n \u003c/TASK\u003e\n\nAllocated by task 49502:\n kasan_save_stack+0x1e/0x40\n __kasan_kmalloc+0x81/0xa0\n kvmalloc_node+0x48/0xe0\n mlx5e_bulk_async_init+0x35/0x110 [mlx5_core]\n mlx5e_tls_priv_tx_list_cleanup+0x84/0x3e0 [mlx5_core]\n mlx5e_ktls_cleanup_tx+0x38f/0x760 [mlx5_core]\n mlx5e_cleanup_nic_tx+0xa7/0x100 [mlx5_core]\n mlx5e_detach_netdev+0x1c\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-24T12:22:47.625Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/69dd3ad406c49aa69ce4852c15231ac56af8caf9"
        },
        {
          "url": "https://git.kernel.org/stable/c/bbcc06933f35651294ea1e963757502312c2171f"
        },
        {
          "url": "https://git.kernel.org/stable/c/ab3de780c176bb91995c6166a576b370d9726e17"
        },
        {
          "url": "https://git.kernel.org/stable/c/0aa3ee1e4e5c9ed5dda11249450d609c3072c54e"
        },
        {
          "url": "https://git.kernel.org/stable/c/bacd22df95147ed673bec4692ab2d4d585935241"
        }
      ],
      "title": "net/mlx5: Fix possible use-after-free in async command interface",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50726",
    "datePublished": "2025-12-24T12:22:47.625Z",
    "dateReserved": "2025-12-24T12:20:40.330Z",
    "dateUpdated": "2025-12-24T12:22:47.625Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50649 (GCVE-0-2022-50649)

Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-23 13:30

Title

power: supply: adp5061: fix out-of-bounds read in adp5061_get_chg_type()

Summary

In the Linux kernel, the following vulnerability has been resolved: power: supply: adp5061: fix out-of-bounds read in adp5061_get_chg_type() ADP5061_CHG_STATUS_1_CHG_STATUS is masked with 0x07, which means a length of 8, but adp5061_chg_type array size is 4, may end up reading 4 elements beyond the end of the adp5061_chg_type[] array.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/24a0be36e9a21f63d…
	https://git.kernel.org/stable/c/3376a0cf138dfc90b…
	https://git.kernel.org/stable/c/89f305a71418591cd…
	https://git.kernel.org/stable/c/7c8bc374659de19d8…
	https://git.kernel.org/stable/c/038e4aa71281d0cbc…
	https://git.kernel.org/stable/c/dc52b73d3acd676cc…
	https://git.kernel.org/stable/c/9d47e01b9d8078082…

Impacted products

Vendor

Product

Version

Linux

Affected: fe8e81b7e899968690e5e87c25727178921b5b9a , < 24a0be36e9a21f63de2e6088607e689e59ec15f4 (git)
Affected: fe8e81b7e899968690e5e87c25727178921b5b9a , < 3376a0cf138dfc90b449fde541ca228a33e1c143 (git)
Affected: fe8e81b7e899968690e5e87c25727178921b5b9a , < 89f305a71418591cdda18180f712f91c9820f03b (git)
Affected: fe8e81b7e899968690e5e87c25727178921b5b9a , < 7c8bc374659de19d846f7cab3eda9ebdb005c4cc (git)
Affected: fe8e81b7e899968690e5e87c25727178921b5b9a , < 038e4aa71281d0cbc8aeb56ba05ff7fc5653a106 (git)
Affected: fe8e81b7e899968690e5e87c25727178921b5b9a , < dc52b73d3acd676ccbb440fcec617c547b903af2 (git)
Affected: fe8e81b7e899968690e5e87c25727178921b5b9a , < 9d47e01b9d807808224347935562f7043a358054 (git)

Linux

Affected: 4.19
Unaffected: 0 , < 4.19 (semver)
Unaffected: 4.19.262 , ≤ 4.19.* (semver)
Unaffected: 5.4.220 , ≤ 5.4.* (semver)
Unaffected: 5.10.150 , ≤ 5.10.* (semver)
Unaffected: 5.15.75 , ≤ 5.15.* (semver)
Unaffected: 5.19.17 , ≤ 5.19.* (semver)
Unaffected: 6.0.3 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/power/supply/adp5061.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "24a0be36e9a21f63de2e6088607e689e59ec15f4",
              "status": "affected",
              "version": "fe8e81b7e899968690e5e87c25727178921b5b9a",
              "versionType": "git"
            },
            {
              "lessThan": "3376a0cf138dfc90b449fde541ca228a33e1c143",
              "status": "affected",
              "version": "fe8e81b7e899968690e5e87c25727178921b5b9a",
              "versionType": "git"
            },
            {
              "lessThan": "89f305a71418591cdda18180f712f91c9820f03b",
              "status": "affected",
              "version": "fe8e81b7e899968690e5e87c25727178921b5b9a",
              "versionType": "git"
            },
            {
              "lessThan": "7c8bc374659de19d846f7cab3eda9ebdb005c4cc",
              "status": "affected",
              "version": "fe8e81b7e899968690e5e87c25727178921b5b9a",
              "versionType": "git"
            },
            {
              "lessThan": "038e4aa71281d0cbc8aeb56ba05ff7fc5653a106",
              "status": "affected",
              "version": "fe8e81b7e899968690e5e87c25727178921b5b9a",
              "versionType": "git"
            },
            {
              "lessThan": "dc52b73d3acd676ccbb440fcec617c547b903af2",
              "status": "affected",
              "version": "fe8e81b7e899968690e5e87c25727178921b5b9a",
              "versionType": "git"
            },
            {
              "lessThan": "9d47e01b9d807808224347935562f7043a358054",
              "status": "affected",
              "version": "fe8e81b7e899968690e5e87c25727178921b5b9a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/power/supply/adp5061.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.19"
            },
            {
              "lessThan": "4.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.262",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.220",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.262",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.220",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.150",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.75",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: adp5061: fix out-of-bounds read in adp5061_get_chg_type()\n\nADP5061_CHG_STATUS_1_CHG_STATUS is masked with 0x07, which means a length\nof 8, but adp5061_chg_type array size is 4, may end up reading 4 elements\nbeyond the end of the adp5061_chg_type[] array."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-23T13:30:26.076Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/24a0be36e9a21f63de2e6088607e689e59ec15f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/3376a0cf138dfc90b449fde541ca228a33e1c143"
        },
        {
          "url": "https://git.kernel.org/stable/c/89f305a71418591cdda18180f712f91c9820f03b"
        },
        {
          "url": "https://git.kernel.org/stable/c/7c8bc374659de19d846f7cab3eda9ebdb005c4cc"
        },
        {
          "url": "https://git.kernel.org/stable/c/038e4aa71281d0cbc8aeb56ba05ff7fc5653a106"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc52b73d3acd676ccbb440fcec617c547b903af2"
        },
        {
          "url": "https://git.kernel.org/stable/c/9d47e01b9d807808224347935562f7043a358054"
        }
      ],
      "title": "power: supply: adp5061: fix out-of-bounds read in adp5061_get_chg_type()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50649",
    "datePublished": "2025-12-09T00:00:23.331Z",
    "dateReserved": "2025-12-08T23:57:43.371Z",
    "dateUpdated": "2025-12-23T13:30:26.076Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50823 (GCVE-0-2022-50823)

Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2025-12-30 12:08

Title

clk: tegra: Fix refcount leak in tegra114_clock_init

Summary

In the Linux kernel, the following vulnerability has been resolved: clk: tegra: Fix refcount leak in tegra114_clock_init of_find_matching_node() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/1f0e1cbbaffd72956…
	https://git.kernel.org/stable/c/ce699dcdac2bfdb6b…
	https://git.kernel.org/stable/c/8cc87a9c142ae0e27…
	https://git.kernel.org/stable/c/5984b1d66126b024e…
	https://git.kernel.org/stable/c/c01bfd23cc13a420b…
	https://git.kernel.org/stable/c/e7a57fb92af52c4da…
	https://git.kernel.org/stable/c/8e1fe30253930c6a6…
	https://git.kernel.org/stable/c/a7d3fb5814c73d7d4…
	https://git.kernel.org/stable/c/db16a80c76ea39576…

Impacted products

Vendor

Product

Version

Linux

Affected: 2cb5efefd6f7d3e7df9a7430b910a80515821256 , < 1f0e1cbbaffd729560716e9592aa5e609ea93bb6 (git)
Affected: 2cb5efefd6f7d3e7df9a7430b910a80515821256 , < ce699dcdac2bfdb6b238f2517ba41d9623b15f46 (git)
Affected: 2cb5efefd6f7d3e7df9a7430b910a80515821256 , < 8cc87a9c142ae0e276a3ff9ce50f78a1668da36f (git)
Affected: 2cb5efefd6f7d3e7df9a7430b910a80515821256 , < 5984b1d66126b024ee77482602ac6e51b53f4116 (git)
Affected: 2cb5efefd6f7d3e7df9a7430b910a80515821256 , < c01bfd23cc13a420b3f6a36bcab98410f49d480d (git)
Affected: 2cb5efefd6f7d3e7df9a7430b910a80515821256 , < e7a57fb92af52c4da69cd947752e8946e5ada50a (git)
Affected: 2cb5efefd6f7d3e7df9a7430b910a80515821256 , < 8e1fe30253930c6a67385c19802c5ab8706a76d9 (git)
Affected: 2cb5efefd6f7d3e7df9a7430b910a80515821256 , < a7d3fb5814c73d7d49913e4294f8f508a3038bb4 (git)
Affected: 2cb5efefd6f7d3e7df9a7430b910a80515821256 , < db16a80c76ea395766913082b1e3f939dde29b2c (git)

Linux

Affected: 3.10
Unaffected: 0 , < 3.10 (semver)
Unaffected: 4.9.331 , ≤ 4.9.* (semver)
Unaffected: 4.14.296 , ≤ 4.14.* (semver)
Unaffected: 4.19.262 , ≤ 4.19.* (semver)
Unaffected: 5.4.220 , ≤ 5.4.* (semver)
Unaffected: 5.10.150 , ≤ 5.10.* (semver)
Unaffected: 5.15.75 , ≤ 5.15.* (semver)
Unaffected: 5.19.17 , ≤ 5.19.* (semver)
Unaffected: 6.0.3 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/clk/tegra/clk-tegra114.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1f0e1cbbaffd729560716e9592aa5e609ea93bb6",
              "status": "affected",
              "version": "2cb5efefd6f7d3e7df9a7430b910a80515821256",
              "versionType": "git"
            },
            {
              "lessThan": "ce699dcdac2bfdb6b238f2517ba41d9623b15f46",
              "status": "affected",
              "version": "2cb5efefd6f7d3e7df9a7430b910a80515821256",
              "versionType": "git"
            },
            {
              "lessThan": "8cc87a9c142ae0e276a3ff9ce50f78a1668da36f",
              "status": "affected",
              "version": "2cb5efefd6f7d3e7df9a7430b910a80515821256",
              "versionType": "git"
            },
            {
              "lessThan": "5984b1d66126b024ee77482602ac6e51b53f4116",
              "status": "affected",
              "version": "2cb5efefd6f7d3e7df9a7430b910a80515821256",
              "versionType": "git"
            },
            {
              "lessThan": "c01bfd23cc13a420b3f6a36bcab98410f49d480d",
              "status": "affected",
              "version": "2cb5efefd6f7d3e7df9a7430b910a80515821256",
              "versionType": "git"
            },
            {
              "lessThan": "e7a57fb92af52c4da69cd947752e8946e5ada50a",
              "status": "affected",
              "version": "2cb5efefd6f7d3e7df9a7430b910a80515821256",
              "versionType": "git"
            },
            {
              "lessThan": "8e1fe30253930c6a67385c19802c5ab8706a76d9",
              "status": "affected",
              "version": "2cb5efefd6f7d3e7df9a7430b910a80515821256",
              "versionType": "git"
            },
            {
              "lessThan": "a7d3fb5814c73d7d49913e4294f8f508a3038bb4",
              "status": "affected",
              "version": "2cb5efefd6f7d3e7df9a7430b910a80515821256",
              "versionType": "git"
            },
            {
              "lessThan": "db16a80c76ea395766913082b1e3f939dde29b2c",
              "status": "affected",
              "version": "2cb5efefd6f7d3e7df9a7430b910a80515821256",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/clk/tegra/clk-tegra114.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.10"
            },
            {
              "lessThan": "3.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.331",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.262",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.220",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.331",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.296",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.262",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.220",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.150",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.75",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: tegra: Fix refcount leak in tegra114_clock_init\n\nof_find_matching_node() returns a node pointer with refcount\nincremented, we should use of_node_put() on it when not need anymore.\nAdd missing of_node_put() to avoid refcount leak."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T12:08:36.911Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1f0e1cbbaffd729560716e9592aa5e609ea93bb6"
        },
        {
          "url": "https://git.kernel.org/stable/c/ce699dcdac2bfdb6b238f2517ba41d9623b15f46"
        },
        {
          "url": "https://git.kernel.org/stable/c/8cc87a9c142ae0e276a3ff9ce50f78a1668da36f"
        },
        {
          "url": "https://git.kernel.org/stable/c/5984b1d66126b024ee77482602ac6e51b53f4116"
        },
        {
          "url": "https://git.kernel.org/stable/c/c01bfd23cc13a420b3f6a36bcab98410f49d480d"
        },
        {
          "url": "https://git.kernel.org/stable/c/e7a57fb92af52c4da69cd947752e8946e5ada50a"
        },
        {
          "url": "https://git.kernel.org/stable/c/8e1fe30253930c6a67385c19802c5ab8706a76d9"
        },
        {
          "url": "https://git.kernel.org/stable/c/a7d3fb5814c73d7d49913e4294f8f508a3038bb4"
        },
        {
          "url": "https://git.kernel.org/stable/c/db16a80c76ea395766913082b1e3f939dde29b2c"
        }
      ],
      "title": "clk: tegra: Fix refcount leak in tegra114_clock_init",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50823",
    "datePublished": "2025-12-30T12:08:36.911Z",
    "dateReserved": "2025-12-30T12:06:07.131Z",
    "dateUpdated": "2025-12-30T12:08:36.911Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68307 (GCVE-0-2025-68307)

Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06

Title

can: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs

Summary

In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs The driver lacks the cleanup of failed transfers of URBs. This reduces the number of available URBs per error by 1. This leads to reduced performance and ultimately to a complete stop of the transmission. If the sending of a bulk URB fails do proper cleanup: - increase netdev stats - mark the echo_sbk as free - free the driver's context and do accounting - wake the send queue

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f7a5560675bd85efa…
	https://git.kernel.org/stable/c/1a588c40a422a3663…
	https://git.kernel.org/stable/c/4a82072e451eacf24…
	https://git.kernel.org/stable/c/9c8eb33b7008178b6…
	https://git.kernel.org/stable/c/516a0cd1c03fa266b…

Impacted products

Vendor

Product

Version

Linux

Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < f7a5560675bd85efaf16ab01a43053670ff2b000 (git)
Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < 1a588c40a422a3663a52f1c5535e8fb6b044167d (git)
Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < 4a82072e451eacf24fc66a445e906f5095d215db (git)
Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < 9c8eb33b7008178b6ce88aa7593d12063ce60ca3 (git)
Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < 516a0cd1c03fa266bb67dd87940a209fd4e53ce7 (git)

Linux

Affected: 3.16
Unaffected: 0 , < 3.16 (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.119 , ≤ 6.6.* (semver)
Unaffected: 6.12.61 , ≤ 6.12.* (semver)
Unaffected: 6.17.11 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/can/usb/gs_usb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f7a5560675bd85efaf16ab01a43053670ff2b000",
              "status": "affected",
              "version": "d08e973a77d128b25e01a08c34d89593fdf222da",
              "versionType": "git"
            },
            {
              "lessThan": "1a588c40a422a3663a52f1c5535e8fb6b044167d",
              "status": "affected",
              "version": "d08e973a77d128b25e01a08c34d89593fdf222da",
              "versionType": "git"
            },
            {
              "lessThan": "4a82072e451eacf24fc66a445e906f5095d215db",
              "status": "affected",
              "version": "d08e973a77d128b25e01a08c34d89593fdf222da",
              "versionType": "git"
            },
            {
              "lessThan": "9c8eb33b7008178b6ce88aa7593d12063ce60ca3",
              "status": "affected",
              "version": "d08e973a77d128b25e01a08c34d89593fdf222da",
              "versionType": "git"
            },
            {
              "lessThan": "516a0cd1c03fa266bb67dd87940a209fd4e53ce7",
              "status": "affected",
              "version": "d08e973a77d128b25e01a08c34d89593fdf222da",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/can/usb/gs_usb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.16"
            },
            {
              "lessThan": "3.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.119",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.119",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.61",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.11",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs\n\nThe driver lacks the cleanup of failed transfers of URBs. This reduces the\nnumber of available URBs per error by 1. This leads to reduced performance\nand ultimately to a complete stop of the transmission.\n\nIf the sending of a bulk URB fails do proper cleanup:\n- increase netdev stats\n- mark the echo_sbk as free\n- free the driver\u0027s context and do accounting\n- wake the send queue"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T15:06:24.271Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f7a5560675bd85efaf16ab01a43053670ff2b000"
        },
        {
          "url": "https://git.kernel.org/stable/c/1a588c40a422a3663a52f1c5535e8fb6b044167d"
        },
        {
          "url": "https://git.kernel.org/stable/c/4a82072e451eacf24fc66a445e906f5095d215db"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c8eb33b7008178b6ce88aa7593d12063ce60ca3"
        },
        {
          "url": "https://git.kernel.org/stable/c/516a0cd1c03fa266bb67dd87940a209fd4e53ce7"
        }
      ],
      "title": "can: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68307",
    "datePublished": "2025-12-16T15:06:24.271Z",
    "dateReserved": "2025-12-16T14:48:05.294Z",
    "dateUpdated": "2025-12-16T15:06:24.271Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68335 (GCVE-0-2025-68335)

Vulnerability from cvelistv5 – Published: 2025-12-22 16:14 – Updated: 2026-01-19 12:18

Title

comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()

Summary

In the Linux kernel, the following vulnerability has been resolved: comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel() Syzbot identified an issue [1] in pcl818_ai_cancel(), which stems from the fact that in case of early device detach via pcl818_detach(), subdevice dev->read_subdev may not have initialized its pointer to &struct comedi_async as intended. Thus, any such dereferencing of &s->async->cmd will lead to general protection fault and kernel crash. Mitigate this problem by removing a call to pcl818_ai_cancel() from pcl818_detach() altogether. This way, if the subdevice setups its support for async commands, everything async-related will be handled via subdevice's own ->cancel() function in comedi_device_detach_locked() even before pcl818_detach(). If no support for asynchronous commands is provided, there is no need to cancel anything either. [1] Syzbot crash: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] CPU: 1 UID: 0 PID: 6050 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 RIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762 ... Call Trace: <TASK> pcl818_detach+0x66/0xd0 drivers/comedi/drivers/pcl818.c:1115 comedi_device_detach_locked+0x178/0x750 drivers/comedi/drivers.c:207 do_devconfig_ioctl drivers/comedi/comedi_fops.c:848 [inline] comedi_unlocked_ioctl+0xcde/0x1020 drivers/comedi/comedi_fops.c:2178 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] ...

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b2a5b172dc05be6c4…
	https://git.kernel.org/stable/c/935ad4b3c325c24ff…
	https://git.kernel.org/stable/c/88d99ca5adbd01ff0…
	https://git.kernel.org/stable/c/5caa40e7c6a43e08e…
	https://git.kernel.org/stable/c/d948c53dec36dafe1…
	https://git.kernel.org/stable/c/877adccfacb32687b…
	https://git.kernel.org/stable/c/a51f025b5038abd3d…

Impacted products

Vendor

Product

Version

Linux

Affected: 00aba6e7b5653a6607238ecdab7172318059d984 , < b2a5b172dc05be6c4f2c5542c1bbc6b14d60ff16 (git)
Affected: 00aba6e7b5653a6607238ecdab7172318059d984 , < 935ad4b3c325c24fff2c702da403283025ffc722 (git)
Affected: 00aba6e7b5653a6607238ecdab7172318059d984 , < 88d99ca5adbd01ff088f5fb2ddeba5755e085e52 (git)
Affected: 00aba6e7b5653a6607238ecdab7172318059d984 , < 5caa40e7c6a43e08e3574f990865127705c22861 (git)
Affected: 00aba6e7b5653a6607238ecdab7172318059d984 , < d948c53dec36dafe182631457597c49c1f1df5ea (git)
Affected: 00aba6e7b5653a6607238ecdab7172318059d984 , < 877adccfacb32687b90714a27cfb09f444fdfa16 (git)
Affected: 00aba6e7b5653a6607238ecdab7172318059d984 , < a51f025b5038abd3d22eed2ede4cd46793d89565 (git)

Linux

Affected: 3.15
Unaffected: 0 , < 3.15 (semver)
Unaffected: 5.15.198 , ≤ 5.15.* (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.62 , ≤ 6.12.* (semver)
Unaffected: 6.17.12 , ≤ 6.17.* (semver)
Unaffected: 6.18.1 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/comedi/drivers/pcl818.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b2a5b172dc05be6c4f2c5542c1bbc6b14d60ff16",
              "status": "affected",
              "version": "00aba6e7b5653a6607238ecdab7172318059d984",
              "versionType": "git"
            },
            {
              "lessThan": "935ad4b3c325c24fff2c702da403283025ffc722",
              "status": "affected",
              "version": "00aba6e7b5653a6607238ecdab7172318059d984",
              "versionType": "git"
            },
            {
              "lessThan": "88d99ca5adbd01ff088f5fb2ddeba5755e085e52",
              "status": "affected",
              "version": "00aba6e7b5653a6607238ecdab7172318059d984",
              "versionType": "git"
            },
            {
              "lessThan": "5caa40e7c6a43e08e3574f990865127705c22861",
              "status": "affected",
              "version": "00aba6e7b5653a6607238ecdab7172318059d984",
              "versionType": "git"
            },
            {
              "lessThan": "d948c53dec36dafe182631457597c49c1f1df5ea",
              "status": "affected",
              "version": "00aba6e7b5653a6607238ecdab7172318059d984",
              "versionType": "git"
            },
            {
              "lessThan": "877adccfacb32687b90714a27cfb09f444fdfa16",
              "status": "affected",
              "version": "00aba6e7b5653a6607238ecdab7172318059d984",
              "versionType": "git"
            },
            {
              "lessThan": "a51f025b5038abd3d22eed2ede4cd46793d89565",
              "status": "affected",
              "version": "00aba6e7b5653a6607238ecdab7172318059d984",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/comedi/drivers/pcl818.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.15"
            },
            {
              "lessThan": "3.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.62",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.198",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.62",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.12",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.1",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()\n\nSyzbot identified an issue [1] in pcl818_ai_cancel(), which stems from\nthe fact that in case of early device detach via pcl818_detach(),\nsubdevice dev-\u003eread_subdev may not have initialized its pointer to\n\u0026struct comedi_async as intended. Thus, any such dereferencing of\n\u0026s-\u003easync-\u003ecmd will lead to general protection fault and kernel crash.\n\nMitigate this problem by removing a call to pcl818_ai_cancel() from\npcl818_detach() altogether. This way, if the subdevice setups its\nsupport for async commands, everything async-related will be\nhandled via subdevice\u0027s own -\u003ecancel() function in\ncomedi_device_detach_locked() even before pcl818_detach(). If no\nsupport for asynchronous commands is provided, there is no need\nto cancel anything either.\n\n[1] Syzbot crash:\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]\nCPU: 1 UID: 0 PID: 6050 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025\nRIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762\n...\nCall Trace:\n \u003cTASK\u003e\n pcl818_detach+0x66/0xd0 drivers/comedi/drivers/pcl818.c:1115\n comedi_device_detach_locked+0x178/0x750 drivers/comedi/drivers.c:207\n do_devconfig_ioctl drivers/comedi/comedi_fops.c:848 [inline]\n comedi_unlocked_ioctl+0xcde/0x1020 drivers/comedi/comedi_fops.c:2178\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n..."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-19T12:18:20.046Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b2a5b172dc05be6c4f2c5542c1bbc6b14d60ff16"
        },
        {
          "url": "https://git.kernel.org/stable/c/935ad4b3c325c24fff2c702da403283025ffc722"
        },
        {
          "url": "https://git.kernel.org/stable/c/88d99ca5adbd01ff088f5fb2ddeba5755e085e52"
        },
        {
          "url": "https://git.kernel.org/stable/c/5caa40e7c6a43e08e3574f990865127705c22861"
        },
        {
          "url": "https://git.kernel.org/stable/c/d948c53dec36dafe182631457597c49c1f1df5ea"
        },
        {
          "url": "https://git.kernel.org/stable/c/877adccfacb32687b90714a27cfb09f444fdfa16"
        },
        {
          "url": "https://git.kernel.org/stable/c/a51f025b5038abd3d22eed2ede4cd46793d89565"
        }
      ],
      "title": "comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68335",
    "datePublished": "2025-12-22T16:14:12.614Z",
    "dateReserved": "2025-12-16T14:48:05.297Z",
    "dateUpdated": "2026-01-19T12:18:20.046Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68352 (GCVE-0-2025-68352)

Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2025-12-24 10:32

Title

spi: ch341: fix out-of-bounds memory access in ch341_transfer_one

Summary

In the Linux kernel, the following vulnerability has been resolved: spi: ch341: fix out-of-bounds memory access in ch341_transfer_one Discovered by Atuin - Automated Vulnerability Discovery Engine. The 'len' variable is calculated as 'min(32, trans->len + 1)', which includes the 1-byte command header. When copying data from 'trans->tx_buf' to 'ch341->tx_buf + 1', using 'len' as the length is incorrect because: 1. It causes an out-of-bounds read from 'trans->tx_buf' (which has size 'trans->len', i.e., 'len - 1' in this context). 2. It can cause an out-of-bounds write to 'ch341->tx_buf' if 'len' is CH341_PACKET_LENGTH (32). Writing 32 bytes to ch341->tx_buf + 1 overflows the buffer. Fix this by copying 'len - 1' bytes.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/cad6c0fd6f3c0e76a…
	https://git.kernel.org/stable/c/ea1e43966cd03098f…
	https://git.kernel.org/stable/c/81841da1f30f66a85…
	https://git.kernel.org/stable/c/545d1287e40a55242…

Impacted products

Vendor

Product

Version

Linux

Affected: 8846739f52afa07e63395c80227dc544f54bd7b1 , < cad6c0fd6f3c0e76a1f75df4bce3b08a13f08974 (git)
Affected: 8846739f52afa07e63395c80227dc544f54bd7b1 , < ea1e43966cd03098fcd5f0d72e6c2901d45fa08d (git)
Affected: 8846739f52afa07e63395c80227dc544f54bd7b1 , < 81841da1f30f66a850cc8796d99ba330aad9d696 (git)
Affected: 8846739f52afa07e63395c80227dc544f54bd7b1 , < 545d1287e40a55242f6ab68bcc1ba3b74088b1bc (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.12.63 , ≤ 6.12.* (semver)
Unaffected: 6.17.13 , ≤ 6.17.* (semver)
Unaffected: 6.18.2 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/spi/spi-ch341.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cad6c0fd6f3c0e76a1f75df4bce3b08a13f08974",
              "status": "affected",
              "version": "8846739f52afa07e63395c80227dc544f54bd7b1",
              "versionType": "git"
            },
            {
              "lessThan": "ea1e43966cd03098fcd5f0d72e6c2901d45fa08d",
              "status": "affected",
              "version": "8846739f52afa07e63395c80227dc544f54bd7b1",
              "versionType": "git"
            },
            {
              "lessThan": "81841da1f30f66a850cc8796d99ba330aad9d696",
              "status": "affected",
              "version": "8846739f52afa07e63395c80227dc544f54bd7b1",
              "versionType": "git"
            },
            {
              "lessThan": "545d1287e40a55242f6ab68bcc1ba3b74088b1bc",
              "status": "affected",
              "version": "8846739f52afa07e63395c80227dc544f54bd7b1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/spi/spi-ch341.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.63",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.63",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.13",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.2",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: ch341: fix out-of-bounds memory access in ch341_transfer_one\n\nDiscovered by Atuin - Automated Vulnerability Discovery Engine.\n\nThe \u0027len\u0027 variable is calculated as \u0027min(32, trans-\u003elen + 1)\u0027,\nwhich includes the 1-byte command header.\n\nWhen copying data from \u0027trans-\u003etx_buf\u0027 to \u0027ch341-\u003etx_buf + 1\u0027, using \u0027len\u0027\nas the length is incorrect because:\n\n1. It causes an out-of-bounds read from \u0027trans-\u003etx_buf\u0027 (which has size\n   \u0027trans-\u003elen\u0027, i.e., \u0027len - 1\u0027 in this context).\n2. It can cause an out-of-bounds write to \u0027ch341-\u003etx_buf\u0027 if \u0027len\u0027 is\n   CH341_PACKET_LENGTH (32). Writing 32 bytes to ch341-\u003etx_buf + 1\n   overflows the buffer.\n\nFix this by copying \u0027len - 1\u0027 bytes."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-24T10:32:43.366Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cad6c0fd6f3c0e76a1f75df4bce3b08a13f08974"
        },
        {
          "url": "https://git.kernel.org/stable/c/ea1e43966cd03098fcd5f0d72e6c2901d45fa08d"
        },
        {
          "url": "https://git.kernel.org/stable/c/81841da1f30f66a850cc8796d99ba330aad9d696"
        },
        {
          "url": "https://git.kernel.org/stable/c/545d1287e40a55242f6ab68bcc1ba3b74088b1bc"
        }
      ],
      "title": "spi: ch341: fix out-of-bounds memory access in ch341_transfer_one",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68352",
    "datePublished": "2025-12-24T10:32:43.366Z",
    "dateReserved": "2025-12-16T14:48:05.300Z",
    "dateUpdated": "2025-12-24T10:32:43.366Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68244 (GCVE-0-2025-68244)

Vulnerability from cvelistv5 – Published: 2025-12-16 14:21 – Updated: 2025-12-16 14:21

Title

drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD On completion of i915_vma_pin_ww(), a synchronous variant of dma_fence_work_commit() is called. When pinning a VMA to GGTT address space on a Cherry View family processor, or on a Broxton generation SoC with VTD enabled, i.e., when stop_machine() is then called from intel_ggtt_bind_vma(), that can potentially lead to lock inversion among reservation_ww and cpu_hotplug locks. [86.861179] ====================================================== [86.861193] WARNING: possible circular locking dependency detected [86.861209] 6.15.0-rc5-CI_DRM_16515-gca0305cadc2d+ #1 Tainted: G U [86.861226] ------------------------------------------------------ [86.861238] i915_module_loa/1432 is trying to acquire lock: [86.861252] ffffffff83489090 (cpu_hotplug_lock){++++}-{0:0}, at: stop_machine+0x1c/0x50 [86.861290] but task is already holding lock: [86.861303] ffffc90002e0b4c8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: i915_vma_pin.constprop.0+0x39/0x1d0 [i915] [86.862233] which lock already depends on the new lock. [86.862251] the existing dependency chain (in reverse order) is: [86.862265] -> #5 (reservation_ww_class_mutex){+.+.}-{3:3}: [86.862292] dma_resv_lockdep+0x19a/0x390 [86.862315] do_one_initcall+0x60/0x3f0 [86.862334] kernel_init_freeable+0x3cd/0x680 [86.862353] kernel_init+0x1b/0x200 [86.862369] ret_from_fork+0x47/0x70 [86.862383] ret_from_fork_asm+0x1a/0x30 [86.862399] -> #4 (reservation_ww_class_acquire){+.+.}-{0:0}: [86.862425] dma_resv_lockdep+0x178/0x390 [86.862440] do_one_initcall+0x60/0x3f0 [86.862454] kernel_init_freeable+0x3cd/0x680 [86.862470] kernel_init+0x1b/0x200 [86.862482] ret_from_fork+0x47/0x70 [86.862495] ret_from_fork_asm+0x1a/0x30 [86.862509] -> #3 (&mm->mmap_lock){++++}-{3:3}: [86.862531] down_read_killable+0x46/0x1e0 [86.862546] lock_mm_and_find_vma+0xa2/0x280 [86.862561] do_user_addr_fault+0x266/0x8e0 [86.862578] exc_page_fault+0x8a/0x2f0 [86.862593] asm_exc_page_fault+0x27/0x30 [86.862607] filldir64+0xeb/0x180 [86.862620] kernfs_fop_readdir+0x118/0x480 [86.862635] iterate_dir+0xcf/0x2b0 [86.862648] __x64_sys_getdents64+0x84/0x140 [86.862661] x64_sys_call+0x1058/0x2660 [86.862675] do_syscall_64+0x91/0xe90 [86.862689] entry_SYSCALL_64_after_hwframe+0x76/0x7e [86.862703] -> #2 (&root->kernfs_rwsem){++++}-{3:3}: [86.862725] down_write+0x3e/0xf0 [86.862738] kernfs_add_one+0x30/0x3c0 [86.862751] kernfs_create_dir_ns+0x53/0xb0 [86.862765] internal_create_group+0x134/0x4c0 [86.862779] sysfs_create_group+0x13/0x20 [86.862792] topology_add_dev+0x1d/0x30 [86.862806] cpuhp_invoke_callback+0x4b5/0x850 [86.862822] cpuhp_issue_call+0xbf/0x1f0 [86.862836] __cpuhp_setup_state_cpuslocked+0x111/0x320 [86.862852] __cpuhp_setup_state+0xb0/0x220 [86.862866] topology_sysfs_init+0x30/0x50 [86.862879] do_one_initcall+0x60/0x3f0 [86.862893] kernel_init_freeable+0x3cd/0x680 [86.862908] kernel_init+0x1b/0x200 [86.862921] ret_from_fork+0x47/0x70 [86.862934] ret_from_fork_asm+0x1a/0x30 [86.862947] -> #1 (cpuhp_state_mutex){+.+.}-{3:3}: [86.862969] __mutex_lock+0xaa/0xed0 [86.862982] mutex_lock_nested+0x1b/0x30 [86.862995] __cpuhp_setup_state_cpuslocked+0x67/0x320 [86.863012] __cpuhp_setup_state+0xb0/0x220 [86.863026] page_alloc_init_cpuhp+0x2d/0x60 [86.863041] mm_core_init+0x22/0x2d0 [86.863054] start_kernel+0x576/0xbd0 [86.863068] x86_64_start_reservations+0x18/0x30 [86.863084] x86_64_start_kernel+0xbf/0x110 [86.863098] common_startup_64+0x13e/0x141 [86.863114] -> #0 (cpu_hotplug_lock){++++}-{0:0}: [86.863135] __lock_acquire+0x16 ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e988634d7aae72148…
	https://git.kernel.org/stable/c/20d94a6117b752fd1…
	https://git.kernel.org/stable/c/3dec22bde207a36f1…
	https://git.kernel.org/stable/c/4e73066e3323add26…
	https://git.kernel.org/stable/c/858a50127be714f55…
	https://git.kernel.org/stable/c/84bbe327a5cbb060f…

Impacted products

Vendor

Product

Version

Linux

Affected: 7d1c2618eac590d948eb33b9807d913ddb6e105f , < e988634d7aae7214818b9c86cd7ef9e78c84b02d (git)
Affected: 7d1c2618eac590d948eb33b9807d913ddb6e105f , < 20d94a6117b752fd10a78cefdc1cf2c16706048b (git)
Affected: 7d1c2618eac590d948eb33b9807d913ddb6e105f , < 3dec22bde207a36f1b8a4b80564cbbe13996a7cd (git)
Affected: 7d1c2618eac590d948eb33b9807d913ddb6e105f , < 4e73066e3323add260e46eb51f79383d87950281 (git)
Affected: 7d1c2618eac590d948eb33b9807d913ddb6e105f , < 858a50127be714f55c3bcb25621028d4a323d77e (git)
Affected: 7d1c2618eac590d948eb33b9807d913ddb6e105f , < 84bbe327a5cbb060f3321c9d9d4d53936fc1ef9b (git)

Linux

Affected: 5.13
Unaffected: 0 , < 5.13 (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.59 , ≤ 6.12.* (semver)
Unaffected: 6.17.9 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/i915/i915_vma.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e988634d7aae7214818b9c86cd7ef9e78c84b02d",
              "status": "affected",
              "version": "7d1c2618eac590d948eb33b9807d913ddb6e105f",
              "versionType": "git"
            },
            {
              "lessThan": "20d94a6117b752fd10a78cefdc1cf2c16706048b",
              "status": "affected",
              "version": "7d1c2618eac590d948eb33b9807d913ddb6e105f",
              "versionType": "git"
            },
            {
              "lessThan": "3dec22bde207a36f1b8a4b80564cbbe13996a7cd",
              "status": "affected",
              "version": "7d1c2618eac590d948eb33b9807d913ddb6e105f",
              "versionType": "git"
            },
            {
              "lessThan": "4e73066e3323add260e46eb51f79383d87950281",
              "status": "affected",
              "version": "7d1c2618eac590d948eb33b9807d913ddb6e105f",
              "versionType": "git"
            },
            {
              "lessThan": "858a50127be714f55c3bcb25621028d4a323d77e",
              "status": "affected",
              "version": "7d1c2618eac590d948eb33b9807d913ddb6e105f",
              "versionType": "git"
            },
            {
              "lessThan": "84bbe327a5cbb060f3321c9d9d4d53936fc1ef9b",
              "status": "affected",
              "version": "7d1c2618eac590d948eb33b9807d913ddb6e105f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/i915/i915_vma.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD\n\nOn completion of i915_vma_pin_ww(), a synchronous variant of\ndma_fence_work_commit() is called.  When pinning a VMA to GGTT address\nspace on a Cherry View family processor, or on a Broxton generation SoC\nwith VTD enabled, i.e., when stop_machine() is then called from\nintel_ggtt_bind_vma(), that can potentially lead to lock inversion among\nreservation_ww and cpu_hotplug locks.\n\n[86.861179] ======================================================\n[86.861193] WARNING: possible circular locking dependency detected\n[86.861209] 6.15.0-rc5-CI_DRM_16515-gca0305cadc2d+ #1 Tainted: G     U\n[86.861226] ------------------------------------------------------\n[86.861238] i915_module_loa/1432 is trying to acquire lock:\n[86.861252] ffffffff83489090 (cpu_hotplug_lock){++++}-{0:0}, at: stop_machine+0x1c/0x50\n[86.861290]\nbut task is already holding lock:\n[86.861303] ffffc90002e0b4c8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: i915_vma_pin.constprop.0+0x39/0x1d0 [i915]\n[86.862233]\nwhich lock already depends on the new lock.\n[86.862251]\nthe existing dependency chain (in reverse order) is:\n[86.862265]\n-\u003e #5 (reservation_ww_class_mutex){+.+.}-{3:3}:\n[86.862292]        dma_resv_lockdep+0x19a/0x390\n[86.862315]        do_one_initcall+0x60/0x3f0\n[86.862334]        kernel_init_freeable+0x3cd/0x680\n[86.862353]        kernel_init+0x1b/0x200\n[86.862369]        ret_from_fork+0x47/0x70\n[86.862383]        ret_from_fork_asm+0x1a/0x30\n[86.862399]\n-\u003e #4 (reservation_ww_class_acquire){+.+.}-{0:0}:\n[86.862425]        dma_resv_lockdep+0x178/0x390\n[86.862440]        do_one_initcall+0x60/0x3f0\n[86.862454]        kernel_init_freeable+0x3cd/0x680\n[86.862470]        kernel_init+0x1b/0x200\n[86.862482]        ret_from_fork+0x47/0x70\n[86.862495]        ret_from_fork_asm+0x1a/0x30\n[86.862509]\n-\u003e #3 (\u0026mm-\u003emmap_lock){++++}-{3:3}:\n[86.862531]        down_read_killable+0x46/0x1e0\n[86.862546]        lock_mm_and_find_vma+0xa2/0x280\n[86.862561]        do_user_addr_fault+0x266/0x8e0\n[86.862578]        exc_page_fault+0x8a/0x2f0\n[86.862593]        asm_exc_page_fault+0x27/0x30\n[86.862607]        filldir64+0xeb/0x180\n[86.862620]        kernfs_fop_readdir+0x118/0x480\n[86.862635]        iterate_dir+0xcf/0x2b0\n[86.862648]        __x64_sys_getdents64+0x84/0x140\n[86.862661]        x64_sys_call+0x1058/0x2660\n[86.862675]        do_syscall_64+0x91/0xe90\n[86.862689]        entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[86.862703]\n-\u003e #2 (\u0026root-\u003ekernfs_rwsem){++++}-{3:3}:\n[86.862725]        down_write+0x3e/0xf0\n[86.862738]        kernfs_add_one+0x30/0x3c0\n[86.862751]        kernfs_create_dir_ns+0x53/0xb0\n[86.862765]        internal_create_group+0x134/0x4c0\n[86.862779]        sysfs_create_group+0x13/0x20\n[86.862792]        topology_add_dev+0x1d/0x30\n[86.862806]        cpuhp_invoke_callback+0x4b5/0x850\n[86.862822]        cpuhp_issue_call+0xbf/0x1f0\n[86.862836]        __cpuhp_setup_state_cpuslocked+0x111/0x320\n[86.862852]        __cpuhp_setup_state+0xb0/0x220\n[86.862866]        topology_sysfs_init+0x30/0x50\n[86.862879]        do_one_initcall+0x60/0x3f0\n[86.862893]        kernel_init_freeable+0x3cd/0x680\n[86.862908]        kernel_init+0x1b/0x200\n[86.862921]        ret_from_fork+0x47/0x70\n[86.862934]        ret_from_fork_asm+0x1a/0x30\n[86.862947]\n-\u003e #1 (cpuhp_state_mutex){+.+.}-{3:3}:\n[86.862969]        __mutex_lock+0xaa/0xed0\n[86.862982]        mutex_lock_nested+0x1b/0x30\n[86.862995]        __cpuhp_setup_state_cpuslocked+0x67/0x320\n[86.863012]        __cpuhp_setup_state+0xb0/0x220\n[86.863026]        page_alloc_init_cpuhp+0x2d/0x60\n[86.863041]        mm_core_init+0x22/0x2d0\n[86.863054]        start_kernel+0x576/0xbd0\n[86.863068]        x86_64_start_reservations+0x18/0x30\n[86.863084]        x86_64_start_kernel+0xbf/0x110\n[86.863098]        common_startup_64+0x13e/0x141\n[86.863114]\n-\u003e #0 (cpu_hotplug_lock){++++}-{0:0}:\n[86.863135]        __lock_acquire+0x16\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T14:21:21.277Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e988634d7aae7214818b9c86cd7ef9e78c84b02d"
        },
        {
          "url": "https://git.kernel.org/stable/c/20d94a6117b752fd10a78cefdc1cf2c16706048b"
        },
        {
          "url": "https://git.kernel.org/stable/c/3dec22bde207a36f1b8a4b80564cbbe13996a7cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e73066e3323add260e46eb51f79383d87950281"
        },
        {
          "url": "https://git.kernel.org/stable/c/858a50127be714f55c3bcb25621028d4a323d77e"
        },
        {
          "url": "https://git.kernel.org/stable/c/84bbe327a5cbb060f3321c9d9d4d53936fc1ef9b"
        }
      ],
      "title": "drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68244",
    "datePublished": "2025-12-16T14:21:21.277Z",
    "dateReserved": "2025-12-16T13:41:40.263Z",
    "dateUpdated": "2025-12-16T14:21:21.277Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-49733 (GCVE-0-2022-49733)

Vulnerability from cvelistv5 – Published: 2025-03-02 14:30 – Updated: 2025-12-23 13:25

Title

ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC

Summary

In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC There is a small race window at snd_pcm_oss_sync() that is called from OSS PCM SNDCTL_DSP_SYNC ioctl; namely the function calls snd_pcm_oss_make_ready() at first, then takes the params_lock mutex for the rest. When the stream is set up again by another thread between them, it leads to inconsistency, and may result in unexpected results such as NULL dereference of OSS buffer as a fuzzer spotted recently. The fix is simply to cover snd_pcm_oss_make_ready() call into the same params_lock mutex with snd_pcm_oss_make_ready_locked() variant.

Severity ?

4.7 (Medium)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4051324a6dafd7053…
	https://git.kernel.org/stable/c/fce793a056c604b41…
	https://git.kernel.org/stable/c/8015ef9e8a0ee5cec…
	https://git.kernel.org/stable/c/723ac5ab2891b6c10…
	https://git.kernel.org/stable/c/8423f0b6d513b259f…

Impacted products

Vendor

Product

Version

Linux

Affected: e3a5d59a17e9a42e3f3e0e37342b2679bab2ff43 , < 4051324a6dafd7053c74c475e80b3ba10ae672b0 (git)
Affected: e3a5d59a17e9a42e3f3e0e37342b2679bab2ff43 , < fce793a056c604b41a298317cf704dae255f1b36 (git)
Affected: e3a5d59a17e9a42e3f3e0e37342b2679bab2ff43 , < 8015ef9e8a0ee5cecfd0cb6805834d007ab26f86 (git)
Affected: e3a5d59a17e9a42e3f3e0e37342b2679bab2ff43 , < 723ac5ab2891b6c10dd6cc78ef5456af593490eb (git)
Affected: e3a5d59a17e9a42e3f3e0e37342b2679bab2ff43 , < 8423f0b6d513b259fdab9c9bf4aaa6188d054c2d (git)

Linux

Affected: 2.6.20
Unaffected: 0 , < 2.6.20 (semver)
Unaffected: 5.4.215 , ≤ 5.4.* (semver)
Unaffected: 5.10.148 , ≤ 5.10.* (semver)
Unaffected: 5.15.68 , ≤ 5.15.* (semver)
Unaffected: 5.19.9 , ≤ 5.19.* (semver)
Unaffected: 6.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 4.7,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-49733",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:28:32.574856Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:36:38.398Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/core/oss/pcm_oss.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4051324a6dafd7053c74c475e80b3ba10ae672b0",
              "status": "affected",
              "version": "e3a5d59a17e9a42e3f3e0e37342b2679bab2ff43",
              "versionType": "git"
            },
            {
              "lessThan": "fce793a056c604b41a298317cf704dae255f1b36",
              "status": "affected",
              "version": "e3a5d59a17e9a42e3f3e0e37342b2679bab2ff43",
              "versionType": "git"
            },
            {
              "lessThan": "8015ef9e8a0ee5cecfd0cb6805834d007ab26f86",
              "status": "affected",
              "version": "e3a5d59a17e9a42e3f3e0e37342b2679bab2ff43",
              "versionType": "git"
            },
            {
              "lessThan": "723ac5ab2891b6c10dd6cc78ef5456af593490eb",
              "status": "affected",
              "version": "e3a5d59a17e9a42e3f3e0e37342b2679bab2ff43",
              "versionType": "git"
            },
            {
              "lessThan": "8423f0b6d513b259fdab9c9bf4aaa6188d054c2d",
              "status": "affected",
              "version": "e3a5d59a17e9a42e3f3e0e37342b2679bab2ff43",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/core/oss/pcm_oss.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.20"
            },
            {
              "lessThan": "2.6.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.215",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.68",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.215",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.148",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.68",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.9",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0",
                  "versionStartIncluding": "2.6.20",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC\n\nThere is a small race window at snd_pcm_oss_sync() that is called from\nOSS PCM SNDCTL_DSP_SYNC ioctl; namely the function calls\nsnd_pcm_oss_make_ready() at first, then takes the params_lock mutex\nfor the rest.  When the stream is set up again by another thread\nbetween them, it leads to inconsistency, and may result in unexpected\nresults such as NULL dereference of OSS buffer as a fuzzer spotted\nrecently.\n\nThe fix is simply to cover snd_pcm_oss_make_ready() call into the same\nparams_lock mutex with snd_pcm_oss_make_ready_locked() variant."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-23T13:25:18.948Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4051324a6dafd7053c74c475e80b3ba10ae672b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/fce793a056c604b41a298317cf704dae255f1b36"
        },
        {
          "url": "https://git.kernel.org/stable/c/8015ef9e8a0ee5cecfd0cb6805834d007ab26f86"
        },
        {
          "url": "https://git.kernel.org/stable/c/723ac5ab2891b6c10dd6cc78ef5456af593490eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/8423f0b6d513b259fdab9c9bf4aaa6188d054c2d"
        }
      ],
      "title": "ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49733",
    "datePublished": "2025-03-02T14:30:02.838Z",
    "dateReserved": "2025-02-26T02:21:30.449Z",
    "dateUpdated": "2025-12-23T13:25:18.948Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40337 (GCVE-0-2025-40337)

Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2026-01-02 15:33

Title

net: stmmac: Correctly handle Rx checksum offload errors

Summary

In the Linux kernel, the following vulnerability has been resolved: net: stmmac: Correctly handle Rx checksum offload errors The stmmac_rx function would previously set skb->ip_summed to CHECKSUM_UNNECESSARY if hardware checksum offload (CoE) was enabled and the packet was of a known IP ethertype. However, this logic failed to check if the hardware had actually reported a checksum error. The hardware status, indicating a header or payload checksum failure, was being ignored at this stage. This could cause corrupt packets to be passed up the network stack as valid. This patch corrects the logic by checking the `csum_none` status flag, which is set when the hardware reports a checksum error. If this flag is set, skb->ip_summed is now correctly set to CHECKSUM_NONE, ensuring the kernel's network stack will perform its own validation and properly handle the corrupt packet.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/63fbe0e6413279d5e…
	https://git.kernel.org/stable/c/719fcdf29051f7471…
	https://git.kernel.org/stable/c/1aa319e0f12d2d761…
	https://git.kernel.org/stable/c/ee0aace5f844ef593…

Impacted products

Vendor

Product

Version

Linux

Affected: 3c20f72f9108b2fcf30ec63d8a4203736c01ccd0 , < 63fbe0e6413279d5ea5842e2423e351ded547683 (git)
Affected: 3c20f72f9108b2fcf30ec63d8a4203736c01ccd0 , < 719fcdf29051f7471d5d433475af76219019d33d (git)
Affected: 3c20f72f9108b2fcf30ec63d8a4203736c01ccd0 , < 1aa319e0f12d2d761a31556b82a5852c98eb0bea (git)
Affected: 3c20f72f9108b2fcf30ec63d8a4203736c01ccd0 , < ee0aace5f844ef59335148875d05bec8764e71e8 (git)

Linux

Affected: 3.2
Unaffected: 0 , < 3.2 (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/stmicro/stmmac/stmmac_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "63fbe0e6413279d5ea5842e2423e351ded547683",
              "status": "affected",
              "version": "3c20f72f9108b2fcf30ec63d8a4203736c01ccd0",
              "versionType": "git"
            },
            {
              "lessThan": "719fcdf29051f7471d5d433475af76219019d33d",
              "status": "affected",
              "version": "3c20f72f9108b2fcf30ec63d8a4203736c01ccd0",
              "versionType": "git"
            },
            {
              "lessThan": "1aa319e0f12d2d761a31556b82a5852c98eb0bea",
              "status": "affected",
              "version": "3c20f72f9108b2fcf30ec63d8a4203736c01ccd0",
              "versionType": "git"
            },
            {
              "lessThan": "ee0aace5f844ef59335148875d05bec8764e71e8",
              "status": "affected",
              "version": "3c20f72f9108b2fcf30ec63d8a4203736c01ccd0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/stmicro/stmmac/stmmac_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.2"
            },
            {
              "lessThan": "3.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: Correctly handle Rx checksum offload errors\n\nThe stmmac_rx function would previously set skb-\u003eip_summed to\nCHECKSUM_UNNECESSARY if hardware checksum offload (CoE) was enabled\nand the packet was of a known IP ethertype.\n\nHowever, this logic failed to check if the hardware had actually\nreported a checksum error. The hardware status, indicating a header or\npayload checksum failure, was being ignored at this stage. This could\ncause corrupt packets to be passed up the network stack as valid.\n\nThis patch corrects the logic by checking the `csum_none` status flag,\nwhich is set when the hardware reports a checksum error. If this flag\nis set, skb-\u003eip_summed is now correctly set to CHECKSUM_NONE,\nensuring the kernel\u0027s network stack will perform its own validation and\nproperly handle the corrupt packet."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:33:39.035Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/63fbe0e6413279d5ea5842e2423e351ded547683"
        },
        {
          "url": "https://git.kernel.org/stable/c/719fcdf29051f7471d5d433475af76219019d33d"
        },
        {
          "url": "https://git.kernel.org/stable/c/1aa319e0f12d2d761a31556b82a5852c98eb0bea"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee0aace5f844ef59335148875d05bec8764e71e8"
        }
      ],
      "title": "net: stmmac: Correctly handle Rx checksum offload errors",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40337",
    "datePublished": "2025-12-09T04:09:53.808Z",
    "dateReserved": "2025-04-16T07:20:57.186Z",
    "dateUpdated": "2026-01-02T15:33:39.035Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68308 (GCVE-0-2025-68308)

Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06

Title

can: kvaser_usb: leaf: Fix potential infinite loop in command parsers

Summary

In the Linux kernel, the following vulnerability has been resolved: can: kvaser_usb: leaf: Fix potential infinite loop in command parsers The `kvaser_usb_leaf_wait_cmd()` and `kvaser_usb_leaf_read_bulk_callback` functions contain logic to zero-length commands. These commands are used to align data to the USB endpoint's wMaxPacketSize boundary. The driver attempts to skip these placeholders by aligning the buffer position `pos` to the next packet boundary using `round_up()` function. However, if zero-length command is found exactly on a packet boundary (i.e., `pos` is a multiple of wMaxPacketSize, including 0), `round_up` function will return the unchanged value of `pos`. This prevents `pos` to be increased, causing an infinite loop in the parsing logic. This patch fixes this in the function by using `pos + 1` instead. This ensures that even if `pos` is on a boundary, the calculation is based on `pos + 1`, forcing `round_up()` to always return the next aligned boundary.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/58343e0a4d43699f0…
	https://git.kernel.org/stable/c/69c7825df64e24dc1…
	https://git.kernel.org/stable/c/028e89c7e8b434630…
	https://git.kernel.org/stable/c/e9dd83a75a7274ede…
	https://git.kernel.org/stable/c/0897cea266e39166a…
	https://git.kernel.org/stable/c/bd8135a560cf6e64f…
	https://git.kernel.org/stable/c/0c73772cd2b8cc108…

Impacted products

Vendor

Product

Version

Linux

Affected: 7259124eac7d1b76b41c7a9cb2511a30556deebe , < 58343e0a4d43699f0e2f5b169384bbe4c0217add (git)
Affected: 7259124eac7d1b76b41c7a9cb2511a30556deebe , < 69c7825df64e24dc15d31631a1fc9145324b1345 (git)
Affected: 7259124eac7d1b76b41c7a9cb2511a30556deebe , < 028e89c7e8b4346302e88df01cc50e0a1f05791a (git)
Affected: 7259124eac7d1b76b41c7a9cb2511a30556deebe , < e9dd83a75a7274edef21682c823bf0b66d7b6b7f (git)
Affected: 7259124eac7d1b76b41c7a9cb2511a30556deebe , < 0897cea266e39166a36111059ba147192b36592f (git)
Affected: 7259124eac7d1b76b41c7a9cb2511a30556deebe , < bd8135a560cf6e64f0b98ed4daadf126a38f7f48 (git)
Affected: 7259124eac7d1b76b41c7a9cb2511a30556deebe , < 0c73772cd2b8cc108d5f5334de89ad648d89b9ec (git)

Linux

Affected: 4.19
Unaffected: 0 , < 4.19 (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.119 , ≤ 6.6.* (semver)
Unaffected: 6.12.61 , ≤ 6.12.* (semver)
Unaffected: 6.17.11 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "58343e0a4d43699f0e2f5b169384bbe4c0217add",
              "status": "affected",
              "version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
              "versionType": "git"
            },
            {
              "lessThan": "69c7825df64e24dc15d31631a1fc9145324b1345",
              "status": "affected",
              "version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
              "versionType": "git"
            },
            {
              "lessThan": "028e89c7e8b4346302e88df01cc50e0a1f05791a",
              "status": "affected",
              "version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
              "versionType": "git"
            },
            {
              "lessThan": "e9dd83a75a7274edef21682c823bf0b66d7b6b7f",
              "status": "affected",
              "version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
              "versionType": "git"
            },
            {
              "lessThan": "0897cea266e39166a36111059ba147192b36592f",
              "status": "affected",
              "version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
              "versionType": "git"
            },
            {
              "lessThan": "bd8135a560cf6e64f0b98ed4daadf126a38f7f48",
              "status": "affected",
              "version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
              "versionType": "git"
            },
            {
              "lessThan": "0c73772cd2b8cc108d5f5334de89ad648d89b9ec",
              "status": "affected",
              "version": "7259124eac7d1b76b41c7a9cb2511a30556deebe",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.19"
            },
            {
              "lessThan": "4.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.119",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.119",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.61",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.11",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: kvaser_usb: leaf: Fix potential infinite loop in command parsers\n\nThe `kvaser_usb_leaf_wait_cmd()` and `kvaser_usb_leaf_read_bulk_callback`\nfunctions contain logic to zero-length commands. These commands are used\nto align data to the USB endpoint\u0027s wMaxPacketSize boundary.\n\nThe driver attempts to skip these placeholders by aligning the buffer\nposition `pos` to the next packet boundary using `round_up()` function.\n\nHowever, if zero-length command is found exactly on a packet boundary\n(i.e., `pos` is a multiple of wMaxPacketSize, including 0), `round_up`\nfunction will return the unchanged value of `pos`. This prevents `pos`\nto be increased, causing an infinite loop in the parsing logic.\n\nThis patch fixes this in the function by using `pos + 1` instead.\nThis ensures that even if `pos` is on a boundary, the calculation is\nbased on `pos + 1`, forcing `round_up()` to always return the next\naligned boundary."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T15:06:25.081Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/58343e0a4d43699f0e2f5b169384bbe4c0217add"
        },
        {
          "url": "https://git.kernel.org/stable/c/69c7825df64e24dc15d31631a1fc9145324b1345"
        },
        {
          "url": "https://git.kernel.org/stable/c/028e89c7e8b4346302e88df01cc50e0a1f05791a"
        },
        {
          "url": "https://git.kernel.org/stable/c/e9dd83a75a7274edef21682c823bf0b66d7b6b7f"
        },
        {
          "url": "https://git.kernel.org/stable/c/0897cea266e39166a36111059ba147192b36592f"
        },
        {
          "url": "https://git.kernel.org/stable/c/bd8135a560cf6e64f0b98ed4daadf126a38f7f48"
        },
        {
          "url": "https://git.kernel.org/stable/c/0c73772cd2b8cc108d5f5334de89ad648d89b9ec"
        }
      ],
      "title": "can: kvaser_usb: leaf: Fix potential infinite loop in command parsers",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68308",
    "datePublished": "2025-12-16T15:06:25.081Z",
    "dateReserved": "2025-12-16T14:48:05.294Z",
    "dateUpdated": "2025-12-16T15:06:25.081Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56658 (GCVE-0-2024-56658)

Vulnerability from cvelistv5 – Published: 2024-12-27 15:06 – Updated: 2025-11-03 20:51

Title

net: defer final 'struct net' free in netns dismantle

Summary

In the Linux kernel, the following vulnerability has been resolved: net: defer final 'struct net' free in netns dismantle Ilya reported a slab-use-after-free in dst_destroy [1] Issue is in xfrm6_net_init() and xfrm4_net_init() : They copy xfrm[46]_dst_ops_template into net->xfrm.xfrm[46]_dst_ops. But net structure might be freed before all the dst callbacks are called. So when dst_destroy() calls later : if (dst->ops->destroy) dst->ops->destroy(dst); dst->ops points to the old net->xfrm.xfrm[46]_dst_ops, which has been freed. See a relevant issue fixed in : ac888d58869b ("net: do not delay dst_entries_add() in dst_release()") A fix is to queue the 'struct net' to be freed after one another cleanup_net() round (and existing rcu_barrier()) [1] BUG: KASAN: slab-use-after-free in dst_destroy (net/core/dst.c:112) Read of size 8 at addr ffff8882137ccab0 by task swapper/37/0 Dec 03 05:46:18 kernel: CPU: 37 UID: 0 PID: 0 Comm: swapper/37 Kdump: loaded Not tainted 6.12.0 #67 Hardware name: Red Hat KVM/RHEL, BIOS 1.16.1-1.el9 04/01/2014 Call Trace: <IRQ> dump_stack_lvl (lib/dump_stack.c:124) print_address_description.constprop.0 (mm/kasan/report.c:378) ? dst_destroy (net/core/dst.c:112) print_report (mm/kasan/report.c:489) ? dst_destroy (net/core/dst.c:112) ? kasan_addr_to_slab (mm/kasan/common.c:37) kasan_report (mm/kasan/report.c:603) ? dst_destroy (net/core/dst.c:112) ? rcu_do_batch (kernel/rcu/tree.c:2567) dst_destroy (net/core/dst.c:112) rcu_do_batch (kernel/rcu/tree.c:2567) ? __pfx_rcu_do_batch (kernel/rcu/tree.c:2491) ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4339 kernel/locking/lockdep.c:4406) rcu_core (kernel/rcu/tree.c:2825) handle_softirqs (kernel/softirq.c:554) __irq_exit_rcu (kernel/softirq.c:589 kernel/softirq.c:428 kernel/softirq.c:637) irq_exit_rcu (kernel/softirq.c:651) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1049 arch/x86/kernel/apic/apic.c:1049) </IRQ> <TASK> asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702) RIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:743) Code: 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 6e ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 0f 00 2d c7 c9 27 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90 RSP: 0018:ffff888100d2fe00 EFLAGS: 00000246 RAX: 00000000001870ed RBX: 1ffff110201a5fc2 RCX: ffffffffb61a3e46 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffb3d4d123 RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed11c7e1835d R10: ffff888e3f0c1aeb R11: 0000000000000000 R12: 0000000000000000 R13: ffff888100d20000 R14: dffffc0000000000 R15: 0000000000000000 ? ct_kernel_exit.constprop.0 (kernel/context_tracking.c:148) ? cpuidle_idle_call (kernel/sched/idle.c:186) default_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118) cpuidle_idle_call (kernel/sched/idle.c:186) ? __pfx_cpuidle_idle_call (kernel/sched/idle.c:168) ? lock_release (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5848) ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406) ? tsc_verify_tsc_adjust (arch/x86/kernel/tsc_sync.c:59) do_idle (kernel/sched/idle.c:326) cpu_startup_entry (kernel/sched/idle.c:423 (discriminator 1)) start_secondary (arch/x86/kernel/smpboot.c:202 arch/x86/kernel/smpboot.c:282) ? __pfx_start_secondary (arch/x86/kernel/smpboot.c:232) ? soft_restart_cpu (arch/x86/kernel/head_64.S:452) common_startup_64 (arch/x86/kernel/head_64.S:414) </TASK> Dec 03 05:46:18 kernel: Allocated by task 12184: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69) __kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345) kmem_cache_alloc_noprof (mm/slub.c:4085 mm/slub.c:4134 mm/slub.c:4141) copy_net_ns (net/core/net_namespace.c:421 net/core/net_namespace.c:480) create_new_namespaces ---truncated---

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c261dcd61c9e88a8f…
	https://git.kernel.org/stable/c/dac465986a4a38cd2…
	https://git.kernel.org/stable/c/3267b254dc0a04dfa…
	https://git.kernel.org/stable/c/b7a79e51297f7b82a…
	https://git.kernel.org/stable/c/6610c7f8a8d47fd11…
	https://git.kernel.org/stable/c/0f6ede9fbc747e255…

Impacted products

Vendor

Product

Version

Linux

Affected: a8a572a6b5f2a79280d6e302cb3c1cb1fbaeb3e8 , < c261dcd61c9e88a8f1a66654354d32295a975230 (git)
Affected: a8a572a6b5f2a79280d6e302cb3c1cb1fbaeb3e8 , < dac465986a4a38cd2f13e934f562b6ca344e5720 (git)
Affected: a8a572a6b5f2a79280d6e302cb3c1cb1fbaeb3e8 , < 3267b254dc0a04dfa362a2be24573cfa6d2d78f5 (git)
Affected: a8a572a6b5f2a79280d6e302cb3c1cb1fbaeb3e8 , < b7a79e51297f7b82adb687086f5cb2da446f1e40 (git)
Affected: a8a572a6b5f2a79280d6e302cb3c1cb1fbaeb3e8 , < 6610c7f8a8d47fd1123eed55ba8c11c2444d8842 (git)
Affected: a8a572a6b5f2a79280d6e302cb3c1cb1fbaeb3e8 , < 0f6ede9fbc747e2553612271bce108f7517e7a45 (git)
Affected: 3e29fa5b742479f73400468314a1c6b9cf553ee4 (git)
Affected: ce43f6a650a6689551a217276fb0dcca33790425 (git)
Affected: eeca98948d8c4922e6deb16bfc9ee0bd9902dbb0 (git)
Affected: 1bd631fc9a4515878c1bb7effd19335d2f2d87c2 (git)

Linux

Affected: 4.4
Unaffected: 0 , < 4.4 (semver)
Unaffected: 5.10.237 , ≤ 5.10.* (semver)
Unaffected: 5.15.181 , ≤ 5.15.* (semver)
Unaffected: 6.1.121 , ≤ 6.1.* (semver)
Unaffected: 6.6.67 , ≤ 6.6.* (semver)
Unaffected: 6.12.6 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-56658",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-06T16:07:39.771240Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-06T16:14:32.574Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:51:59.582Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/net_namespace.h",
            "net/core/net_namespace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c261dcd61c9e88a8f1a66654354d32295a975230",
              "status": "affected",
              "version": "a8a572a6b5f2a79280d6e302cb3c1cb1fbaeb3e8",
              "versionType": "git"
            },
            {
              "lessThan": "dac465986a4a38cd2f13e934f562b6ca344e5720",
              "status": "affected",
              "version": "a8a572a6b5f2a79280d6e302cb3c1cb1fbaeb3e8",
              "versionType": "git"
            },
            {
              "lessThan": "3267b254dc0a04dfa362a2be24573cfa6d2d78f5",
              "status": "affected",
              "version": "a8a572a6b5f2a79280d6e302cb3c1cb1fbaeb3e8",
              "versionType": "git"
            },
            {
              "lessThan": "b7a79e51297f7b82adb687086f5cb2da446f1e40",
              "status": "affected",
              "version": "a8a572a6b5f2a79280d6e302cb3c1cb1fbaeb3e8",
              "versionType": "git"
            },
            {
              "lessThan": "6610c7f8a8d47fd1123eed55ba8c11c2444d8842",
              "status": "affected",
              "version": "a8a572a6b5f2a79280d6e302cb3c1cb1fbaeb3e8",
              "versionType": "git"
            },
            {
              "lessThan": "0f6ede9fbc747e2553612271bce108f7517e7a45",
              "status": "affected",
              "version": "a8a572a6b5f2a79280d6e302cb3c1cb1fbaeb3e8",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3e29fa5b742479f73400468314a1c6b9cf553ee4",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "ce43f6a650a6689551a217276fb0dcca33790425",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "eeca98948d8c4922e6deb16bfc9ee0bd9902dbb0",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "1bd631fc9a4515878c1bb7effd19335d2f2d87c2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/net_namespace.h",
            "net/core/net_namespace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.4"
            },
            {
              "lessThan": "4.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.121",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.67",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.121",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.67",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.6",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.12.54",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.18.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.1.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.3.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: defer final \u0027struct net\u0027 free in netns dismantle\n\nIlya reported a slab-use-after-free in dst_destroy [1]\n\nIssue is in xfrm6_net_init() and xfrm4_net_init() :\n\nThey copy xfrm[46]_dst_ops_template into net-\u003exfrm.xfrm[46]_dst_ops.\n\nBut net structure might be freed before all the dst callbacks are\ncalled. So when dst_destroy() calls later :\n\nif (dst-\u003eops-\u003edestroy)\n    dst-\u003eops-\u003edestroy(dst);\n\ndst-\u003eops points to the old net-\u003exfrm.xfrm[46]_dst_ops, which has been freed.\n\nSee a relevant issue fixed in :\n\nac888d58869b (\"net: do not delay dst_entries_add() in dst_release()\")\n\nA fix is to queue the \u0027struct net\u0027 to be freed after one\nanother cleanup_net() round (and existing rcu_barrier())\n\n[1]\n\nBUG: KASAN: slab-use-after-free in dst_destroy (net/core/dst.c:112)\nRead of size 8 at addr ffff8882137ccab0 by task swapper/37/0\nDec 03 05:46:18 kernel:\nCPU: 37 UID: 0 PID: 0 Comm: swapper/37 Kdump: loaded Not tainted 6.12.0 #67\nHardware name: Red Hat KVM/RHEL, BIOS 1.16.1-1.el9 04/01/2014\nCall Trace:\n \u003cIRQ\u003e\ndump_stack_lvl (lib/dump_stack.c:124)\nprint_address_description.constprop.0 (mm/kasan/report.c:378)\n? dst_destroy (net/core/dst.c:112)\nprint_report (mm/kasan/report.c:489)\n? dst_destroy (net/core/dst.c:112)\n? kasan_addr_to_slab (mm/kasan/common.c:37)\nkasan_report (mm/kasan/report.c:603)\n? dst_destroy (net/core/dst.c:112)\n? rcu_do_batch (kernel/rcu/tree.c:2567)\ndst_destroy (net/core/dst.c:112)\nrcu_do_batch (kernel/rcu/tree.c:2567)\n? __pfx_rcu_do_batch (kernel/rcu/tree.c:2491)\n? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4339 kernel/locking/lockdep.c:4406)\nrcu_core (kernel/rcu/tree.c:2825)\nhandle_softirqs (kernel/softirq.c:554)\n__irq_exit_rcu (kernel/softirq.c:589 kernel/softirq.c:428 kernel/softirq.c:637)\nirq_exit_rcu (kernel/softirq.c:651)\nsysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1049 arch/x86/kernel/apic/apic.c:1049)\n \u003c/IRQ\u003e\n \u003cTASK\u003e\nasm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702)\nRIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:743)\nCode: 00 4d 29 c8 4c 01 c7 4c 29 c2 e9 6e ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 0f 00 2d c7 c9 27 00 fb f4 \u003cfa\u003e c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 90\nRSP: 0018:ffff888100d2fe00 EFLAGS: 00000246\nRAX: 00000000001870ed RBX: 1ffff110201a5fc2 RCX: ffffffffb61a3e46\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffb3d4d123\nRBP: 0000000000000000 R08: 0000000000000001 R09: ffffed11c7e1835d\nR10: ffff888e3f0c1aeb R11: 0000000000000000 R12: 0000000000000000\nR13: ffff888100d20000 R14: dffffc0000000000 R15: 0000000000000000\n? ct_kernel_exit.constprop.0 (kernel/context_tracking.c:148)\n? cpuidle_idle_call (kernel/sched/idle.c:186)\ndefault_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118)\ncpuidle_idle_call (kernel/sched/idle.c:186)\n? __pfx_cpuidle_idle_call (kernel/sched/idle.c:168)\n? lock_release (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5848)\n? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406)\n? tsc_verify_tsc_adjust (arch/x86/kernel/tsc_sync.c:59)\ndo_idle (kernel/sched/idle.c:326)\ncpu_startup_entry (kernel/sched/idle.c:423 (discriminator 1))\nstart_secondary (arch/x86/kernel/smpboot.c:202 arch/x86/kernel/smpboot.c:282)\n? __pfx_start_secondary (arch/x86/kernel/smpboot.c:232)\n? soft_restart_cpu (arch/x86/kernel/head_64.S:452)\ncommon_startup_64 (arch/x86/kernel/head_64.S:414)\n \u003c/TASK\u003e\nDec 03 05:46:18 kernel:\nAllocated by task 12184:\nkasan_save_stack (mm/kasan/common.c:48)\nkasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69)\n__kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345)\nkmem_cache_alloc_noprof (mm/slub.c:4085 mm/slub.c:4134 mm/slub.c:4141)\ncopy_net_ns (net/core/net_namespace.c:421 net/core/net_namespace.c:480)\ncreate_new_namespaces\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:01:04.087Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c261dcd61c9e88a8f1a66654354d32295a975230"
        },
        {
          "url": "https://git.kernel.org/stable/c/dac465986a4a38cd2f13e934f562b6ca344e5720"
        },
        {
          "url": "https://git.kernel.org/stable/c/3267b254dc0a04dfa362a2be24573cfa6d2d78f5"
        },
        {
          "url": "https://git.kernel.org/stable/c/b7a79e51297f7b82adb687086f5cb2da446f1e40"
        },
        {
          "url": "https://git.kernel.org/stable/c/6610c7f8a8d47fd1123eed55ba8c11c2444d8842"
        },
        {
          "url": "https://git.kernel.org/stable/c/0f6ede9fbc747e2553612271bce108f7517e7a45"
        }
      ],
      "title": "net: defer final \u0027struct net\u0027 free in netns dismantle",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-56658",
    "datePublished": "2024-12-27T15:06:21.516Z",
    "dateReserved": "2024-12-27T15:00:39.841Z",
    "dateUpdated": "2025-11-03T20:51:59.582Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50678 (GCVE-0-2022-50678)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-23 13:30

Title

wifi: brcmfmac: fix invalid address access when enabling SCAN log level

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix invalid address access when enabling SCAN log level The variable i is changed when setting random MAC address and causes invalid address access when printing the value of pi->reqs[i]->reqid. We replace reqs index with ri to fix the issue. [ 136.726473] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000 [ 136.737365] Mem abort info: [ 136.740172] ESR = 0x96000004 [ 136.743359] Exception class = DABT (current EL), IL = 32 bits [ 136.749294] SET = 0, FnV = 0 [ 136.752481] EA = 0, S1PTW = 0 [ 136.755635] Data abort info: [ 136.758514] ISV = 0, ISS = 0x00000004 [ 136.762487] CM = 0, WnR = 0 [ 136.765522] user pgtable: 4k pages, 48-bit VAs, pgdp = 000000005c4e2577 [ 136.772265] [0000000000000000] pgd=0000000000000000 [ 136.777160] Internal error: Oops: 96000004 [#1] PREEMPT SMP [ 136.782732] Modules linked in: brcmfmac(O) brcmutil(O) cfg80211(O) compat(O) [ 136.789788] Process wificond (pid: 3175, stack limit = 0x00000000053048fb) [ 136.796664] CPU: 3 PID: 3175 Comm: wificond Tainted: G O 4.19.42-00001-g531a5f5 #1 [ 136.805532] Hardware name: Freescale i.MX8MQ EVK (DT) [ 136.810584] pstate: 60400005 (nZCv daif +PAN -UAO) [ 136.815429] pc : brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac] [ 136.821811] lr : brcmf_pno_config_sched_scans+0x67c/0xa80 [brcmfmac] [ 136.828162] sp : ffff00000e9a3880 [ 136.831475] x29: ffff00000e9a3890 x28: ffff800020543400 [ 136.836786] x27: ffff8000b1008880 x26: ffff0000012bf6a0 [ 136.842098] x25: ffff80002054345c x24: ffff800088d22400 [ 136.847409] x23: ffff0000012bf638 x22: ffff0000012bf6d8 [ 136.852721] x21: ffff8000aced8fc0 x20: ffff8000ac164400 [ 136.858032] x19: ffff00000e9a3946 x18: 0000000000000000 [ 136.863343] x17: 0000000000000000 x16: 0000000000000000 [ 136.868655] x15: ffff0000093f3b37 x14: 0000000000000050 [ 136.873966] x13: 0000000000003135 x12: 0000000000000000 [ 136.879277] x11: 0000000000000000 x10: ffff000009a61888 [ 136.884589] x9 : 000000000000000f x8 : 0000000000000008 [ 136.889900] x7 : 303a32303d726464 x6 : ffff00000a1f957d [ 136.895211] x5 : 0000000000000000 x4 : ffff00000e9a3942 [ 136.900523] x3 : 0000000000000000 x2 : ffff0000012cead8 [ 136.905834] x1 : ffff0000012bf6d8 x0 : 0000000000000000 [ 136.911146] Call trace: [ 136.913623] brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac] [ 136.919658] brcmf_pno_start_sched_scan+0xa4/0x118 [brcmfmac] [ 136.925430] brcmf_cfg80211_sched_scan_start+0x80/0xe0 [brcmfmac] [ 136.931636] nl80211_start_sched_scan+0x140/0x308 [cfg80211] [ 136.937298] genl_rcv_msg+0x358/0x3f4 [ 136.940960] netlink_rcv_skb+0xb4/0x118 [ 136.944795] genl_rcv+0x34/0x48 [ 136.947935] netlink_unicast+0x264/0x300 [ 136.951856] netlink_sendmsg+0x2e4/0x33c [ 136.955781] __sys_sendto+0x120/0x19c

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7ccb0529446ae68a8…
	https://git.kernel.org/stable/c/1c12d47a9017a7745…
	https://git.kernel.org/stable/c/56a0ac48634155d2b…
	https://git.kernel.org/stable/c/50e45034c5802cedb…
	https://git.kernel.org/stable/c/75995ce1c926ee87b…
	https://git.kernel.org/stable/c/4d4dcfa6b4e85a878…
	https://git.kernel.org/stable/c/826405a911473b6ee…
	https://git.kernel.org/stable/c/aa666b68e73fc06d8…

Impacted products

Vendor

Product

Version

Linux

Affected: efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3 , < 7ccb0529446ae68a8581916bfc95c353306d76ba (git)
Affected: efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3 , < 1c12d47a9017a7745585b57b9b0fdc0d8c50978e (git)
Affected: efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3 , < 56a0ac48634155d2b866b99fba7e1dd8df4e2804 (git)
Affected: efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3 , < 50e45034c5802cedbf5b707364ea76ace29ad984 (git)
Affected: efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3 , < 75995ce1c926ee87bf93d58977c766b4e7744715 (git)
Affected: efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3 , < 4d4dcfa6b4e85a878401f4fbae4cafc88cdcceb4 (git)
Affected: efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3 , < 826405a911473b6ee8bd2aa891cb2f03a13efa17 (git)
Affected: efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3 , < aa666b68e73fc06d83c070d96180b9010cf5a960 (git)

Linux

Affected: 4.13
Unaffected: 0 , < 4.13 (semver)
Unaffected: 4.14.296 , ≤ 4.14.* (semver)
Unaffected: 4.19.262 , ≤ 4.19.* (semver)
Unaffected: 5.4.220 , ≤ 5.4.* (semver)
Unaffected: 5.10.150 , ≤ 5.10.* (semver)
Unaffected: 5.15.75 , ≤ 5.15.* (semver)
Unaffected: 5.19.17 , ≤ 5.19.* (semver)
Unaffected: 6.0.3 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7ccb0529446ae68a8581916bfc95c353306d76ba",
              "status": "affected",
              "version": "efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3",
              "versionType": "git"
            },
            {
              "lessThan": "1c12d47a9017a7745585b57b9b0fdc0d8c50978e",
              "status": "affected",
              "version": "efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3",
              "versionType": "git"
            },
            {
              "lessThan": "56a0ac48634155d2b866b99fba7e1dd8df4e2804",
              "status": "affected",
              "version": "efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3",
              "versionType": "git"
            },
            {
              "lessThan": "50e45034c5802cedbf5b707364ea76ace29ad984",
              "status": "affected",
              "version": "efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3",
              "versionType": "git"
            },
            {
              "lessThan": "75995ce1c926ee87bf93d58977c766b4e7744715",
              "status": "affected",
              "version": "efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3",
              "versionType": "git"
            },
            {
              "lessThan": "4d4dcfa6b4e85a878401f4fbae4cafc88cdcceb4",
              "status": "affected",
              "version": "efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3",
              "versionType": "git"
            },
            {
              "lessThan": "826405a911473b6ee8bd2aa891cb2f03a13efa17",
              "status": "affected",
              "version": "efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3",
              "versionType": "git"
            },
            {
              "lessThan": "aa666b68e73fc06d83c070d96180b9010cf5a960",
              "status": "affected",
              "version": "efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.13"
            },
            {
              "lessThan": "4.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.262",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.220",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.296",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.262",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.220",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.150",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.75",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: fix invalid address access when enabling SCAN log level\n\nThe variable i is changed when setting random MAC address and causes\ninvalid address access when printing the value of pi-\u003ereqs[i]-\u003ereqid.\n\nWe replace reqs index with ri to fix the issue.\n\n[  136.726473] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000\n[  136.737365] Mem abort info:\n[  136.740172]   ESR = 0x96000004\n[  136.743359]   Exception class = DABT (current EL), IL = 32 bits\n[  136.749294]   SET = 0, FnV = 0\n[  136.752481]   EA = 0, S1PTW = 0\n[  136.755635] Data abort info:\n[  136.758514]   ISV = 0, ISS = 0x00000004\n[  136.762487]   CM = 0, WnR = 0\n[  136.765522] user pgtable: 4k pages, 48-bit VAs, pgdp = 000000005c4e2577\n[  136.772265] [0000000000000000] pgd=0000000000000000\n[  136.777160] Internal error: Oops: 96000004 [#1] PREEMPT SMP\n[  136.782732] Modules linked in: brcmfmac(O) brcmutil(O) cfg80211(O) compat(O)\n[  136.789788] Process wificond (pid: 3175, stack limit = 0x00000000053048fb)\n[  136.796664] CPU: 3 PID: 3175 Comm: wificond Tainted: G           O      4.19.42-00001-g531a5f5 #1\n[  136.805532] Hardware name: Freescale i.MX8MQ EVK (DT)\n[  136.810584] pstate: 60400005 (nZCv daif +PAN -UAO)\n[  136.815429] pc : brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac]\n[  136.821811] lr : brcmf_pno_config_sched_scans+0x67c/0xa80 [brcmfmac]\n[  136.828162] sp : ffff00000e9a3880\n[  136.831475] x29: ffff00000e9a3890 x28: ffff800020543400\n[  136.836786] x27: ffff8000b1008880 x26: ffff0000012bf6a0\n[  136.842098] x25: ffff80002054345c x24: ffff800088d22400\n[  136.847409] x23: ffff0000012bf638 x22: ffff0000012bf6d8\n[  136.852721] x21: ffff8000aced8fc0 x20: ffff8000ac164400\n[  136.858032] x19: ffff00000e9a3946 x18: 0000000000000000\n[  136.863343] x17: 0000000000000000 x16: 0000000000000000\n[  136.868655] x15: ffff0000093f3b37 x14: 0000000000000050\n[  136.873966] x13: 0000000000003135 x12: 0000000000000000\n[  136.879277] x11: 0000000000000000 x10: ffff000009a61888\n[  136.884589] x9 : 000000000000000f x8 : 0000000000000008\n[  136.889900] x7 : 303a32303d726464 x6 : ffff00000a1f957d\n[  136.895211] x5 : 0000000000000000 x4 : ffff00000e9a3942\n[  136.900523] x3 : 0000000000000000 x2 : ffff0000012cead8\n[  136.905834] x1 : ffff0000012bf6d8 x0 : 0000000000000000\n[  136.911146] Call trace:\n[  136.913623]  brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac]\n[  136.919658]  brcmf_pno_start_sched_scan+0xa4/0x118 [brcmfmac]\n[  136.925430]  brcmf_cfg80211_sched_scan_start+0x80/0xe0 [brcmfmac]\n[  136.931636]  nl80211_start_sched_scan+0x140/0x308 [cfg80211]\n[  136.937298]  genl_rcv_msg+0x358/0x3f4\n[  136.940960]  netlink_rcv_skb+0xb4/0x118\n[  136.944795]  genl_rcv+0x34/0x48\n[  136.947935]  netlink_unicast+0x264/0x300\n[  136.951856]  netlink_sendmsg+0x2e4/0x33c\n[  136.955781]  __sys_sendto+0x120/0x19c"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-23T13:30:31.837Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7ccb0529446ae68a8581916bfc95c353306d76ba"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c12d47a9017a7745585b57b9b0fdc0d8c50978e"
        },
        {
          "url": "https://git.kernel.org/stable/c/56a0ac48634155d2b866b99fba7e1dd8df4e2804"
        },
        {
          "url": "https://git.kernel.org/stable/c/50e45034c5802cedbf5b707364ea76ace29ad984"
        },
        {
          "url": "https://git.kernel.org/stable/c/75995ce1c926ee87bf93d58977c766b4e7744715"
        },
        {
          "url": "https://git.kernel.org/stable/c/4d4dcfa6b4e85a878401f4fbae4cafc88cdcceb4"
        },
        {
          "url": "https://git.kernel.org/stable/c/826405a911473b6ee8bd2aa891cb2f03a13efa17"
        },
        {
          "url": "https://git.kernel.org/stable/c/aa666b68e73fc06d83c070d96180b9010cf5a960"
        }
      ],
      "title": "wifi: brcmfmac: fix invalid address access when enabling SCAN log level",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50678",
    "datePublished": "2025-12-09T01:29:31.739Z",
    "dateReserved": "2025-12-09T01:26:45.991Z",
    "dateUpdated": "2025-12-23T13:30:31.837Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50870 (GCVE-0-2022-50870)

Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2026-01-02 15:05

Title

powerpc/rtas: avoid device tree lookups in rtas_os_term()

Summary

In the Linux kernel, the following vulnerability has been resolved: powerpc/rtas: avoid device tree lookups in rtas_os_term() rtas_os_term() is called during panic. Its behavior depends on a couple of conditions in the /rtas node of the device tree, the traversal of which entails locking and local IRQ state changes. If the kernel panics while devtree_lock is held, rtas_os_term() as currently written could hang. Instead of discovering the relevant characteristics at panic time, cache them in file-static variables at boot. Note the lookup for "ibm,extended-os-term" is converted to of_property_read_bool() since it is a boolean property, not an RTAS function token. [mpe: Incorporate suggested change from Nick]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e23822c7381c59d9e…
	https://git.kernel.org/stable/c/06a07fbb32b3a23ee…
	https://git.kernel.org/stable/c/c2fa91abf22a705cf…
	https://git.kernel.org/stable/c/f2167f10fcca68ab9…
	https://git.kernel.org/stable/c/d8939315b7342860d…
	https://git.kernel.org/stable/c/698e682c849e356fb…
	https://git.kernel.org/stable/c/464d10e8d797454e1…
	https://git.kernel.org/stable/c/ed2213bfb192ab51f…

Impacted products

Vendor

Product

Version

Linux

Affected: 088186ded490ced80758200cf8f906ed741df306 , < e23822c7381c59d9e42e65771b6e17c71ed30ea7 (git)
Affected: 088186ded490ced80758200cf8f906ed741df306 , < 06a07fbb32b3a23eec20a42b1e64474da0a3b33e (git)
Affected: 088186ded490ced80758200cf8f906ed741df306 , < c2fa91abf22a705cf02f886cd99cff41f4ceda60 (git)
Affected: 088186ded490ced80758200cf8f906ed741df306 , < f2167f10fcca68ab9ae3f8d94d2c704c5541ac69 (git)
Affected: 088186ded490ced80758200cf8f906ed741df306 , < d8939315b7342860df143afe0adda6212cdd3193 (git)
Affected: 088186ded490ced80758200cf8f906ed741df306 , < 698e682c849e356fb47a8be47ca8baa817cf31e0 (git)
Affected: 088186ded490ced80758200cf8f906ed741df306 , < 464d10e8d797454e16a173ef1292a446b2adf21c (git)
Affected: 088186ded490ced80758200cf8f906ed741df306 , < ed2213bfb192ab51f09f12e9b49b5d482c6493f3 (git)

Linux

Affected: 2.6.16
Unaffected: 0 , < 2.6.16 (semver)
Unaffected: 4.14.303 , ≤ 4.14.* (semver)
Unaffected: 4.19.270 , ≤ 4.19.* (semver)
Unaffected: 5.4.229 , ≤ 5.4.* (semver)
Unaffected: 5.10.163 , ≤ 5.10.* (semver)
Unaffected: 5.15.87 , ≤ 5.15.* (semver)
Unaffected: 6.0.17 , ≤ 6.0.* (semver)
Unaffected: 6.1.3 , ≤ 6.1.* (semver)
Unaffected: 6.2 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/powerpc/kernel/rtas.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e23822c7381c59d9e42e65771b6e17c71ed30ea7",
              "status": "affected",
              "version": "088186ded490ced80758200cf8f906ed741df306",
              "versionType": "git"
            },
            {
              "lessThan": "06a07fbb32b3a23eec20a42b1e64474da0a3b33e",
              "status": "affected",
              "version": "088186ded490ced80758200cf8f906ed741df306",
              "versionType": "git"
            },
            {
              "lessThan": "c2fa91abf22a705cf02f886cd99cff41f4ceda60",
              "status": "affected",
              "version": "088186ded490ced80758200cf8f906ed741df306",
              "versionType": "git"
            },
            {
              "lessThan": "f2167f10fcca68ab9ae3f8d94d2c704c5541ac69",
              "status": "affected",
              "version": "088186ded490ced80758200cf8f906ed741df306",
              "versionType": "git"
            },
            {
              "lessThan": "d8939315b7342860df143afe0adda6212cdd3193",
              "status": "affected",
              "version": "088186ded490ced80758200cf8f906ed741df306",
              "versionType": "git"
            },
            {
              "lessThan": "698e682c849e356fb47a8be47ca8baa817cf31e0",
              "status": "affected",
              "version": "088186ded490ced80758200cf8f906ed741df306",
              "versionType": "git"
            },
            {
              "lessThan": "464d10e8d797454e16a173ef1292a446b2adf21c",
              "status": "affected",
              "version": "088186ded490ced80758200cf8f906ed741df306",
              "versionType": "git"
            },
            {
              "lessThan": "ed2213bfb192ab51f09f12e9b49b5d482c6493f3",
              "status": "affected",
              "version": "088186ded490ced80758200cf8f906ed741df306",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/powerpc/kernel/rtas.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.16"
            },
            {
              "lessThan": "2.6.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.303",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.270",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.229",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.163",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.303",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.270",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.229",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.163",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.87",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.17",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.3",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "versionStartIncluding": "2.6.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/rtas: avoid device tree lookups in rtas_os_term()\n\nrtas_os_term() is called during panic. Its behavior depends on a couple\nof conditions in the /rtas node of the device tree, the traversal of\nwhich entails locking and local IRQ state changes. If the kernel panics\nwhile devtree_lock is held, rtas_os_term() as currently written could\nhang.\n\nInstead of discovering the relevant characteristics at panic time,\ncache them in file-static variables at boot. Note the lookup for\n\"ibm,extended-os-term\" is converted to of_property_read_bool() since it\nis a boolean property, not an RTAS function token.\n\n[mpe: Incorporate suggested change from Nick]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:05:07.299Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e23822c7381c59d9e42e65771b6e17c71ed30ea7"
        },
        {
          "url": "https://git.kernel.org/stable/c/06a07fbb32b3a23eec20a42b1e64474da0a3b33e"
        },
        {
          "url": "https://git.kernel.org/stable/c/c2fa91abf22a705cf02f886cd99cff41f4ceda60"
        },
        {
          "url": "https://git.kernel.org/stable/c/f2167f10fcca68ab9ae3f8d94d2c704c5541ac69"
        },
        {
          "url": "https://git.kernel.org/stable/c/d8939315b7342860df143afe0adda6212cdd3193"
        },
        {
          "url": "https://git.kernel.org/stable/c/698e682c849e356fb47a8be47ca8baa817cf31e0"
        },
        {
          "url": "https://git.kernel.org/stable/c/464d10e8d797454e16a173ef1292a446b2adf21c"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed2213bfb192ab51f09f12e9b49b5d482c6493f3"
        }
      ],
      "title": "powerpc/rtas: avoid device tree lookups in rtas_os_term()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50870",
    "datePublished": "2025-12-30T12:15:40.718Z",
    "dateReserved": "2025-12-30T12:06:07.136Z",
    "dateUpdated": "2026-01-02T15:05:07.299Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40301 (GCVE-0-2025-40301)

Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46

Title

Bluetooth: hci_event: validate skb length for unknown CC opcode

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: validate skb length for unknown CC opcode In hci_cmd_complete_evt(), if the command complete event has an unknown opcode, we assume the first byte of the remaining skb->data contains the return status. However, parameter data has previously been pulled in hci_event_func(), which may leave the skb empty. If so, using skb->data[0] for the return status uses un-init memory. The fix is to check skb->len before using skb->data.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/fea895de78d3bb2f0…
	https://git.kernel.org/stable/c/779f83a91d4f1bf5d…
	https://git.kernel.org/stable/c/cf2c2acec1cf456c3…
	https://git.kernel.org/stable/c/1a0ddaaf97405dbd1…
	https://git.kernel.org/stable/c/5c5f1f64681cc889d…

Impacted products

Vendor

Product

Version

Linux

Affected: afcb3369f46ed5dc883a7b92f2dd1e264d79d388 , < fea895de78d3bb2f0c09db9f10b18f8121b15759 (git)
Affected: afcb3369f46ed5dc883a7b92f2dd1e264d79d388 , < 779f83a91d4f1bf5ddfeaf528420cbb6dbf03fa8 (git)
Affected: afcb3369f46ed5dc883a7b92f2dd1e264d79d388 , < cf2c2acec1cf456c3d11c11a7589e886a0f963a9 (git)
Affected: afcb3369f46ed5dc883a7b92f2dd1e264d79d388 , < 1a0ddaaf97405dbd11d4cb5a961a3f82400e8a50 (git)
Affected: afcb3369f46ed5dc883a7b92f2dd1e264d79d388 , < 5c5f1f64681cc889d9b13e4a61285e9e029d6ab5 (git)

Linux

Affected: 6.1
Unaffected: 0 , < 6.1 (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/hci_event.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fea895de78d3bb2f0c09db9f10b18f8121b15759",
              "status": "affected",
              "version": "afcb3369f46ed5dc883a7b92f2dd1e264d79d388",
              "versionType": "git"
            },
            {
              "lessThan": "779f83a91d4f1bf5ddfeaf528420cbb6dbf03fa8",
              "status": "affected",
              "version": "afcb3369f46ed5dc883a7b92f2dd1e264d79d388",
              "versionType": "git"
            },
            {
              "lessThan": "cf2c2acec1cf456c3d11c11a7589e886a0f963a9",
              "status": "affected",
              "version": "afcb3369f46ed5dc883a7b92f2dd1e264d79d388",
              "versionType": "git"
            },
            {
              "lessThan": "1a0ddaaf97405dbd11d4cb5a961a3f82400e8a50",
              "status": "affected",
              "version": "afcb3369f46ed5dc883a7b92f2dd1e264d79d388",
              "versionType": "git"
            },
            {
              "lessThan": "5c5f1f64681cc889d9b13e4a61285e9e029d6ab5",
              "status": "affected",
              "version": "afcb3369f46ed5dc883a7b92f2dd1e264d79d388",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/hci_event.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.1"
            },
            {
              "lessThan": "6.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: validate skb length for unknown CC opcode\n\nIn hci_cmd_complete_evt(), if the command complete event has an unknown\nopcode, we assume the first byte of the remaining skb-\u003edata contains the\nreturn status. However, parameter data has previously been pulled in\nhci_event_func(), which may leave the skb empty. If so, using skb-\u003edata[0]\nfor the return status uses un-init memory.\n\nThe fix is to check skb-\u003elen before using skb-\u003edata."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-08T00:46:24.863Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fea895de78d3bb2f0c09db9f10b18f8121b15759"
        },
        {
          "url": "https://git.kernel.org/stable/c/779f83a91d4f1bf5ddfeaf528420cbb6dbf03fa8"
        },
        {
          "url": "https://git.kernel.org/stable/c/cf2c2acec1cf456c3d11c11a7589e886a0f963a9"
        },
        {
          "url": "https://git.kernel.org/stable/c/1a0ddaaf97405dbd11d4cb5a961a3f82400e8a50"
        },
        {
          "url": "https://git.kernel.org/stable/c/5c5f1f64681cc889d9b13e4a61285e9e029d6ab5"
        }
      ],
      "title": "Bluetooth: hci_event: validate skb length for unknown CC opcode",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40301",
    "datePublished": "2025-12-08T00:46:24.863Z",
    "dateReserved": "2025-04-16T07:20:57.185Z",
    "dateUpdated": "2025-12-08T00:46:24.863Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40319 (GCVE-0-2025-40319)

Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46

Title

bpf: Sync pending IRQ work before freeing ring buffer

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf: Sync pending IRQ work before freeing ring buffer Fix a race where irq_work can be queued in bpf_ringbuf_commit() but the ring buffer is freed before the work executes. In the syzbot reproducer, a BPF program attached to sched_switch triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer is freed before this work executes, the irq_work thread may accesses freed memory. Calling `irq_work_sync(&rb->work)` ensures that all pending irq_work complete before freeing the buffer.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/47626748a2a00068d…
	https://git.kernel.org/stable/c/de2ce6b14bc3e5657…
	https://git.kernel.org/stable/c/e1828c7a8d8135e21…
	https://git.kernel.org/stable/c/6451141103547f4ef…
	https://git.kernel.org/stable/c/10ca3b2eec384628b…
	https://git.kernel.org/stable/c/430e15544f11f8de2…
	https://git.kernel.org/stable/c/4e9077638301816a7…

Impacted products

Vendor

Product

Version

Linux

Affected: 457f44363a8894135c85b7a9afd2bd8196db24ab , < 47626748a2a00068dbbd5836d19076637b4e235b (git)
Affected: 457f44363a8894135c85b7a9afd2bd8196db24ab , < de2ce6b14bc3e565708a39bdba3ef9162aeffc72 (git)
Affected: 457f44363a8894135c85b7a9afd2bd8196db24ab , < e1828c7a8d8135e21ff6adaaa9458c32aae13b11 (git)
Affected: 457f44363a8894135c85b7a9afd2bd8196db24ab , < 6451141103547f4efd774e912418a3b4318046c6 (git)
Affected: 457f44363a8894135c85b7a9afd2bd8196db24ab , < 10ca3b2eec384628bc9f5d8190aed9427ad2dde6 (git)
Affected: 457f44363a8894135c85b7a9afd2bd8196db24ab , < 430e15544f11f8de26b2b5109c7152f71b78295e (git)
Affected: 457f44363a8894135c85b7a9afd2bd8196db24ab , < 4e9077638301816a7d73fa1e1b4c1db4a7e3b59c (git)

Linux

Affected: 5.8
Unaffected: 0 , < 5.8 (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/ringbuf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "47626748a2a00068dbbd5836d19076637b4e235b",
              "status": "affected",
              "version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
              "versionType": "git"
            },
            {
              "lessThan": "de2ce6b14bc3e565708a39bdba3ef9162aeffc72",
              "status": "affected",
              "version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
              "versionType": "git"
            },
            {
              "lessThan": "e1828c7a8d8135e21ff6adaaa9458c32aae13b11",
              "status": "affected",
              "version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
              "versionType": "git"
            },
            {
              "lessThan": "6451141103547f4efd774e912418a3b4318046c6",
              "status": "affected",
              "version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
              "versionType": "git"
            },
            {
              "lessThan": "10ca3b2eec384628bc9f5d8190aed9427ad2dde6",
              "status": "affected",
              "version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
              "versionType": "git"
            },
            {
              "lessThan": "430e15544f11f8de26b2b5109c7152f71b78295e",
              "status": "affected",
              "version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
              "versionType": "git"
            },
            {
              "lessThan": "4e9077638301816a7d73fa1e1b4c1db4a7e3b59c",
              "status": "affected",
              "version": "457f44363a8894135c85b7a9afd2bd8196db24ab",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/ringbuf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.8"
            },
            {
              "lessThan": "5.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Sync pending IRQ work before freeing ring buffer\n\nFix a race where irq_work can be queued in bpf_ringbuf_commit()\nbut the ring buffer is freed before the work executes.\nIn the syzbot reproducer, a BPF program attached to sched_switch\ntriggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer\nis freed before this work executes, the irq_work thread may accesses\nfreed memory.\nCalling `irq_work_sync(\u0026rb-\u003ework)` ensures that all pending irq_work\ncomplete before freeing the buffer."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-08T00:46:46.448Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/47626748a2a00068dbbd5836d19076637b4e235b"
        },
        {
          "url": "https://git.kernel.org/stable/c/de2ce6b14bc3e565708a39bdba3ef9162aeffc72"
        },
        {
          "url": "https://git.kernel.org/stable/c/e1828c7a8d8135e21ff6adaaa9458c32aae13b11"
        },
        {
          "url": "https://git.kernel.org/stable/c/6451141103547f4efd774e912418a3b4318046c6"
        },
        {
          "url": "https://git.kernel.org/stable/c/10ca3b2eec384628bc9f5d8190aed9427ad2dde6"
        },
        {
          "url": "https://git.kernel.org/stable/c/430e15544f11f8de26b2b5109c7152f71b78295e"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e9077638301816a7d73fa1e1b4c1db4a7e3b59c"
        }
      ],
      "title": "bpf: Sync pending IRQ work before freeing ring buffer",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40319",
    "datePublished": "2025-12-08T00:46:46.448Z",
    "dateReserved": "2025-04-16T07:20:57.186Z",
    "dateUpdated": "2025-12-08T00:46:46.448Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40344 (GCVE-0-2025-40344)

Vulnerability from cvelistv5 – Published: 2025-12-09 04:10 – Updated: 2025-12-09 04:10

Title

ASoC: Intel: avs: Disable periods-elapsed work when closing PCM

Summary

In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: avs: Disable periods-elapsed work when closing PCM avs_dai_fe_shutdown() handles the shutdown procedure for HOST HDAudio stream while period-elapsed work services its IRQs. As the former frees the DAI's private context, these two operations shall be synchronized to avoid slab-use-after-free or worse errors.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ca6d2b7aca778afbf…
	https://git.kernel.org/stable/c/b41fca4aa60be896b…
	https://git.kernel.org/stable/c/845f716dc5f354c71…

Impacted products

Vendor

Product

Version

Linux

Affected: 0dbb186c3510cad4e9f443e801bf2e6ab5770c00 , < ca6d2b7aca778afbf8c0c4b330d10cb228c14052 (git)
Affected: 0dbb186c3510cad4e9f443e801bf2e6ab5770c00 , < b41fca4aa60be896ba8a81b57aac5dcc6eee66c0 (git)
Affected: 0dbb186c3510cad4e9f443e801bf2e6ab5770c00 , < 845f716dc5f354c719f6fda35048b6c2eca99331 (git)
Affected: 31087af37d6b1586b76d4acf3e0c1634a4617ba6 (git)

Linux

Affected: 6.12
Unaffected: 0 , < 6.12 (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/intel/avs/pcm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ca6d2b7aca778afbf8c0c4b330d10cb228c14052",
              "status": "affected",
              "version": "0dbb186c3510cad4e9f443e801bf2e6ab5770c00",
              "versionType": "git"
            },
            {
              "lessThan": "b41fca4aa60be896ba8a81b57aac5dcc6eee66c0",
              "status": "affected",
              "version": "0dbb186c3510cad4e9f443e801bf2e6ab5770c00",
              "versionType": "git"
            },
            {
              "lessThan": "845f716dc5f354c719f6fda35048b6c2eca99331",
              "status": "affected",
              "version": "0dbb186c3510cad4e9f443e801bf2e6ab5770c00",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "31087af37d6b1586b76d4acf3e0c1634a4617ba6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/intel/avs/pcm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.11.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: avs: Disable periods-elapsed work when closing PCM\n\navs_dai_fe_shutdown() handles the shutdown procedure for HOST HDAudio\nstream while period-elapsed work services its IRQs. As the former\nfrees the DAI\u0027s private context, these two operations shall be\nsynchronized to avoid slab-use-after-free or worse errors."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T04:10:03.253Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ca6d2b7aca778afbf8c0c4b330d10cb228c14052"
        },
        {
          "url": "https://git.kernel.org/stable/c/b41fca4aa60be896ba8a81b57aac5dcc6eee66c0"
        },
        {
          "url": "https://git.kernel.org/stable/c/845f716dc5f354c719f6fda35048b6c2eca99331"
        }
      ],
      "title": "ASoC: Intel: avs: Disable periods-elapsed work when closing PCM",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40344",
    "datePublished": "2025-12-09T04:10:03.253Z",
    "dateReserved": "2025-04-16T07:20:57.187Z",
    "dateUpdated": "2025-12-09T04:10:03.253Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40288 (GCVE-0-2025-40288)

Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2025-12-20 08:51

Title

drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices Previously, APU platforms (and other scenarios with uninitialized VRAM managers) triggered a NULL pointer dereference in `ttm_resource_manager_usage()`. The root cause is not that the `struct ttm_resource_manager *man` pointer itself is NULL, but that `man->bdev` (the backing device pointer within the manager) remains uninitialized (NULL) on APUs—since APUs lack dedicated VRAM and do not fully set up VRAM manager structures. When `ttm_resource_manager_usage()` attempts to acquire `man->bdev->lru_lock`, it dereferences the NULL `man->bdev`, leading to a kernel OOPS. 1. **amdgpu_cs.c**: Extend the existing bandwidth control check in `amdgpu_cs_get_threshold_for_moves()` to include a check for `ttm_resource_manager_used()`. If the manager is not used (uninitialized `bdev`), return 0 for migration thresholds immediately—skipping VRAM-specific logic that would trigger the NULL dereference. 2. **amdgpu_kms.c**: Update the `AMDGPU_INFO_VRAM_USAGE` ioctl and memory info reporting to use a conditional: if the manager is used, return the real VRAM usage; otherwise, return 0. This avoids accessing `man->bdev` when it is NULL. 3. **amdgpu_virt.c**: Modify the vf2pf (virtual function to physical function) data write path. Use `ttm_resource_manager_used()` to check validity: if the manager is usable, calculate `fb_usage` from VRAM usage; otherwise, set `fb_usage` to 0 (APUs have no discrete framebuffer to report). This approach is more robust than APU-specific checks because it: - Works for all scenarios where the VRAM manager is uninitialized (not just APUs), - Aligns with TTM's design by using its native helper function, - Preserves correct behavior for discrete GPUs (which have fully initialized `man->bdev` and pass the `ttm_resource_manager_used()` check). v4: use ttm_resource_manager_used(&adev->mman.vram_mgr.manager) instead of checking the adev->gmc.is_app_apu flag (Christian)

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e70113b741ba25388…
	https://git.kernel.org/stable/c/1243e396148a65bb6…
	https://git.kernel.org/stable/c/43aa61c18a3a45042…
	https://git.kernel.org/stable/c/070bdce18fb12a49e…
	https://git.kernel.org/stable/c/883f309add5506023…

Impacted products

Vendor

Product

Version

Linux

Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < e70113b741ba253886cd71dbadfe3ea444bb2f5c (git)
Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 1243e396148a65bb6c42a2b70fe43e50c16c494f (git)
Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 43aa61c18a3a45042b098b7a1186ffb29364002c (git)
Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 070bdce18fb12a49eb9c421e57df17d2ad29bf5f (git)
Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 883f309add55060233bf11c1ea6947140372920f (git)

Linux

Affected: 4.2
Unaffected: 0 , < 4.2 (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.59 , ≤ 6.12.* (semver)
Unaffected: 6.17.9 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c",
            "drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c",
            "drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e70113b741ba253886cd71dbadfe3ea444bb2f5c",
              "status": "affected",
              "version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
              "versionType": "git"
            },
            {
              "lessThan": "1243e396148a65bb6c42a2b70fe43e50c16c494f",
              "status": "affected",
              "version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
              "versionType": "git"
            },
            {
              "lessThan": "43aa61c18a3a45042b098b7a1186ffb29364002c",
              "status": "affected",
              "version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
              "versionType": "git"
            },
            {
              "lessThan": "070bdce18fb12a49eb9c421e57df17d2ad29bf5f",
              "status": "affected",
              "version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
              "versionType": "git"
            },
            {
              "lessThan": "883f309add55060233bf11c1ea6947140372920f",
              "status": "affected",
              "version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c",
            "drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c",
            "drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.2"
            },
            {
              "lessThan": "4.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices\n\nPreviously, APU platforms (and other scenarios with uninitialized VRAM managers)\ntriggered a NULL pointer dereference in `ttm_resource_manager_usage()`. The root\ncause is not that the `struct ttm_resource_manager *man` pointer itself is NULL,\nbut that `man-\u003ebdev` (the backing device pointer within the manager) remains\nuninitialized (NULL) on APUs\u2014since APUs lack dedicated VRAM and do not fully\nset up VRAM manager structures. When `ttm_resource_manager_usage()` attempts to\nacquire `man-\u003ebdev-\u003elru_lock`, it dereferences the NULL `man-\u003ebdev`, leading to\na kernel OOPS.\n\n1. **amdgpu_cs.c**: Extend the existing bandwidth control check in\n   `amdgpu_cs_get_threshold_for_moves()` to include a check for\n   `ttm_resource_manager_used()`. If the manager is not used (uninitialized\n   `bdev`), return 0 for migration thresholds immediately\u2014skipping VRAM-specific\n   logic that would trigger the NULL dereference.\n\n2. **amdgpu_kms.c**: Update the `AMDGPU_INFO_VRAM_USAGE` ioctl and memory info\n   reporting to use a conditional: if the manager is used, return the real VRAM\n   usage; otherwise, return 0. This avoids accessing `man-\u003ebdev` when it is\n   NULL.\n\n3. **amdgpu_virt.c**: Modify the vf2pf (virtual function to physical function)\n   data write path. Use `ttm_resource_manager_used()` to check validity: if the\n   manager is usable, calculate `fb_usage` from VRAM usage; otherwise, set\n   `fb_usage` to 0 (APUs have no discrete framebuffer to report).\n\nThis approach is more robust than APU-specific checks because it:\n- Works for all scenarios where the VRAM manager is uninitialized (not just APUs),\n- Aligns with TTM\u0027s design by using its native helper function,\n- Preserves correct behavior for discrete GPUs (which have fully initialized\n  `man-\u003ebdev` and pass the `ttm_resource_manager_used()` check).\n\nv4: use ttm_resource_manager_used(\u0026adev-\u003emman.vram_mgr.manager) instead of checking the adev-\u003egmc.is_app_apu flag (Christian)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-20T08:51:55.021Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e70113b741ba253886cd71dbadfe3ea444bb2f5c"
        },
        {
          "url": "https://git.kernel.org/stable/c/1243e396148a65bb6c42a2b70fe43e50c16c494f"
        },
        {
          "url": "https://git.kernel.org/stable/c/43aa61c18a3a45042b098b7a1186ffb29364002c"
        },
        {
          "url": "https://git.kernel.org/stable/c/070bdce18fb12a49eb9c421e57df17d2ad29bf5f"
        },
        {
          "url": "https://git.kernel.org/stable/c/883f309add55060233bf11c1ea6947140372920f"
        }
      ],
      "title": "drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40288",
    "datePublished": "2025-12-06T21:51:14.440Z",
    "dateReserved": "2025-04-16T07:20:57.184Z",
    "dateUpdated": "2025-12-20T08:51:55.021Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40211 (GCVE-0-2025-40211)

Vulnerability from cvelistv5 – Published: 2025-11-21 10:21 – Updated: 2025-12-06 21:38

Title

ACPI: video: Fix use-after-free in acpi_video_switch_brightness()

Summary

In the Linux kernel, the following vulnerability has been resolved: ACPI: video: Fix use-after-free in acpi_video_switch_brightness() The switch_brightness_work delayed work accesses device->brightness and device->backlight, freed by acpi_video_dev_unregister_backlight() during device removal. If the work executes after acpi_video_bus_unregister_backlight() frees these resources, it causes a use-after-free when acpi_video_switch_brightness() dereferences device->brightness or device->backlight. Fix this by calling cancel_delayed_work_sync() for each device's switch_brightness_work in acpi_video_bus_remove_notify_handler() after removing the notify handler that queues the work. This ensures the work completes before the memory is freed. [ rjw: Changelog edit ]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/3f803ccf5a0c043e7…
	https://git.kernel.org/stable/c/ba1704316492a0496…
	https://git.kernel.org/stable/c/bc78a4f51d548c1cc…
	https://git.kernel.org/stable/c/a63a5b6fb508d78fe…
	https://git.kernel.org/stable/c/4e85246ec0d019dfb…
	https://git.kernel.org/stable/c/de5fc93275a4a459f…
	https://git.kernel.org/stable/c/293125536ef552132…
	https://git.kernel.org/stable/c/8f067aa5943026638…

Impacted products

Vendor

Product

Version

Linux

Affected: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 , < 3f803ccf5a0c043e7c8b83f6665b082401fc8bee (git)
Affected: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 , < ba1704316492a0496c69334338ea1fdbf4c2fd34 (git)
Affected: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 , < bc78a4f51d548c1ccc3d1967c2b394bf687c86e9 (git)
Affected: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 , < a63a5b6fb508d78fe57ae3b159d9ef3af7ba80e9 (git)
Affected: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 , < 4e85246ec0d019dfba86ba54d841ef6694f97149 (git)
Affected: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 , < de5fc93275a4a459fe2f7cb746984f2ab3e8292a (git)
Affected: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 , < 293125536ef5521328815fa7c76d5f9eb1635659 (git)
Affected: 8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 , < 8f067aa59430266386b83c18b983ca583faa6a11 (git)

Linux

Affected: 3.17
Unaffected: 0 , < 3.17 (semver)
Unaffected: 5.4.302 , ≤ 5.4.* (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/acpi/acpi_video.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3f803ccf5a0c043e7c8b83f6665b082401fc8bee",
              "status": "affected",
              "version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
              "versionType": "git"
            },
            {
              "lessThan": "ba1704316492a0496c69334338ea1fdbf4c2fd34",
              "status": "affected",
              "version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
              "versionType": "git"
            },
            {
              "lessThan": "bc78a4f51d548c1ccc3d1967c2b394bf687c86e9",
              "status": "affected",
              "version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
              "versionType": "git"
            },
            {
              "lessThan": "a63a5b6fb508d78fe57ae3b159d9ef3af7ba80e9",
              "status": "affected",
              "version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
              "versionType": "git"
            },
            {
              "lessThan": "4e85246ec0d019dfba86ba54d841ef6694f97149",
              "status": "affected",
              "version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
              "versionType": "git"
            },
            {
              "lessThan": "de5fc93275a4a459fe2f7cb746984f2ab3e8292a",
              "status": "affected",
              "version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
              "versionType": "git"
            },
            {
              "lessThan": "293125536ef5521328815fa7c76d5f9eb1635659",
              "status": "affected",
              "version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
              "versionType": "git"
            },
            {
              "lessThan": "8f067aa59430266386b83c18b983ca583faa6a11",
              "status": "affected",
              "version": "8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/acpi/acpi_video.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.17"
            },
            {
              "lessThan": "3.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.302",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.302",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: video: Fix use-after-free in acpi_video_switch_brightness()\n\nThe switch_brightness_work delayed work accesses device-\u003ebrightness\nand device-\u003ebacklight, freed by acpi_video_dev_unregister_backlight()\nduring device removal.\n\nIf the work executes after acpi_video_bus_unregister_backlight()\nfrees these resources, it causes a use-after-free when\nacpi_video_switch_brightness() dereferences device-\u003ebrightness or\ndevice-\u003ebacklight.\n\nFix this by calling cancel_delayed_work_sync() for each device\u0027s\nswitch_brightness_work in acpi_video_bus_remove_notify_handler()\nafter removing the notify handler that queues the work. This ensures\nthe work completes before the memory is freed.\n\n[ rjw: Changelog edit ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-06T21:38:42.455Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3f803ccf5a0c043e7c8b83f6665b082401fc8bee"
        },
        {
          "url": "https://git.kernel.org/stable/c/ba1704316492a0496c69334338ea1fdbf4c2fd34"
        },
        {
          "url": "https://git.kernel.org/stable/c/bc78a4f51d548c1ccc3d1967c2b394bf687c86e9"
        },
        {
          "url": "https://git.kernel.org/stable/c/a63a5b6fb508d78fe57ae3b159d9ef3af7ba80e9"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e85246ec0d019dfba86ba54d841ef6694f97149"
        },
        {
          "url": "https://git.kernel.org/stable/c/de5fc93275a4a459fe2f7cb746984f2ab3e8292a"
        },
        {
          "url": "https://git.kernel.org/stable/c/293125536ef5521328815fa7c76d5f9eb1635659"
        },
        {
          "url": "https://git.kernel.org/stable/c/8f067aa59430266386b83c18b983ca583faa6a11"
        }
      ],
      "title": "ACPI: video: Fix use-after-free in acpi_video_switch_brightness()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40211",
    "datePublished": "2025-11-21T10:21:36.438Z",
    "dateReserved": "2025-04-16T07:20:57.179Z",
    "dateUpdated": "2025-12-06T21:38:42.455Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68209 (GCVE-0-2025-68209)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:48 – Updated: 2025-12-16 13:48

Title

mlx5: Fix default values in create CQ

Summary

In the Linux kernel, the following vulnerability has been resolved: mlx5: Fix default values in create CQ Currently, CQs without a completion function are assigned the mlx5_add_cq_to_tasklet function by default. This is problematic since only user CQs created through the mlx5_ib driver are intended to use this function. Additionally, all CQs that will use doorbells instead of polling for completions must call mlx5_cq_arm. However, the default CQ creation flow leaves a valid value in the CQ's arm_db field, allowing FW to send interrupts to polling-only CQs in certain corner cases. These two factors would allow a polling-only kernel CQ to be triggered by an EQ interrupt and call a completion function intended only for user CQs, causing a null pointer exception. Some areas in the driver have prevented this issue with one-off fixes but did not address the root cause. This patch fixes the described issue by adding defaults to the create CQ flow. It adds a default dummy completion function to protect against null pointer exceptions, and it sets an invalid command sequence number by default in kernel CQs to prevent the FW from sending an interrupt to the CQ until it is armed. User CQs are responsible for their own initialization values. Callers of mlx5_core_create_cq are responsible for changing the completion function and arming the CQ per their needs.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/08469f5393a1a39f2…
	https://git.kernel.org/stable/c/e5eba42f01340f738…

Impacted products

Vendor

Product

Version

Linux

Affected: cdd04f4d4d71cbf93d0d9abe63bc838f47c467fa , < 08469f5393a1a39f26a6e2eb2e8c33187665c1f4 (git)
Affected: cdd04f4d4d71cbf93d0d9abe63bc838f47c467fa , < e5eba42f01340f73888dfe560be2806057c25913 (git)

Linux

Affected: 6.0
Unaffected: 0 , < 6.0 (semver)
Unaffected: 6.17.9 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mlx5/cq.c",
            "drivers/net/ethernet/mellanox/mlx5/core/cq.c",
            "drivers/net/ethernet/mellanox/mlx5/core/en_main.c",
            "drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c",
            "drivers/net/ethernet/mellanox/mlx5/core/steering/hws/send.c",
            "drivers/net/ethernet/mellanox/mlx5/core/steering/sws/dr_send.c",
            "drivers/vdpa/mlx5/net/mlx5_vnet.c",
            "include/linux/mlx5/cq.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "08469f5393a1a39f26a6e2eb2e8c33187665c1f4",
              "status": "affected",
              "version": "cdd04f4d4d71cbf93d0d9abe63bc838f47c467fa",
              "versionType": "git"
            },
            {
              "lessThan": "e5eba42f01340f73888dfe560be2806057c25913",
              "status": "affected",
              "version": "cdd04f4d4d71cbf93d0d9abe63bc838f47c467fa",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/mlx5/cq.c",
            "drivers/net/ethernet/mellanox/mlx5/core/cq.c",
            "drivers/net/ethernet/mellanox/mlx5/core/en_main.c",
            "drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c",
            "drivers/net/ethernet/mellanox/mlx5/core/steering/hws/send.c",
            "drivers/net/ethernet/mellanox/mlx5/core/steering/sws/dr_send.c",
            "drivers/vdpa/mlx5/net/mlx5_vnet.c",
            "include/linux/mlx5/cq.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlx5: Fix default values in create CQ\n\nCurrently, CQs without a completion function are assigned the\nmlx5_add_cq_to_tasklet function by default. This is problematic since\nonly user CQs created through the mlx5_ib driver are intended to use\nthis function.\n\nAdditionally, all CQs that will use doorbells instead of polling for\ncompletions must call mlx5_cq_arm. However, the default CQ creation flow\nleaves a valid value in the CQ\u0027s arm_db field, allowing FW to send\ninterrupts to polling-only CQs in certain corner cases.\n\nThese two factors would allow a polling-only kernel CQ to be triggered\nby an EQ interrupt and call a completion function intended only for user\nCQs, causing a null pointer exception.\n\nSome areas in the driver have prevented this issue with one-off fixes\nbut did not address the root cause.\n\nThis patch fixes the described issue by adding defaults to the create CQ\nflow. It adds a default dummy completion function to protect against\nnull pointer exceptions, and it sets an invalid command sequence number\nby default in kernel CQs to prevent the FW from sending an interrupt to\nthe CQ until it is armed. User CQs are responsible for their own\ninitialization values.\n\nCallers of mlx5_core_create_cq are responsible for changing the\ncompletion function and arming the CQ per their needs."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T13:48:36.098Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/08469f5393a1a39f26a6e2eb2e8c33187665c1f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/e5eba42f01340f73888dfe560be2806057c25913"
        }
      ],
      "title": "mlx5: Fix default values in create CQ",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68209",
    "datePublished": "2025-12-16T13:48:36.098Z",
    "dateReserved": "2025-12-16T13:41:40.255Z",
    "dateUpdated": "2025-12-16T13:48:36.098Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40346 (GCVE-0-2025-40346)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:30 – Updated: 2025-12-16 13:30

Title

arch_topology: Fix incorrect error check in topology_parse_cpu_capacity()

Summary

In the Linux kernel, the following vulnerability has been resolved: arch_topology: Fix incorrect error check in topology_parse_cpu_capacity() Fix incorrect use of PTR_ERR_OR_ZERO() in topology_parse_cpu_capacity() which causes the code to proceed with NULL clock pointers. The current logic uses !PTR_ERR_OR_ZERO(cpu_clk) which evaluates to true for both valid pointers and NULL, leading to potential NULL pointer dereference in clk_get_rate(). Per include/linux/err.h documentation, PTR_ERR_OR_ZERO(ptr) returns: "The error code within @ptr if it is an error pointer; 0 otherwise." This means PTR_ERR_OR_ZERO() returns 0 for both valid pointers AND NULL pointers. Therefore !PTR_ERR_OR_ZERO(cpu_clk) evaluates to true (proceed) when cpu_clk is either valid or NULL, causing clk_get_rate(NULL) to be called when of_clk_get() returns NULL. Replace with !IS_ERR_OR_NULL(cpu_clk) which only proceeds for valid pointers, preventing potential NULL pointer dereference in clk_get_rate().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/64da320252e43456c…
	https://git.kernel.org/stable/c/02fbea0864fd4a863…
	https://git.kernel.org/stable/c/a77f8434954cb1e9c…
	https://git.kernel.org/stable/c/3373f263bb647fcc3…
	https://git.kernel.org/stable/c/45379303124487db3…
	https://git.kernel.org/stable/c/3a01b2614e84361aa…
	https://git.kernel.org/stable/c/2eead19334516c8e9…

Impacted products

Vendor

Product

Version

Linux

Affected: b8fe128dad8f97cc9af7c55a264d1fc5ab677195 , < 64da320252e43456cc9ec3055ff567f168467b37 (git)
Affected: b8fe128dad8f97cc9af7c55a264d1fc5ab677195 , < 02fbea0864fd4a863671f5d418129258d7159f68 (git)
Affected: b8fe128dad8f97cc9af7c55a264d1fc5ab677195 , < a77f8434954cb1e9c42c3854e40855fdcf5ab235 (git)
Affected: b8fe128dad8f97cc9af7c55a264d1fc5ab677195 , < 3373f263bb647fcc3b5237cfaef757633b9ee25e (git)
Affected: b8fe128dad8f97cc9af7c55a264d1fc5ab677195 , < 45379303124487db3a81219af7565d41f498167f (git)
Affected: b8fe128dad8f97cc9af7c55a264d1fc5ab677195 , < 3a01b2614e84361aa222f67bc628593987e5cdb2 (git)
Affected: b8fe128dad8f97cc9af7c55a264d1fc5ab677195 , < 2eead19334516c8e9927c11b448fbe512b1f18a1 (git)

Linux

Affected: 5.7
Unaffected: 0 , < 5.7 (semver)
Unaffected: 5.10.246 , ≤ 5.10.* (semver)
Unaffected: 5.15.196 , ≤ 5.15.* (semver)
Unaffected: 6.1.158 , ≤ 6.1.* (semver)
Unaffected: 6.6.115 , ≤ 6.6.* (semver)
Unaffected: 6.12.56 , ≤ 6.12.* (semver)
Unaffected: 6.17.6 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/base/arch_topology.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "64da320252e43456cc9ec3055ff567f168467b37",
              "status": "affected",
              "version": "b8fe128dad8f97cc9af7c55a264d1fc5ab677195",
              "versionType": "git"
            },
            {
              "lessThan": "02fbea0864fd4a863671f5d418129258d7159f68",
              "status": "affected",
              "version": "b8fe128dad8f97cc9af7c55a264d1fc5ab677195",
              "versionType": "git"
            },
            {
              "lessThan": "a77f8434954cb1e9c42c3854e40855fdcf5ab235",
              "status": "affected",
              "version": "b8fe128dad8f97cc9af7c55a264d1fc5ab677195",
              "versionType": "git"
            },
            {
              "lessThan": "3373f263bb647fcc3b5237cfaef757633b9ee25e",
              "status": "affected",
              "version": "b8fe128dad8f97cc9af7c55a264d1fc5ab677195",
              "versionType": "git"
            },
            {
              "lessThan": "45379303124487db3a81219af7565d41f498167f",
              "status": "affected",
              "version": "b8fe128dad8f97cc9af7c55a264d1fc5ab677195",
              "versionType": "git"
            },
            {
              "lessThan": "3a01b2614e84361aa222f67bc628593987e5cdb2",
              "status": "affected",
              "version": "b8fe128dad8f97cc9af7c55a264d1fc5ab677195",
              "versionType": "git"
            },
            {
              "lessThan": "2eead19334516c8e9927c11b448fbe512b1f18a1",
              "status": "affected",
              "version": "b8fe128dad8f97cc9af7c55a264d1fc5ab677195",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/base/arch_topology.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.246",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.196",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.158",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.115",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.56",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.246",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.196",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.158",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.115",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.56",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.6",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narch_topology: Fix incorrect error check in topology_parse_cpu_capacity()\n\nFix incorrect use of PTR_ERR_OR_ZERO() in topology_parse_cpu_capacity()\nwhich causes the code to proceed with NULL clock pointers. The current\nlogic uses !PTR_ERR_OR_ZERO(cpu_clk) which evaluates to true for both\nvalid pointers and NULL, leading to potential NULL pointer dereference\nin clk_get_rate().\n\nPer include/linux/err.h documentation, PTR_ERR_OR_ZERO(ptr) returns:\n\"The error code within @ptr if it is an error pointer; 0 otherwise.\"\n\nThis means PTR_ERR_OR_ZERO() returns 0 for both valid pointers AND NULL\npointers. Therefore !PTR_ERR_OR_ZERO(cpu_clk) evaluates to true (proceed)\nwhen cpu_clk is either valid or NULL, causing clk_get_rate(NULL) to be\ncalled when of_clk_get() returns NULL.\n\nReplace with !IS_ERR_OR_NULL(cpu_clk) which only proceeds for valid\npointers, preventing potential NULL pointer dereference in clk_get_rate()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T13:30:20.395Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/64da320252e43456cc9ec3055ff567f168467b37"
        },
        {
          "url": "https://git.kernel.org/stable/c/02fbea0864fd4a863671f5d418129258d7159f68"
        },
        {
          "url": "https://git.kernel.org/stable/c/a77f8434954cb1e9c42c3854e40855fdcf5ab235"
        },
        {
          "url": "https://git.kernel.org/stable/c/3373f263bb647fcc3b5237cfaef757633b9ee25e"
        },
        {
          "url": "https://git.kernel.org/stable/c/45379303124487db3a81219af7565d41f498167f"
        },
        {
          "url": "https://git.kernel.org/stable/c/3a01b2614e84361aa222f67bc628593987e5cdb2"
        },
        {
          "url": "https://git.kernel.org/stable/c/2eead19334516c8e9927c11b448fbe512b1f18a1"
        }
      ],
      "title": "arch_topology: Fix incorrect error check in topology_parse_cpu_capacity()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40346",
    "datePublished": "2025-12-16T13:30:20.395Z",
    "dateReserved": "2025-04-16T07:20:57.187Z",
    "dateUpdated": "2025-12-16T13:30:20.395Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68363 (GCVE-0-2025-68363)

Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-01-11 16:29

Title

bpf: Check skb->transport_header is set in bpf_skb_check_mtu

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf: Check skb->transport_header is set in bpf_skb_check_mtu The bpf_skb_check_mtu helper needs to use skb->transport_header when the BPF_MTU_CHK_SEGS flag is used: bpf_skb_check_mtu(skb, ifindex, &mtu_len, 0, BPF_MTU_CHK_SEGS) The transport_header is not always set. There is a WARN_ON_ONCE report when CONFIG_DEBUG_NET is enabled + skb->gso_size is set + bpf_prog_test_run is used: WARNING: CPU: 1 PID: 2216 at ./include/linux/skbuff.h:3071 skb_gso_validate_network_len bpf_skb_check_mtu bpf_prog_3920e25740a41171_tc_chk_segs_flag # A test in the next patch bpf_test_run bpf_prog_test_run_skb For a normal ingress skb (not test_run), skb_reset_transport_header is performed but there is plan to avoid setting it as described in commit 2170a1f09148 ("net: no longer reset transport_header in __netif_receive_skb_core()"). This patch fixes the bpf helper by checking skb_transport_header_was_set(). The check is done just before skb->transport_header is used, to avoid breaking the existing bpf prog. The WARN_ON_ONCE is limited to bpf_prog_test_run, so targeting bpf-next.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b3171a5e4622e915e…
	https://git.kernel.org/stable/c/97b876fa883226252…
	https://git.kernel.org/stable/c/30ce906557a21adef…
	https://git.kernel.org/stable/c/1c30e4afc5507f006…
	https://git.kernel.org/stable/c/942268e2726ac7f16…
	https://git.kernel.org/stable/c/d946f3c98328171fa…

Impacted products

Vendor

Product

Version

Linux

Affected: 34b2021cc61642d61c3cf943d9e71925b827941b , < b3171a5e4622e915e94599a55f4964078bdec27e (git)
Affected: 34b2021cc61642d61c3cf943d9e71925b827941b , < 97b876fa88322625228792cf7a5fd77531815a80 (git)
Affected: 34b2021cc61642d61c3cf943d9e71925b827941b , < 30ce906557a21adef4cba5901c8e995dc18263a9 (git)
Affected: 34b2021cc61642d61c3cf943d9e71925b827941b , < 1c30e4afc5507f0069cc09bd561e510e4d97fbf7 (git)
Affected: 34b2021cc61642d61c3cf943d9e71925b827941b , < 942268e2726ac7f16e3ec49dbfbbbe7cf5af9da5 (git)
Affected: 34b2021cc61642d61c3cf943d9e71925b827941b , < d946f3c98328171fa50ddb908593cf833587f725 (git)

Linux

Affected: 5.12
Unaffected: 0 , < 5.12 (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.63 , ≤ 6.12.* (semver)
Unaffected: 6.17.13 , ≤ 6.17.* (semver)
Unaffected: 6.18.2 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/filter.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b3171a5e4622e915e94599a55f4964078bdec27e",
              "status": "affected",
              "version": "34b2021cc61642d61c3cf943d9e71925b827941b",
              "versionType": "git"
            },
            {
              "lessThan": "97b876fa88322625228792cf7a5fd77531815a80",
              "status": "affected",
              "version": "34b2021cc61642d61c3cf943d9e71925b827941b",
              "versionType": "git"
            },
            {
              "lessThan": "30ce906557a21adef4cba5901c8e995dc18263a9",
              "status": "affected",
              "version": "34b2021cc61642d61c3cf943d9e71925b827941b",
              "versionType": "git"
            },
            {
              "lessThan": "1c30e4afc5507f0069cc09bd561e510e4d97fbf7",
              "status": "affected",
              "version": "34b2021cc61642d61c3cf943d9e71925b827941b",
              "versionType": "git"
            },
            {
              "lessThan": "942268e2726ac7f16e3ec49dbfbbbe7cf5af9da5",
              "status": "affected",
              "version": "34b2021cc61642d61c3cf943d9e71925b827941b",
              "versionType": "git"
            },
            {
              "lessThan": "d946f3c98328171fa50ddb908593cf833587f725",
              "status": "affected",
              "version": "34b2021cc61642d61c3cf943d9e71925b827941b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/filter.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.63",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.63",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.13",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.2",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Check skb-\u003etransport_header is set in bpf_skb_check_mtu\n\nThe bpf_skb_check_mtu helper needs to use skb-\u003etransport_header when\nthe BPF_MTU_CHK_SEGS flag is used:\n\n\tbpf_skb_check_mtu(skb, ifindex, \u0026mtu_len, 0, BPF_MTU_CHK_SEGS)\n\nThe transport_header is not always set. There is a WARN_ON_ONCE\nreport when CONFIG_DEBUG_NET is enabled + skb-\u003egso_size is set +\nbpf_prog_test_run is used:\n\nWARNING: CPU: 1 PID: 2216 at ./include/linux/skbuff.h:3071\n skb_gso_validate_network_len\n bpf_skb_check_mtu\n bpf_prog_3920e25740a41171_tc_chk_segs_flag # A test in the next patch\n bpf_test_run\n bpf_prog_test_run_skb\n\nFor a normal ingress skb (not test_run), skb_reset_transport_header\nis performed but there is plan to avoid setting it as described in\ncommit 2170a1f09148 (\"net: no longer reset transport_header in __netif_receive_skb_core()\").\n\nThis patch fixes the bpf helper by checking\nskb_transport_header_was_set(). The check is done just before\nskb-\u003etransport_header is used, to avoid breaking the existing bpf prog.\nThe WARN_ON_ONCE is limited to bpf_prog_test_run, so targeting bpf-next."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-11T16:29:58.261Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b3171a5e4622e915e94599a55f4964078bdec27e"
        },
        {
          "url": "https://git.kernel.org/stable/c/97b876fa88322625228792cf7a5fd77531815a80"
        },
        {
          "url": "https://git.kernel.org/stable/c/30ce906557a21adef4cba5901c8e995dc18263a9"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c30e4afc5507f0069cc09bd561e510e4d97fbf7"
        },
        {
          "url": "https://git.kernel.org/stable/c/942268e2726ac7f16e3ec49dbfbbbe7cf5af9da5"
        },
        {
          "url": "https://git.kernel.org/stable/c/d946f3c98328171fa50ddb908593cf833587f725"
        }
      ],
      "title": "bpf: Check skb-\u003etransport_header is set in bpf_skb_check_mtu",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68363",
    "datePublished": "2025-12-24T10:32:51.236Z",
    "dateReserved": "2025-12-16T14:48:05.308Z",
    "dateUpdated": "2026-01-11T16:29:58.261Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68298 (GCVE-0-2025-68298)

Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06

Title

Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref In btusb_mtk_setup(), we set `btmtk_data->isopkt_intf` to: usb_ifnum_to_if(data->udev, MTK_ISO_IFNUM) That function can return NULL in some cases. Even when it returns NULL, though, we still go on to call btusb_mtk_claim_iso_intf(). As of commit e9087e828827 ("Bluetooth: btusb: mediatek: Add locks for usb_driver_claim_interface()"), calling btusb_mtk_claim_iso_intf() when `btmtk_data->isopkt_intf` is NULL will cause a crash because we'll end up passing a bad pointer to device_lock(). Prior to that commit we'd pass the NULL pointer directly to usb_driver_claim_interface() which would detect it and return an error, which was handled. Resolve the crash in btusb_mtk_claim_iso_intf() by adding a NULL check at the start of the function. This makes the code handle a NULL `btmtk_data->isopkt_intf` the same way it did before the problematic commit (just with a slight change to the error message printed).

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/2fa09fe98ca3b114d…
	https://git.kernel.org/stable/c/c3b990e0b23068da6…
	https://git.kernel.org/stable/c/c884a0b27b4586e60…

Impacted products

Vendor

Product

Version

Linux

Affected: 930e1790b99e5839e1af69d2f7fd808f1fba2df9 , < 2fa09fe98ca3b114d66285f65f7e108fea131815 (git)
Affected: e9087e828827e5a5c85e124ce77503f2b81c3491 , < c3b990e0b23068da65f0004cd38ee31f43f36460 (git)
Affected: e9087e828827e5a5c85e124ce77503f2b81c3491 , < c884a0b27b4586e607431d86a1aa0bb4fb39169c (git)
Affected: 4194766ec8756f4f654d595ae49962acbac49490 (git)

Linux

Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 6.12.61 , ≤ 6.12.* (semver)
Unaffected: 6.17.11 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/bluetooth/btusb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2fa09fe98ca3b114d66285f65f7e108fea131815",
              "status": "affected",
              "version": "930e1790b99e5839e1af69d2f7fd808f1fba2df9",
              "versionType": "git"
            },
            {
              "lessThan": "c3b990e0b23068da65f0004cd38ee31f43f36460",
              "status": "affected",
              "version": "e9087e828827e5a5c85e124ce77503f2b81c3491",
              "versionType": "git"
            },
            {
              "lessThan": "c884a0b27b4586e607431d86a1aa0bb4fb39169c",
              "status": "affected",
              "version": "e9087e828827e5a5c85e124ce77503f2b81c3491",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "4194766ec8756f4f654d595ae49962acbac49490",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/bluetooth/btusb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.61",
                  "versionStartIncluding": "6.12.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.11",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.13.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref\n\nIn btusb_mtk_setup(), we set `btmtk_data-\u003eisopkt_intf` to:\n  usb_ifnum_to_if(data-\u003eudev, MTK_ISO_IFNUM)\n\nThat function can return NULL in some cases. Even when it returns\nNULL, though, we still go on to call btusb_mtk_claim_iso_intf().\n\nAs of commit e9087e828827 (\"Bluetooth: btusb: mediatek: Add locks for\nusb_driver_claim_interface()\"), calling btusb_mtk_claim_iso_intf()\nwhen `btmtk_data-\u003eisopkt_intf` is NULL will cause a crash because\nwe\u0027ll end up passing a bad pointer to device_lock(). Prior to that\ncommit we\u0027d pass the NULL pointer directly to\nusb_driver_claim_interface() which would detect it and return an\nerror, which was handled.\n\nResolve the crash in btusb_mtk_claim_iso_intf() by adding a NULL check\nat the start of the function. This makes the code handle a NULL\n`btmtk_data-\u003eisopkt_intf` the same way it did before the problematic\ncommit (just with a slight change to the error message printed)."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T15:06:17.526Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2fa09fe98ca3b114d66285f65f7e108fea131815"
        },
        {
          "url": "https://git.kernel.org/stable/c/c3b990e0b23068da65f0004cd38ee31f43f36460"
        },
        {
          "url": "https://git.kernel.org/stable/c/c884a0b27b4586e607431d86a1aa0bb4fb39169c"
        }
      ],
      "title": "Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf() NULL deref",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68298",
    "datePublished": "2025-12-16T15:06:17.526Z",
    "dateReserved": "2025-12-16T14:48:05.293Z",
    "dateUpdated": "2025-12-16T15:06:17.526Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-23559 (GCVE-0-2023-23559)

Vulnerability from cvelistv5 – Published: 2023-01-13 00:00 – Updated: 2025-05-05 16:05

Summary

In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

n/a

Assigner

mitre

References

URL

Tags

	https://patchwork.kernel.org/project/linux-wirele…
	https://security.netapp.com/advisory/ntap-2023030…
	https://lists.debian.org/debian-lts-announce/2023…	mailing-list
	https://lists.debian.org/debian-lts-announce/2023…	mailing-list
	https://git.kernel.org/cgit/linux/kernel/git/torv…

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T10:35:33.175Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://patchwork.kernel.org/project/linux-wireless/patch/20230110173007.57110-1-szymon.heidrich%40gmail.com/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20230302-0003/"
          },
          {
            "name": "[debian-lts-announce] 20230502 [SECURITY] [DLA 3404-1] linux-5.10 security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"
          },
          {
            "name": "[debian-lts-announce] 20230503 [SECURITY] [DLA 3403-1] linux security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b870e73a56c4cccbec33224233eaf295839f228c"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-23559",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T13:29:21.290984Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-190",
                "description": "CWE-190 Integer Overflow or Wraparound",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-05T16:05:27.474Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-25T00:41:20.856Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://patchwork.kernel.org/project/linux-wireless/patch/20230110173007.57110-1-szymon.heidrich%40gmail.com/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20230302-0003/"
        },
        {
          "name": "[debian-lts-announce] 20230502 [SECURITY] [DLA 3404-1] linux-5.10 security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"
        },
        {
          "name": "[debian-lts-announce] 20230503 [SECURITY] [DLA 3403-1] linux security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html"
        },
        {
          "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b870e73a56c4cccbec33224233eaf295839f228c"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2023-23559",
    "datePublished": "2023-01-13T00:00:00.000Z",
    "dateReserved": "2023-01-13T00:00:00.000Z",
    "dateUpdated": "2025-05-05T16:05:27.474Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-40311 (GCVE-0-2025-40311)

Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-20 08:52

Title

accel/habanalabs: support mapping cb with vmalloc-backed coherent memory

Summary

In the Linux kernel, the following vulnerability has been resolved: accel/habanalabs: support mapping cb with vmalloc-backed coherent memory When IOMMU is enabled, dma_alloc_coherent() with GFP_USER may return addresses from the vmalloc range. If such an address is mapped without VM_MIXEDMAP, vm_insert_page() will trigger a BUG_ON due to the VM_PFNMAP restriction. Fix this by checking for vmalloc addresses and setting VM_MIXEDMAP in the VMA before mapping. This ensures safe mapping and avoids kernel crashes. The memory is still driver-allocated and cannot be accessed directly by userspace.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7ec8ac9f73d4a9438…
	https://git.kernel.org/stable/c/d1dfe21a332d38a6a…
	https://git.kernel.org/stable/c/73c7c2cdb442fc416…
	https://git.kernel.org/stable/c/513024d5a0e34fd34…

Impacted products

Vendor

Product

Version

Linux

Affected: ac0ae6a96aa58eeba4aed97b12ef1dea8c5bf399 , < 7ec8ac9f73d4a9438c2186768d6de27ace37531e (git)
Affected: ac0ae6a96aa58eeba4aed97b12ef1dea8c5bf399 , < d1dfe21a332d38a6a09658ec29a55940afb5fe36 (git)
Affected: ac0ae6a96aa58eeba4aed97b12ef1dea8c5bf399 , < 73c7c2cdb442fc4160d2a2a4bfffbd162af06cb9 (git)
Affected: ac0ae6a96aa58eeba4aed97b12ef1dea8c5bf399 , < 513024d5a0e34fd34247043f1876b6138ca52847 (git)

Linux

Affected: 5.8
Unaffected: 0 , < 5.8 (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/accel/habanalabs/gaudi/gaudi.c",
            "drivers/accel/habanalabs/gaudi2/gaudi2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7ec8ac9f73d4a9438c2186768d6de27ace37531e",
              "status": "affected",
              "version": "ac0ae6a96aa58eeba4aed97b12ef1dea8c5bf399",
              "versionType": "git"
            },
            {
              "lessThan": "d1dfe21a332d38a6a09658ec29a55940afb5fe36",
              "status": "affected",
              "version": "ac0ae6a96aa58eeba4aed97b12ef1dea8c5bf399",
              "versionType": "git"
            },
            {
              "lessThan": "73c7c2cdb442fc4160d2a2a4bfffbd162af06cb9",
              "status": "affected",
              "version": "ac0ae6a96aa58eeba4aed97b12ef1dea8c5bf399",
              "versionType": "git"
            },
            {
              "lessThan": "513024d5a0e34fd34247043f1876b6138ca52847",
              "status": "affected",
              "version": "ac0ae6a96aa58eeba4aed97b12ef1dea8c5bf399",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/accel/habanalabs/gaudi/gaudi.c",
            "drivers/accel/habanalabs/gaudi2/gaudi2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.8"
            },
            {
              "lessThan": "5.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/habanalabs: support mapping cb with vmalloc-backed coherent memory\n\nWhen IOMMU is enabled, dma_alloc_coherent() with GFP_USER may return\naddresses from the vmalloc range. If such an address is mapped without\nVM_MIXEDMAP, vm_insert_page() will trigger a BUG_ON due to the\nVM_PFNMAP restriction.\n\nFix this by checking for vmalloc addresses and setting VM_MIXEDMAP\nin the VMA before mapping. This ensures safe mapping and avoids kernel\ncrashes. The memory is still driver-allocated and cannot be accessed\ndirectly by userspace."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-20T08:52:00.934Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7ec8ac9f73d4a9438c2186768d6de27ace37531e"
        },
        {
          "url": "https://git.kernel.org/stable/c/d1dfe21a332d38a6a09658ec29a55940afb5fe36"
        },
        {
          "url": "https://git.kernel.org/stable/c/73c7c2cdb442fc4160d2a2a4bfffbd162af06cb9"
        },
        {
          "url": "https://git.kernel.org/stable/c/513024d5a0e34fd34247043f1876b6138ca52847"
        }
      ],
      "title": "accel/habanalabs: support mapping cb with vmalloc-backed coherent memory",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40311",
    "datePublished": "2025-12-08T00:46:36.903Z",
    "dateReserved": "2025-04-16T07:20:57.185Z",
    "dateUpdated": "2025-12-20T08:52:00.934Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53254 (GCVE-0-2023-53254)

Vulnerability from cvelistv5 – Published: 2025-09-15 14:46 – Updated: 2026-01-14 18:02

Title

cacheinfo: Fix shared_cpu_map to handle shared caches at different levels

Summary

In the Linux kernel, the following vulnerability has been resolved: cacheinfo: Fix shared_cpu_map to handle shared caches at different levels The cacheinfo sets up the shared_cpu_map by checking whether the caches with the same index are shared between CPUs. However, this will trigger slab-out-of-bounds access if the CPUs do not have the same cache hierarchy. Another problem is the mismatched shared_cpu_map when the shared cache does not have the same index between CPUs. CPU0 I D L3 index 0 1 2 x ^ ^ ^ ^ index 0 1 2 3 CPU1 I D L2 L3 This patch checks each cache is shared with all caches on other CPUs.

Severity ?

7.1 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CWE

CWE-125 - Out-of-bounds Read

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/2f588d0345d69a35e…
	https://git.kernel.org/stable/c/dea49f2993f57d8a2…
	https://git.kernel.org/stable/c/198102c9103fc78d8…

Impacted products

Vendor

Product

Version

Linux

Affected: 246246cbde5e840012f853e27630ebb59f409486 , < 2f588d0345d69a35e451077afed428fd057a5e34 (git)
Affected: 246246cbde5e840012f853e27630ebb59f409486 , < dea49f2993f57d8a2df2cacb0bf649ef49b28879 (git)
Affected: 246246cbde5e840012f853e27630ebb59f409486 , < 198102c9103fc78d8478495971947af77edb05c1 (git)

Linux

Affected: 3.19
Unaffected: 0 , < 3.19 (semver)
Unaffected: 6.1.18 , ≤ 6.1.* (semver)
Unaffected: 6.2.5 , ≤ 6.2.* (semver)
Unaffected: 6.3 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-53254",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-14T18:01:14.729698Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-125",
                "description": "CWE-125 Out-of-bounds Read",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-14T18:02:52.518Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/base/cacheinfo.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2f588d0345d69a35e451077afed428fd057a5e34",
              "status": "affected",
              "version": "246246cbde5e840012f853e27630ebb59f409486",
              "versionType": "git"
            },
            {
              "lessThan": "dea49f2993f57d8a2df2cacb0bf649ef49b28879",
              "status": "affected",
              "version": "246246cbde5e840012f853e27630ebb59f409486",
              "versionType": "git"
            },
            {
              "lessThan": "198102c9103fc78d8478495971947af77edb05c1",
              "status": "affected",
              "version": "246246cbde5e840012f853e27630ebb59f409486",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/base/cacheinfo.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.19"
            },
            {
              "lessThan": "3.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.2.*",
              "status": "unaffected",
              "version": "6.2.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.18",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2.5",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncacheinfo: Fix shared_cpu_map to handle shared caches at different levels\n\nThe cacheinfo sets up the shared_cpu_map by checking whether the caches\nwith the same index are shared between CPUs. However, this will trigger\nslab-out-of-bounds access if the CPUs do not have the same cache hierarchy.\nAnother problem is the mismatched shared_cpu_map when the shared cache does\nnot have the same index between CPUs.\n\nCPU0\tI\tD\tL3\nindex\t0\t1\t2\tx\n\t^\t^\t^\t^\nindex\t0\t1\t2\t3\nCPU1\tI\tD\tL2\tL3\n\nThis patch checks each cache is shared with all caches on other CPUs."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-05T10:18:59.952Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2f588d0345d69a35e451077afed428fd057a5e34"
        },
        {
          "url": "https://git.kernel.org/stable/c/dea49f2993f57d8a2df2cacb0bf649ef49b28879"
        },
        {
          "url": "https://git.kernel.org/stable/c/198102c9103fc78d8478495971947af77edb05c1"
        }
      ],
      "title": "cacheinfo: Fix shared_cpu_map to handle shared caches at different levels",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53254",
    "datePublished": "2025-09-15T14:46:24.670Z",
    "dateReserved": "2025-09-15T14:19:21.849Z",
    "dateUpdated": "2026-01-14T18:02:52.518Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40179 (GCVE-0-2025-40179)

Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:19

Title

ext4: verify orphan file size is not too big

Summary

In the Linux kernel, the following vulnerability has been resolved: ext4: verify orphan file size is not too big In principle orphan file can be arbitrarily large. However orphan replay needs to traverse it all and we also pin all its buffers in memory. Thus filesystems with absurdly large orphan files can lead to big amounts of memory consumed. Limit orphan file size to a sane value and also use kvmalloc() for allocating array of block descriptor structures to avoid large order allocations for sane but large orphan files.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/95a21611b14ae0a40…
	https://git.kernel.org/stable/c/566a1d6084563bd07…
	https://git.kernel.org/stable/c/304fc34ff6fc82611…
	https://git.kernel.org/stable/c/a2d803fab8a6c6a87…
	https://git.kernel.org/stable/c/2b9da798ff0f4d026…
	https://git.kernel.org/stable/c/0a6ce20c156442a4c…

Impacted products

Vendor

Product

Version

Linux

Affected: 02f310fcf47fa9311d6ba2946a8d19e7d7d11f37 , < 95a21611b14ae0a401720645245a8db16f040995 (git)
Affected: 02f310fcf47fa9311d6ba2946a8d19e7d7d11f37 , < 566a1d6084563bd07433025aa23bcea4427de107 (git)
Affected: 02f310fcf47fa9311d6ba2946a8d19e7d7d11f37 , < 304fc34ff6fc8261138fd81f119e024ac3a129e9 (git)
Affected: 02f310fcf47fa9311d6ba2946a8d19e7d7d11f37 , < a2d803fab8a6c6a874277cb80156dc114db91921 (git)
Affected: 02f310fcf47fa9311d6ba2946a8d19e7d7d11f37 , < 2b9da798ff0f4d026c5f0f815047393ebe7d8859 (git)
Affected: 02f310fcf47fa9311d6ba2946a8d19e7d7d11f37 , < 0a6ce20c156442a4ce2a404747bb0fb05d54eeb3 (git)

Linux

Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 5.15.195 , ≤ 5.15.* (semver)
Unaffected: 6.1.157 , ≤ 6.1.* (semver)
Unaffected: 6.6.113 , ≤ 6.6.* (semver)
Unaffected: 6.12.54 , ≤ 6.12.* (semver)
Unaffected: 6.17.4 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/orphan.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "95a21611b14ae0a401720645245a8db16f040995",
              "status": "affected",
              "version": "02f310fcf47fa9311d6ba2946a8d19e7d7d11f37",
              "versionType": "git"
            },
            {
              "lessThan": "566a1d6084563bd07433025aa23bcea4427de107",
              "status": "affected",
              "version": "02f310fcf47fa9311d6ba2946a8d19e7d7d11f37",
              "versionType": "git"
            },
            {
              "lessThan": "304fc34ff6fc8261138fd81f119e024ac3a129e9",
              "status": "affected",
              "version": "02f310fcf47fa9311d6ba2946a8d19e7d7d11f37",
              "versionType": "git"
            },
            {
              "lessThan": "a2d803fab8a6c6a874277cb80156dc114db91921",
              "status": "affected",
              "version": "02f310fcf47fa9311d6ba2946a8d19e7d7d11f37",
              "versionType": "git"
            },
            {
              "lessThan": "2b9da798ff0f4d026c5f0f815047393ebe7d8859",
              "status": "affected",
              "version": "02f310fcf47fa9311d6ba2946a8d19e7d7d11f37",
              "versionType": "git"
            },
            {
              "lessThan": "0a6ce20c156442a4ce2a404747bb0fb05d54eeb3",
              "status": "affected",
              "version": "02f310fcf47fa9311d6ba2946a8d19e7d7d11f37",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/orphan.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.195",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.157",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.54",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.195",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.157",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.113",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.54",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.4",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: verify orphan file size is not too big\n\nIn principle orphan file can be arbitrarily large. However orphan replay\nneeds to traverse it all and we also pin all its buffers in memory. Thus\nfilesystems with absurdly large orphan files can lead to big amounts of\nmemory consumed. Limit orphan file size to a sane value and also use\nkvmalloc() for allocating array of block descriptor structures to avoid\nlarge order allocations for sane but large orphan files."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-01T06:19:35.872Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/95a21611b14ae0a401720645245a8db16f040995"
        },
        {
          "url": "https://git.kernel.org/stable/c/566a1d6084563bd07433025aa23bcea4427de107"
        },
        {
          "url": "https://git.kernel.org/stable/c/304fc34ff6fc8261138fd81f119e024ac3a129e9"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2d803fab8a6c6a874277cb80156dc114db91921"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b9da798ff0f4d026c5f0f815047393ebe7d8859"
        },
        {
          "url": "https://git.kernel.org/stable/c/0a6ce20c156442a4ce2a404747bb0fb05d54eeb3"
        }
      ],
      "title": "ext4: verify orphan file size is not too big",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40179",
    "datePublished": "2025-11-12T21:56:24.882Z",
    "dateReserved": "2025-04-16T07:20:57.177Z",
    "dateUpdated": "2025-12-01T06:19:35.872Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68171 (GCVE-0-2025-68171)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:42 – Updated: 2025-12-16 13:42

Title

x86/fpu: Ensure XFD state on signal delivery

Summary

In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Ensure XFD state on signal delivery Sean reported [1] the following splat when running KVM tests: WARNING: CPU: 232 PID: 15391 at xfd_validate_state+0x65/0x70 Call Trace: <TASK> fpu__clear_user_states+0x9c/0x100 arch_do_signal_or_restart+0x142/0x210 exit_to_user_mode_loop+0x55/0x100 do_syscall_64+0x205/0x2c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Chao further identified [2] a reproducible scenario involving signal delivery: a non-AMX task is preempted by an AMX-enabled task which modifies the XFD MSR. When the non-AMX task resumes and reloads XSTATE with init values, a warning is triggered due to a mismatch between fpstate::xfd and the CPU's current XFD state. fpu__clear_user_states() does not currently re-synchronize the XFD state after such preemption. Invoke xfd_update_state() which detects and corrects the mismatch if there is a dynamic feature. This also benefits the sigreturn path, as fpu__restore_sig() may call fpu__clear_user_states() when the sigframe is inaccessible. [ dhansen: minor changelog munging ]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/eefbfb722042fc921…
	https://git.kernel.org/stable/c/1811c610653c0cd21…
	https://git.kernel.org/stable/c/5b2619b488f1d08b9…
	https://git.kernel.org/stable/c/3f735419c4b43cde4…
	https://git.kernel.org/stable/c/388eff894d6bc5f92…

Impacted products

Vendor

Product

Version

Linux

Affected: 672365477ae8afca5a1cca98c1deb733235e4525 , < eefbfb722042fc9210d2e0ac2b063fd1abf51895 (git)
Affected: 672365477ae8afca5a1cca98c1deb733235e4525 , < 1811c610653c0cd21cc9add14595b7cffaeca511 (git)
Affected: 672365477ae8afca5a1cca98c1deb733235e4525 , < 5b2619b488f1d08b960c43c6468dd0759e8b3035 (git)
Affected: 672365477ae8afca5a1cca98c1deb733235e4525 , < 3f735419c4b43cde42e6d408db39137b82474e31 (git)
Affected: 672365477ae8afca5a1cca98c1deb733235e4525 , < 388eff894d6bc5f921e9bfff0e4b0ab2684a96e9 (git)

Linux

Affected: 5.16
Unaffected: 0 , < 5.16 (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/fpu/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "eefbfb722042fc9210d2e0ac2b063fd1abf51895",
              "status": "affected",
              "version": "672365477ae8afca5a1cca98c1deb733235e4525",
              "versionType": "git"
            },
            {
              "lessThan": "1811c610653c0cd21cc9add14595b7cffaeca511",
              "status": "affected",
              "version": "672365477ae8afca5a1cca98c1deb733235e4525",
              "versionType": "git"
            },
            {
              "lessThan": "5b2619b488f1d08b960c43c6468dd0759e8b3035",
              "status": "affected",
              "version": "672365477ae8afca5a1cca98c1deb733235e4525",
              "versionType": "git"
            },
            {
              "lessThan": "3f735419c4b43cde42e6d408db39137b82474e31",
              "status": "affected",
              "version": "672365477ae8afca5a1cca98c1deb733235e4525",
              "versionType": "git"
            },
            {
              "lessThan": "388eff894d6bc5f921e9bfff0e4b0ab2684a96e9",
              "status": "affected",
              "version": "672365477ae8afca5a1cca98c1deb733235e4525",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/fpu/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.16"
            },
            {
              "lessThan": "5.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Ensure XFD state on signal delivery\n\nSean reported [1] the following splat when running KVM tests:\n\n   WARNING: CPU: 232 PID: 15391 at xfd_validate_state+0x65/0x70\n   Call Trace:\n    \u003cTASK\u003e\n    fpu__clear_user_states+0x9c/0x100\n    arch_do_signal_or_restart+0x142/0x210\n    exit_to_user_mode_loop+0x55/0x100\n    do_syscall_64+0x205/0x2c0\n    entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nChao further identified [2] a reproducible scenario involving signal\ndelivery: a non-AMX task is preempted by an AMX-enabled task which\nmodifies the XFD MSR.\n\nWhen the non-AMX task resumes and reloads XSTATE with init values,\na warning is triggered due to a mismatch between fpstate::xfd and the\nCPU\u0027s current XFD state. fpu__clear_user_states() does not currently\nre-synchronize the XFD state after such preemption.\n\nInvoke xfd_update_state() which detects and corrects the mismatch if\nthere is a dynamic feature.\n\nThis also benefits the sigreturn path, as fpu__restore_sig() may call\nfpu__clear_user_states() when the sigframe is inaccessible.\n\n[ dhansen: minor changelog munging ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T13:42:51.121Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/eefbfb722042fc9210d2e0ac2b063fd1abf51895"
        },
        {
          "url": "https://git.kernel.org/stable/c/1811c610653c0cd21cc9add14595b7cffaeca511"
        },
        {
          "url": "https://git.kernel.org/stable/c/5b2619b488f1d08b960c43c6468dd0759e8b3035"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f735419c4b43cde42e6d408db39137b82474e31"
        },
        {
          "url": "https://git.kernel.org/stable/c/388eff894d6bc5f921e9bfff0e4b0ab2684a96e9"
        }
      ],
      "title": "x86/fpu: Ensure XFD state on signal delivery",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68171",
    "datePublished": "2025-12-16T13:42:51.121Z",
    "dateReserved": "2025-12-16T13:41:40.251Z",
    "dateUpdated": "2025-12-16T13:42:51.121Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68302 (GCVE-0-2025-68302)

Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06

Title

net: sxgbe: fix potential NULL dereference in sxgbe_rx()

Summary

In the Linux kernel, the following vulnerability has been resolved: net: sxgbe: fix potential NULL dereference in sxgbe_rx() Currently, when skb is null, the driver prints an error and then dereferences skb on the next line. To fix this, let's add a 'break' after the error message to switch to sxgbe_rx_refill(), which is similar to the approach taken by the other drivers in this particular case, e.g. calxeda with xgmac_rx(). Found during a code review.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ac171c3c755499c9f…
	https://git.kernel.org/stable/c/18ef3ad1bb57dcf1a…
	https://git.kernel.org/stable/c/46e5332126596a2ca…
	https://git.kernel.org/stable/c/7fd789d6ea4915034…
	https://git.kernel.org/stable/c/45b5b4ddb8d6bea5f…
	https://git.kernel.org/stable/c/88f46c0be77bfe458…
	https://git.kernel.org/stable/c/f5bce28f6b9125502…

Impacted products

Vendor

Product

Version

Linux

Affected: 1edb9ca69e8a7988900fc0283e10550b5592164d , < ac171c3c755499c9f87fe30b920602255f8b5648 (git)
Affected: 1edb9ca69e8a7988900fc0283e10550b5592164d , < 18ef3ad1bb57dcf1a9ee61736039aedccf670b21 (git)
Affected: 1edb9ca69e8a7988900fc0283e10550b5592164d , < 46e5332126596a2ca791140feab18ce1fc1a3c86 (git)
Affected: 1edb9ca69e8a7988900fc0283e10550b5592164d , < 7fd789d6ea4915034eb6bcb72f6883c8151083e5 (git)
Affected: 1edb9ca69e8a7988900fc0283e10550b5592164d , < 45b5b4ddb8d6bea5fc1625ff6f163bbb125d49cc (git)
Affected: 1edb9ca69e8a7988900fc0283e10550b5592164d , < 88f46c0be77bfe45830ac33102c75be7c34ac3f3 (git)
Affected: 1edb9ca69e8a7988900fc0283e10550b5592164d , < f5bce28f6b9125502abec4a67d68eabcd24b3b17 (git)

Linux

Affected: 3.15
Unaffected: 0 , < 3.15 (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.119 , ≤ 6.6.* (semver)
Unaffected: 6.12.61 , ≤ 6.12.* (semver)
Unaffected: 6.17.11 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/samsung/sxgbe/sxgbe_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ac171c3c755499c9f87fe30b920602255f8b5648",
              "status": "affected",
              "version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
              "versionType": "git"
            },
            {
              "lessThan": "18ef3ad1bb57dcf1a9ee61736039aedccf670b21",
              "status": "affected",
              "version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
              "versionType": "git"
            },
            {
              "lessThan": "46e5332126596a2ca791140feab18ce1fc1a3c86",
              "status": "affected",
              "version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
              "versionType": "git"
            },
            {
              "lessThan": "7fd789d6ea4915034eb6bcb72f6883c8151083e5",
              "status": "affected",
              "version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
              "versionType": "git"
            },
            {
              "lessThan": "45b5b4ddb8d6bea5fc1625ff6f163bbb125d49cc",
              "status": "affected",
              "version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
              "versionType": "git"
            },
            {
              "lessThan": "88f46c0be77bfe45830ac33102c75be7c34ac3f3",
              "status": "affected",
              "version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
              "versionType": "git"
            },
            {
              "lessThan": "f5bce28f6b9125502abec4a67d68eabcd24b3b17",
              "status": "affected",
              "version": "1edb9ca69e8a7988900fc0283e10550b5592164d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/samsung/sxgbe/sxgbe_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.15"
            },
            {
              "lessThan": "3.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.119",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.119",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.61",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.11",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sxgbe: fix potential NULL dereference in sxgbe_rx()\n\nCurrently, when skb is null, the driver prints an error and then\ndereferences skb on the next line.\n\nTo fix this, let\u0027s add a \u0027break\u0027 after the error message to switch\nto sxgbe_rx_refill(), which is similar to the approach taken by the\nother drivers in this particular case, e.g. calxeda with xgmac_rx().\n\nFound during a code review."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T15:06:20.420Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ac171c3c755499c9f87fe30b920602255f8b5648"
        },
        {
          "url": "https://git.kernel.org/stable/c/18ef3ad1bb57dcf1a9ee61736039aedccf670b21"
        },
        {
          "url": "https://git.kernel.org/stable/c/46e5332126596a2ca791140feab18ce1fc1a3c86"
        },
        {
          "url": "https://git.kernel.org/stable/c/7fd789d6ea4915034eb6bcb72f6883c8151083e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/45b5b4ddb8d6bea5fc1625ff6f163bbb125d49cc"
        },
        {
          "url": "https://git.kernel.org/stable/c/88f46c0be77bfe45830ac33102c75be7c34ac3f3"
        },
        {
          "url": "https://git.kernel.org/stable/c/f5bce28f6b9125502abec4a67d68eabcd24b3b17"
        }
      ],
      "title": "net: sxgbe: fix potential NULL dereference in sxgbe_rx()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68302",
    "datePublished": "2025-12-16T15:06:20.420Z",
    "dateReserved": "2025-12-16T14:48:05.293Z",
    "dateUpdated": "2025-12-16T15:06:20.420Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50668 (GCVE-0-2022-50668)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29

Title

ext4: fix deadlock due to mbcache entry corruption

Summary

In the Linux kernel, the following vulnerability has been resolved: ext4: fix deadlock due to mbcache entry corruption When manipulating xattr blocks, we can deadlock infinitely looping inside ext4_xattr_block_set() where we constantly keep finding xattr block for reuse in mbcache but we are unable to reuse it because its reference count is too big. This happens because cache entry for the xattr block is marked as reusable (e_reusable set) although its reference count is too big. When this inconsistency happens, this inconsistent state is kept indefinitely and so ext4_xattr_block_set() keeps retrying indefinitely. The inconsistent state is caused by non-atomic update of e_reusable bit. e_reusable is part of a bitfield and e_reusable update can race with update of e_referenced bit in the same bitfield resulting in loss of one of the updates. Fix the problem by using atomic bitops instead. This bug has been around for many years, but it became *much* easier to hit after commit 65f8b80053a1 ("ext4: fix race when reusing xattr blocks").

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/efaa0ca678f56d473…
	https://git.kernel.org/stable/c/af53065276376750d…
	https://git.kernel.org/stable/c/1be16a0c2f10186df…
	https://git.kernel.org/stable/c/5bc0b2fda4b47c862…
	https://git.kernel.org/stable/c/127b80cefb941a812…
	https://git.kernel.org/stable/c/cc1538c693d25e282…
	https://git.kernel.org/stable/c/a44e84a9b7764c728…

Impacted products

Vendor

Product

Version

Linux

Affected: 6048c64b26097a0ffbd966866b599f990e674e9b , < efaa0ca678f56d47316a08030b2515678cebbc50 (git)
Affected: 6048c64b26097a0ffbd966866b599f990e674e9b , < af53065276376750dfac35a7248af18806404c5d (git)
Affected: 6048c64b26097a0ffbd966866b599f990e674e9b , < 1be16a0c2f10186df505e28b0cc92d7f3366e2a8 (git)
Affected: 6048c64b26097a0ffbd966866b599f990e674e9b , < 5bc0b2fda4b47c86278f7c6d30c211f425bf51cf (git)
Affected: 6048c64b26097a0ffbd966866b599f990e674e9b , < 127b80cefb941a81255c72f11081123f3a705369 (git)
Affected: 6048c64b26097a0ffbd966866b599f990e674e9b , < cc1538c693d25e282bed8c54b65c914a04023a78 (git)
Affected: 6048c64b26097a0ffbd966866b599f990e674e9b , < a44e84a9b7764c72896f7241a0ec9ac7e7ef38dd (git)

Linux

Affected: 4.6
Unaffected: 0 , < 4.6 (semver)
Unaffected: 4.19.270 , ≤ 4.19.* (semver)
Unaffected: 5.4.229 , ≤ 5.4.* (semver)
Unaffected: 5.10.163 , ≤ 5.10.* (semver)
Unaffected: 5.15.87 , ≤ 5.15.* (semver)
Unaffected: 6.0.18 , ≤ 6.0.* (semver)
Unaffected: 6.1.4 , ≤ 6.1.* (semver)
Unaffected: 6.2 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/xattr.c",
            "fs/mbcache.c",
            "include/linux/mbcache.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "efaa0ca678f56d47316a08030b2515678cebbc50",
              "status": "affected",
              "version": "6048c64b26097a0ffbd966866b599f990e674e9b",
              "versionType": "git"
            },
            {
              "lessThan": "af53065276376750dfac35a7248af18806404c5d",
              "status": "affected",
              "version": "6048c64b26097a0ffbd966866b599f990e674e9b",
              "versionType": "git"
            },
            {
              "lessThan": "1be16a0c2f10186df505e28b0cc92d7f3366e2a8",
              "status": "affected",
              "version": "6048c64b26097a0ffbd966866b599f990e674e9b",
              "versionType": "git"
            },
            {
              "lessThan": "5bc0b2fda4b47c86278f7c6d30c211f425bf51cf",
              "status": "affected",
              "version": "6048c64b26097a0ffbd966866b599f990e674e9b",
              "versionType": "git"
            },
            {
              "lessThan": "127b80cefb941a81255c72f11081123f3a705369",
              "status": "affected",
              "version": "6048c64b26097a0ffbd966866b599f990e674e9b",
              "versionType": "git"
            },
            {
              "lessThan": "cc1538c693d25e282bed8c54b65c914a04023a78",
              "status": "affected",
              "version": "6048c64b26097a0ffbd966866b599f990e674e9b",
              "versionType": "git"
            },
            {
              "lessThan": "a44e84a9b7764c72896f7241a0ec9ac7e7ef38dd",
              "status": "affected",
              "version": "6048c64b26097a0ffbd966866b599f990e674e9b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/xattr.c",
            "fs/mbcache.c",
            "include/linux/mbcache.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.6"
            },
            {
              "lessThan": "4.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.270",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.229",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.163",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.270",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.229",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.163",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.87",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.18",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.4",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix deadlock due to mbcache entry corruption\n\nWhen manipulating xattr blocks, we can deadlock infinitely looping\ninside ext4_xattr_block_set() where we constantly keep finding xattr\nblock for reuse in mbcache but we are unable to reuse it because its\nreference count is too big. This happens because cache entry for the\nxattr block is marked as reusable (e_reusable set) although its\nreference count is too big. When this inconsistency happens, this\ninconsistent state is kept indefinitely and so ext4_xattr_block_set()\nkeeps retrying indefinitely.\n\nThe inconsistent state is caused by non-atomic update of e_reusable bit.\ne_reusable is part of a bitfield and e_reusable update can race with\nupdate of e_referenced bit in the same bitfield resulting in loss of one\nof the updates. Fix the problem by using atomic bitops instead.\n\nThis bug has been around for many years, but it became *much* easier\nto hit after commit 65f8b80053a1 (\"ext4: fix race when reusing xattr\nblocks\")."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:29:19.526Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/efaa0ca678f56d47316a08030b2515678cebbc50"
        },
        {
          "url": "https://git.kernel.org/stable/c/af53065276376750dfac35a7248af18806404c5d"
        },
        {
          "url": "https://git.kernel.org/stable/c/1be16a0c2f10186df505e28b0cc92d7f3366e2a8"
        },
        {
          "url": "https://git.kernel.org/stable/c/5bc0b2fda4b47c86278f7c6d30c211f425bf51cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/127b80cefb941a81255c72f11081123f3a705369"
        },
        {
          "url": "https://git.kernel.org/stable/c/cc1538c693d25e282bed8c54b65c914a04023a78"
        },
        {
          "url": "https://git.kernel.org/stable/c/a44e84a9b7764c72896f7241a0ec9ac7e7ef38dd"
        }
      ],
      "title": "ext4: fix deadlock due to mbcache entry corruption",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50668",
    "datePublished": "2025-12-09T01:29:19.526Z",
    "dateReserved": "2025-12-09T01:26:45.990Z",
    "dateUpdated": "2025-12-09T01:29:19.526Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68215 (GCVE-0-2025-68215)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:57 – Updated: 2025-12-16 13:57

Title

ice: fix PTP cleanup on driver removal in error path

Summary

In the Linux kernel, the following vulnerability has been resolved: ice: fix PTP cleanup on driver removal in error path Improve the cleanup on releasing PTP resources in error path. The error case might happen either at the driver probe and PTP feature initialization or on PTP restart (errors in reset handling, NVM update etc). In both cases, calls to PF PTP cleanup (ice_ptp_cleanup_pf function) and 'ps_lock' mutex deinitialization were missed. Additionally, ptp clock was not unregistered in the latter case. Keep PTP state as 'uninitialized' on init to distinguish between error scenarios and to avoid resource release duplication at driver removal. The consequence of missing ice_ptp_cleanup_pf call is the following call trace dumped when ice_adapter object is freed (port list is not empty, as it is required at this stage): [ T93022] ------------[ cut here ]------------ [ T93022] WARNING: CPU: 10 PID: 93022 at ice/ice_adapter.c:67 ice_adapter_put+0xef/0x100 [ice] ... [ T93022] RIP: 0010:ice_adapter_put+0xef/0x100 [ice] ... [ T93022] Call Trace: [ T93022] <TASK> [ T93022] ? ice_adapter_put+0xef/0x100 [ice 33d2647ad4f6d866d41eefff1806df37c68aef0c] [ T93022] ? __warn.cold+0xb0/0x10e [ T93022] ? ice_adapter_put+0xef/0x100 [ice 33d2647ad4f6d866d41eefff1806df37c68aef0c] [ T93022] ? report_bug+0xd8/0x150 [ T93022] ? handle_bug+0xe9/0x110 [ T93022] ? exc_invalid_op+0x17/0x70 [ T93022] ? asm_exc_invalid_op+0x1a/0x20 [ T93022] ? ice_adapter_put+0xef/0x100 [ice 33d2647ad4f6d866d41eefff1806df37c68aef0c] [ T93022] pci_device_remove+0x42/0xb0 [ T93022] device_release_driver_internal+0x19f/0x200 [ T93022] driver_detach+0x48/0x90 [ T93022] bus_remove_driver+0x70/0xf0 [ T93022] pci_unregister_driver+0x42/0xb0 [ T93022] ice_module_exit+0x10/0xdb0 [ice 33d2647ad4f6d866d41eefff1806df37c68aef0c] ... [ T93022] ---[ end trace 0000000000000000 ]--- [ T93022] ice: module unloaded

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f5eb91f876ebecbcd…
	https://git.kernel.org/stable/c/765236f2c4fbba765…
	https://git.kernel.org/stable/c/23a5b9b12de9dcd15…

Impacted products

Vendor

Product

Version

Linux

Affected: 2f59743be4d9568cad2d9cf697d1b897975421ed , < f5eb91f876ebecbcd90f9edcaea98dcb354603b3 (git)
Affected: e800654e85b5b27966fc6493201f5f8cf658beb6 , < 765236f2c4fbba7650436b71a0e350500e9ec15f (git)
Affected: e800654e85b5b27966fc6493201f5f8cf658beb6 , < 23a5b9b12de9dcd15ebae4f1abc8814ec1c51ab0 (git)

Linux

Affected: 6.13
Unaffected: 0 , < 6.13 (semver)
Unaffected: 6.12.60 , ≤ 6.12.* (semver)
Unaffected: 6.17.10 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/ice/ice_ptp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f5eb91f876ebecbcd90f9edcaea98dcb354603b3",
              "status": "affected",
              "version": "2f59743be4d9568cad2d9cf697d1b897975421ed",
              "versionType": "git"
            },
            {
              "lessThan": "765236f2c4fbba7650436b71a0e350500e9ec15f",
              "status": "affected",
              "version": "e800654e85b5b27966fc6493201f5f8cf658beb6",
              "versionType": "git"
            },
            {
              "lessThan": "23a5b9b12de9dcd15ebae4f1abc8814ec1c51ab0",
              "status": "affected",
              "version": "e800654e85b5b27966fc6493201f5f8cf658beb6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/ice/ice_ptp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.60",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.60",
                  "versionStartIncluding": "6.12.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.10",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix PTP cleanup on driver removal in error path\n\nImprove the cleanup on releasing PTP resources in error path.\nThe error case might happen either at the driver probe and PTP\nfeature initialization or on PTP restart (errors in reset handling, NVM\nupdate etc). In both cases, calls to PF PTP cleanup (ice_ptp_cleanup_pf\nfunction) and \u0027ps_lock\u0027 mutex deinitialization were missed.\nAdditionally, ptp clock was not unregistered in the latter case.\n\nKeep PTP state as \u0027uninitialized\u0027 on init to distinguish between error\nscenarios and to avoid resource release duplication at driver removal.\n\nThe consequence of missing ice_ptp_cleanup_pf call is the following call\ntrace dumped when ice_adapter object is freed (port list is not empty,\nas it is required at this stage):\n\n[  T93022] ------------[ cut here ]------------\n[  T93022] WARNING: CPU: 10 PID: 93022 at\nice/ice_adapter.c:67 ice_adapter_put+0xef/0x100 [ice]\n...\n[  T93022] RIP: 0010:ice_adapter_put+0xef/0x100 [ice]\n...\n[  T93022] Call Trace:\n[  T93022]  \u003cTASK\u003e\n[  T93022]  ? ice_adapter_put+0xef/0x100 [ice\n33d2647ad4f6d866d41eefff1806df37c68aef0c]\n[  T93022]  ? __warn.cold+0xb0/0x10e\n[  T93022]  ? ice_adapter_put+0xef/0x100 [ice\n33d2647ad4f6d866d41eefff1806df37c68aef0c]\n[  T93022]  ? report_bug+0xd8/0x150\n[  T93022]  ? handle_bug+0xe9/0x110\n[  T93022]  ? exc_invalid_op+0x17/0x70\n[  T93022]  ? asm_exc_invalid_op+0x1a/0x20\n[  T93022]  ? ice_adapter_put+0xef/0x100 [ice\n33d2647ad4f6d866d41eefff1806df37c68aef0c]\n[  T93022]  pci_device_remove+0x42/0xb0\n[  T93022]  device_release_driver_internal+0x19f/0x200\n[  T93022]  driver_detach+0x48/0x90\n[  T93022]  bus_remove_driver+0x70/0xf0\n[  T93022]  pci_unregister_driver+0x42/0xb0\n[  T93022]  ice_module_exit+0x10/0xdb0 [ice\n33d2647ad4f6d866d41eefff1806df37c68aef0c]\n...\n[  T93022] ---[ end trace 0000000000000000 ]---\n[  T93022] ice: module unloaded"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T13:57:10.576Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f5eb91f876ebecbcd90f9edcaea98dcb354603b3"
        },
        {
          "url": "https://git.kernel.org/stable/c/765236f2c4fbba7650436b71a0e350500e9ec15f"
        },
        {
          "url": "https://git.kernel.org/stable/c/23a5b9b12de9dcd15ebae4f1abc8814ec1c51ab0"
        }
      ],
      "title": "ice: fix PTP cleanup on driver removal in error path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68215",
    "datePublished": "2025-12-16T13:57:10.576Z",
    "dateReserved": "2025-12-16T13:41:40.256Z",
    "dateUpdated": "2025-12-16T13:57:10.576Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68327 (GCVE-0-2025-68327)

Vulnerability from cvelistv5 – Published: 2025-12-22 16:12 – Updated: 2025-12-22 16:13

Title

usb: renesas_usbhs: Fix synchronous external abort on unbind

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: renesas_usbhs: Fix synchronous external abort on unbind A synchronous external abort occurs on the Renesas RZ/G3S SoC if unbind is executed after the configuration sequence described above: modprobe usb_f_ecm modprobe libcomposite modprobe configfs cd /sys/kernel/config/usb_gadget mkdir -p g1 cd g1 echo "0x1d6b" > idVendor echo "0x0104" > idProduct mkdir -p strings/0x409 echo "0123456789" > strings/0x409/serialnumber echo "Renesas." > strings/0x409/manufacturer echo "Ethernet Gadget" > strings/0x409/product mkdir -p functions/ecm.usb0 mkdir -p configs/c.1 mkdir -p configs/c.1/strings/0x409 echo "ECM" > configs/c.1/strings/0x409/configuration if [ ! -L configs/c.1/ecm.usb0 ]; then ln -s functions/ecm.usb0 configs/c.1 fi echo 11e20000.usb > UDC echo 11e20000.usb > /sys/bus/platform/drivers/renesas_usbhs/unbind The displayed trace is as follows: Internal error: synchronous external abort: 0000000096000010 [#1] SMP CPU: 0 UID: 0 PID: 188 Comm: sh Tainted: G M 6.17.0-rc7-next-20250922-00010-g41050493b2bd #55 PREEMPT Tainted: [M]=MACHINE_CHECK Hardware name: Renesas SMARC EVK version 2 based on r9a08g045s33 (DT) pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs] lr : usbhsg_update_pullup+0x3c/0x68 [renesas_usbhs] sp : ffff8000838b3920 x29: ffff8000838b3920 x28: ffff00000d585780 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000000 x24: ffff00000c3e3810 x23: ffff00000d5e5c80 x22: ffff00000d5e5d40 x21: 0000000000000000 x20: 0000000000000000 x19: ffff00000d5e5c80 x18: 0000000000000020 x17: 2e30303230316531 x16: 312d7968703a7968 x15: 3d454d414e5f4344 x14: 000000000000002c x13: 0000000000000000 x12: 0000000000000000 x11: ffff00000f358f38 x10: ffff00000f358db0 x9 : ffff00000b41f418 x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d x5 : 8080808000000000 x4 : 000000004b5ccb9d x3 : 0000000000000000 x2 : 0000000000000000 x1 : ffff800083790000 x0 : ffff00000d5e5c80 Call trace: usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs] (P) usbhsg_pullup+0x4c/0x7c [renesas_usbhs] usb_gadget_disconnect_locked+0x48/0xd4 gadget_unbind_driver+0x44/0x114 device_remove+0x4c/0x80 device_release_driver_internal+0x1c8/0x224 device_release_driver+0x18/0x24 bus_remove_device+0xcc/0x10c device_del+0x14c/0x404 usb_del_gadget+0x88/0xc0 usb_del_gadget_udc+0x18/0x30 usbhs_mod_gadget_remove+0x24/0x44 [renesas_usbhs] usbhs_mod_remove+0x20/0x30 [renesas_usbhs] usbhs_remove+0x98/0xdc [renesas_usbhs] platform_remove+0x20/0x30 device_remove+0x4c/0x80 device_release_driver_internal+0x1c8/0x224 device_driver_detach+0x18/0x24 unbind_store+0xb4/0xb8 drv_attr_store+0x24/0x38 sysfs_kf_write+0x7c/0x94 kernfs_fop_write_iter+0x128/0x1b8 vfs_write+0x2ac/0x350 ksys_write+0x68/0xfc __arm64_sys_write+0x1c/0x28 invoke_syscall+0x48/0x110 el0_svc_common.constprop.0+0xc0/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xf0 el0t_64_sync_handler+0xa0/0xe4 el0t_64_sync+0x198/0x19c Code: 7100003f 1a9f07e1 531c6c22 f9400001 (79400021) ---[ end trace 0000000000000000 ]--- note: sh[188] exited with irqs disabled note: sh[188] exited with preempt_count 1 The issue occurs because usbhs_sys_function_pullup(), which accesses the IP registers, is executed after the USBHS clocks have been disabled. The problem is reproducible on the Renesas RZ/G3S SoC starting with the addition of module stop in the clock enable/disable APIs. With module stop functionality enabled, a bus error is expected if a master accesses a module whose clock has been stopped and module stop activated. Disable the IP clocks at the end of remove.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/fd1a7bf3a8cac13f6…
	https://git.kernel.org/stable/c/cd5e86e34c66a831b…
	https://git.kernel.org/stable/c/230b1bc1310edcd5c…
	https://git.kernel.org/stable/c/9d86bc8b188a77c8d…
	https://git.kernel.org/stable/c/26838f147aeaa8f82…
	https://git.kernel.org/stable/c/aa658a6d5ac21c7cd…
	https://git.kernel.org/stable/c/eb9ac779830b22358…

Impacted products

Vendor

Product

Version

Linux

Affected: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 , < fd1a7bf3a8cac13f6d2d52d8c7570ba41621db9a (git)
Affected: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 , < cd5e86e34c66a831b5cb9b720ad411a006962cc8 (git)
Affected: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 , < 230b1bc1310edcd5c1b71dcd6b77ccba43139cb5 (git)
Affected: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 , < 9d86bc8b188a77c8d6f7252280ec2bd24ad6fbc1 (git)
Affected: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 , < 26838f147aeaa8f820ff799d72815fba5e209bd9 (git)
Affected: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 , < aa658a6d5ac21c7cde54c6d015f2d4daff32e02d (git)
Affected: f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 , < eb9ac779830b2235847b72cb15cf07c7e3333c5e (git)

Linux

Affected: 3.0
Unaffected: 0 , < 3.0 (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.119 , ≤ 6.6.* (semver)
Unaffected: 6.12.61 , ≤ 6.12.* (semver)
Unaffected: 6.17.11 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/renesas_usbhs/common.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fd1a7bf3a8cac13f6d2d52d8c7570ba41621db9a",
              "status": "affected",
              "version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
              "versionType": "git"
            },
            {
              "lessThan": "cd5e86e34c66a831b5cb9b720ad411a006962cc8",
              "status": "affected",
              "version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
              "versionType": "git"
            },
            {
              "lessThan": "230b1bc1310edcd5c1b71dcd6b77ccba43139cb5",
              "status": "affected",
              "version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
              "versionType": "git"
            },
            {
              "lessThan": "9d86bc8b188a77c8d6f7252280ec2bd24ad6fbc1",
              "status": "affected",
              "version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
              "versionType": "git"
            },
            {
              "lessThan": "26838f147aeaa8f820ff799d72815fba5e209bd9",
              "status": "affected",
              "version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
              "versionType": "git"
            },
            {
              "lessThan": "aa658a6d5ac21c7cde54c6d015f2d4daff32e02d",
              "status": "affected",
              "version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
              "versionType": "git"
            },
            {
              "lessThan": "eb9ac779830b2235847b72cb15cf07c7e3333c5e",
              "status": "affected",
              "version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/renesas_usbhs/common.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.0"
            },
            {
              "lessThan": "3.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.119",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.119",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.61",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.11",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: renesas_usbhs: Fix synchronous external abort on unbind\n\nA synchronous external abort occurs on the Renesas RZ/G3S SoC if unbind is\nexecuted after the configuration sequence described above:\n\nmodprobe usb_f_ecm\nmodprobe libcomposite\nmodprobe configfs\ncd /sys/kernel/config/usb_gadget\nmkdir -p g1\ncd g1\necho \"0x1d6b\" \u003e idVendor\necho \"0x0104\" \u003e idProduct\nmkdir -p strings/0x409\necho \"0123456789\" \u003e strings/0x409/serialnumber\necho \"Renesas.\" \u003e strings/0x409/manufacturer\necho \"Ethernet Gadget\" \u003e strings/0x409/product\nmkdir -p functions/ecm.usb0\nmkdir -p configs/c.1\nmkdir -p configs/c.1/strings/0x409\necho \"ECM\" \u003e configs/c.1/strings/0x409/configuration\n\nif [ ! -L configs/c.1/ecm.usb0 ]; then\n        ln -s functions/ecm.usb0 configs/c.1\nfi\n\necho 11e20000.usb \u003e UDC\necho 11e20000.usb \u003e /sys/bus/platform/drivers/renesas_usbhs/unbind\n\nThe displayed trace is as follows:\n\n Internal error: synchronous external abort: 0000000096000010 [#1] SMP\n CPU: 0 UID: 0 PID: 188 Comm: sh Tainted: G M 6.17.0-rc7-next-20250922-00010-g41050493b2bd #55 PREEMPT\n Tainted: [M]=MACHINE_CHECK\n Hardware name: Renesas SMARC EVK version 2 based on r9a08g045s33 (DT)\n pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs]\n lr : usbhsg_update_pullup+0x3c/0x68 [renesas_usbhs]\n sp : ffff8000838b3920\n x29: ffff8000838b3920 x28: ffff00000d585780 x27: 0000000000000000\n x26: 0000000000000000 x25: 0000000000000000 x24: ffff00000c3e3810\n x23: ffff00000d5e5c80 x22: ffff00000d5e5d40 x21: 0000000000000000\n x20: 0000000000000000 x19: ffff00000d5e5c80 x18: 0000000000000020\n x17: 2e30303230316531 x16: 312d7968703a7968 x15: 3d454d414e5f4344\n x14: 000000000000002c x13: 0000000000000000 x12: 0000000000000000\n x11: ffff00000f358f38 x10: ffff00000f358db0 x9 : ffff00000b41f418\n x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d\n x5 : 8080808000000000 x4 : 000000004b5ccb9d x3 : 0000000000000000\n x2 : 0000000000000000 x1 : ffff800083790000 x0 : ffff00000d5e5c80\n Call trace:\n usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs] (P)\n usbhsg_pullup+0x4c/0x7c [renesas_usbhs]\n usb_gadget_disconnect_locked+0x48/0xd4\n gadget_unbind_driver+0x44/0x114\n device_remove+0x4c/0x80\n device_release_driver_internal+0x1c8/0x224\n device_release_driver+0x18/0x24\n bus_remove_device+0xcc/0x10c\n device_del+0x14c/0x404\n usb_del_gadget+0x88/0xc0\n usb_del_gadget_udc+0x18/0x30\n usbhs_mod_gadget_remove+0x24/0x44 [renesas_usbhs]\n usbhs_mod_remove+0x20/0x30 [renesas_usbhs]\n usbhs_remove+0x98/0xdc [renesas_usbhs]\n platform_remove+0x20/0x30\n device_remove+0x4c/0x80\n device_release_driver_internal+0x1c8/0x224\n device_driver_detach+0x18/0x24\n unbind_store+0xb4/0xb8\n drv_attr_store+0x24/0x38\n sysfs_kf_write+0x7c/0x94\n kernfs_fop_write_iter+0x128/0x1b8\n vfs_write+0x2ac/0x350\n ksys_write+0x68/0xfc\n __arm64_sys_write+0x1c/0x28\n invoke_syscall+0x48/0x110\n el0_svc_common.constprop.0+0xc0/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x34/0xf0\n el0t_64_sync_handler+0xa0/0xe4\n el0t_64_sync+0x198/0x19c\n Code: 7100003f 1a9f07e1 531c6c22 f9400001 (79400021)\n ---[ end trace 0000000000000000 ]---\n note: sh[188] exited with irqs disabled\n note: sh[188] exited with preempt_count 1\n\nThe issue occurs because usbhs_sys_function_pullup(), which accesses the IP\nregisters, is executed after the USBHS clocks have been disabled. The\nproblem is reproducible on the Renesas RZ/G3S SoC starting with the\naddition of module stop in the clock enable/disable APIs. With module stop\nfunctionality enabled, a bus error is expected if a master accesses a\nmodule whose clock has been stopped and module stop activated.\n\nDisable the IP clocks at the end of remove."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-22T16:13:58.409Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fd1a7bf3a8cac13f6d2d52d8c7570ba41621db9a"
        },
        {
          "url": "https://git.kernel.org/stable/c/cd5e86e34c66a831b5cb9b720ad411a006962cc8"
        },
        {
          "url": "https://git.kernel.org/stable/c/230b1bc1310edcd5c1b71dcd6b77ccba43139cb5"
        },
        {
          "url": "https://git.kernel.org/stable/c/9d86bc8b188a77c8d6f7252280ec2bd24ad6fbc1"
        },
        {
          "url": "https://git.kernel.org/stable/c/26838f147aeaa8f820ff799d72815fba5e209bd9"
        },
        {
          "url": "https://git.kernel.org/stable/c/aa658a6d5ac21c7cde54c6d015f2d4daff32e02d"
        },
        {
          "url": "https://git.kernel.org/stable/c/eb9ac779830b2235847b72cb15cf07c7e3333c5e"
        }
      ],
      "title": "usb: renesas_usbhs: Fix synchronous external abort on unbind",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68327",
    "datePublished": "2025-12-22T16:12:21.402Z",
    "dateReserved": "2025-12-16T14:48:05.296Z",
    "dateUpdated": "2025-12-22T16:13:58.409Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40214 (GCVE-0-2025-40214)

Vulnerability from cvelistv5 – Published: 2025-12-04 12:38 – Updated: 2025-12-06 21:38

Title

af_unix: Initialise scc_index in unix_add_edge().

Summary

In the Linux kernel, the following vulnerability has been resolved: af_unix: Initialise scc_index in unix_add_edge(). Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro. The repro consists of three stages. 1) 1-a. Create a single cyclic reference with many sockets 1-b. close() all sockets 1-c. Trigger GC 2) 2-a. Pass sk-A to an embryo sk-B 2-b. Pass sk-X to sk-X 2-c. Trigger GC 3) 3-a. accept() the embryo sk-B 3-b. Pass sk-B to sk-C 3-c. close() the in-flight sk-A 3-d. Trigger GC As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices, and unix_walk_scc() groups them into two different SCCs: unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START) unix_sk(sk-X)->vertex->scc_index = 3 Once GC completes, unix_graph_grouped is set to true. Also, unix_graph_maybe_cyclic is set to true due to sk-X's cyclic self-reference, which makes close() trigger GC. At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and links it to unix_unvisited_vertices. unix_update_graph() is called at 3-a. and 3-b., but neither unix_graph_grouped nor unix_graph_maybe_cyclic is changed because both sk-B's listener and sk-C are not in-flight. 3-c decrements sk-A's file refcnt to 1. Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast() is finally called and iterates 3 sockets sk-A, sk-B, and sk-X: sk-A -> sk-B (-> sk-C) sk-X -> sk-X This is totally fine. All of them are not yet close()d and should be grouped into different SCCs. However, unix_vertex_dead() misjudges that sk-A and sk-B are in the same SCC and sk-A is dead. unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong! && sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree ^-- 1 in-flight count for sk-B -> sk-A is dead !? The problem is that unix_add_edge() does not initialise scc_index. Stage 1) is used for heap spraying, making a newly allocated vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START) set by unix_walk_scc() at 1-c. Let's track the max SCC index from the previous unix_walk_scc() call and assign the max + 1 to a new vertex's scc_index. This way, we can continue to avoid Tarjan's algorithm while preventing misjudgments.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/20003fbb9174121b2…
	https://git.kernel.org/stable/c/4cd8d755c7d4f515d…
	https://git.kernel.org/stable/c/db81ad20fd8aef7cc…
	https://git.kernel.org/stable/c/1aa7e40ee850c9053…
	https://git.kernel.org/stable/c/60e6489f8e3b086bd…

Impacted products

Vendor

Product

Version

Linux

Affected: adfb68b39b39767d6bfb53e48c4f19c183765686 , < 20003fbb9174121b27bd1da6ebe61542ac4c327d (git)
Affected: d23802221f6755e104606864067c71af8cdb6788 , < 4cd8d755c7d4f515dd9abf483316aca2f1b7b0f3 (git)
Affected: ad081928a8b0f57f269df999a28087fce6f2b6ce , < db81ad20fd8aef7cc7d536c52ee5ea4c1f979128 (git)
Affected: ad081928a8b0f57f269df999a28087fce6f2b6ce , < 1aa7e40ee850c9053e769957ce6541173891204d (git)
Affected: ad081928a8b0f57f269df999a28087fce6f2b6ce , < 60e6489f8e3b086bd1130ad4450a2c112e863791 (git)

Linux

Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.59 , ≤ 6.12.* (semver)
Unaffected: 6.17.9 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/unix/garbage.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "20003fbb9174121b27bd1da6ebe61542ac4c327d",
              "status": "affected",
              "version": "adfb68b39b39767d6bfb53e48c4f19c183765686",
              "versionType": "git"
            },
            {
              "lessThan": "4cd8d755c7d4f515dd9abf483316aca2f1b7b0f3",
              "status": "affected",
              "version": "d23802221f6755e104606864067c71af8cdb6788",
              "versionType": "git"
            },
            {
              "lessThan": "db81ad20fd8aef7cc7d536c52ee5ea4c1f979128",
              "status": "affected",
              "version": "ad081928a8b0f57f269df999a28087fce6f2b6ce",
              "versionType": "git"
            },
            {
              "lessThan": "1aa7e40ee850c9053e769957ce6541173891204d",
              "status": "affected",
              "version": "ad081928a8b0f57f269df999a28087fce6f2b6ce",
              "versionType": "git"
            },
            {
              "lessThan": "60e6489f8e3b086bd1130ad4450a2c112e863791",
              "status": "affected",
              "version": "ad081928a8b0f57f269df999a28087fce6f2b6ce",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/unix/garbage.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "6.1.141",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "6.6.93",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Initialise scc_index in unix_add_edge().\n\nQuang Le reported that the AF_UNIX GC could garbage-collect a\nreceive queue of an alive in-flight socket, with a nice repro.\n\nThe repro consists of three stages.\n\n  1)\n    1-a. Create a single cyclic reference with many sockets\n    1-b. close() all sockets\n    1-c. Trigger GC\n\n  2)\n    2-a. Pass sk-A to an embryo sk-B\n    2-b. Pass sk-X to sk-X\n    2-c. Trigger GC\n\n  3)\n    3-a. accept() the embryo sk-B\n    3-b. Pass sk-B to sk-C\n    3-c. close() the in-flight sk-A\n    3-d. Trigger GC\n\nAs of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices,\nand unix_walk_scc() groups them into two different SCCs:\n\n  unix_sk(sk-A)-\u003evertex-\u003escc_index = 2 (UNIX_VERTEX_INDEX_START)\n  unix_sk(sk-X)-\u003evertex-\u003escc_index = 3\n\nOnce GC completes, unix_graph_grouped is set to true.\nAlso, unix_graph_maybe_cyclic is set to true due to sk-X\u0027s\ncyclic self-reference, which makes close() trigger GC.\n\nAt 3-b, unix_add_edge() allocates unix_sk(sk-B)-\u003evertex and\nlinks it to unix_unvisited_vertices.\n\nunix_update_graph() is called at 3-a. and 3-b., but neither\nunix_graph_grouped nor unix_graph_maybe_cyclic is changed\nbecause both sk-B\u0027s listener and sk-C are not in-flight.\n\n3-c decrements sk-A\u0027s file refcnt to 1.\n\nSince unix_graph_grouped is true at 3-d, unix_walk_scc_fast()\nis finally called and iterates 3 sockets sk-A, sk-B, and sk-X:\n\n  sk-A -\u003e sk-B (-\u003e sk-C)\n  sk-X -\u003e sk-X\n\nThis is totally fine.  All of them are not yet close()d and\nshould be grouped into different SCCs.\n\nHowever, unix_vertex_dead() misjudges that sk-A and sk-B are\nin the same SCC and sk-A is dead.\n\n  unix_sk(sk-A)-\u003escc_index == unix_sk(sk-B)-\u003escc_index \u003c-- Wrong!\n  \u0026\u0026\n  sk-A\u0027s file refcnt == unix_sk(sk-A)-\u003evertex-\u003eout_degree\n                                       ^-- 1 in-flight count for sk-B\n  -\u003e sk-A is dead !?\n\nThe problem is that unix_add_edge() does not initialise scc_index.\n\nStage 1) is used for heap spraying, making a newly allocated\nvertex have vertex-\u003escc_index == 2 (UNIX_VERTEX_INDEX_START)\nset by unix_walk_scc() at 1-c.\n\nLet\u0027s track the max SCC index from the previous unix_walk_scc()\ncall and assign the max + 1 to a new vertex\u0027s scc_index.\n\nThis way, we can continue to avoid Tarjan\u0027s algorithm while\npreventing misjudgments."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-06T21:38:44.451Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/20003fbb9174121b27bd1da6ebe61542ac4c327d"
        },
        {
          "url": "https://git.kernel.org/stable/c/4cd8d755c7d4f515dd9abf483316aca2f1b7b0f3"
        },
        {
          "url": "https://git.kernel.org/stable/c/db81ad20fd8aef7cc7d536c52ee5ea4c1f979128"
        },
        {
          "url": "https://git.kernel.org/stable/c/1aa7e40ee850c9053e769957ce6541173891204d"
        },
        {
          "url": "https://git.kernel.org/stable/c/60e6489f8e3b086bd1130ad4450a2c112e863791"
        }
      ],
      "title": "af_unix: Initialise scc_index in unix_add_edge().",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40214",
    "datePublished": "2025-12-04T12:38:31.601Z",
    "dateReserved": "2025-04-16T07:20:57.179Z",
    "dateUpdated": "2025-12-06T21:38:44.451Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40242 (GCVE-0-2025-40242)

Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2026-01-02 15:33

Title

gfs2: Fix unlikely race in gdlm_put_lock

Summary

In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix unlikely race in gdlm_put_lock In gdlm_put_lock(), there is a small window of time in which the DFL_UNMOUNT flag has been set but the lockspace hasn't been released, yet. In that window, dlm may still call gdlm_ast() and gdlm_bast(). To prevent it from dereferencing freed glock objects, only free the glock if the lockspace has actually been released.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/279bde3bbb0ac0bad…
	https://git.kernel.org/stable/c/64c61b4ac645222fa…
	https://git.kernel.org/stable/c/28c4d9bc0708956c1…

Impacted products

Vendor

Product

Version

Linux

Affected: d1340f80f0b8066321b499a376780da00560e857 , < 279bde3bbb0ac0bad5c729dfa85983d75a5d7641 (git)
Affected: d1340f80f0b8066321b499a376780da00560e857 , < 64c61b4ac645222fa7b724cef616c1f862a72a40 (git)
Affected: d1340f80f0b8066321b499a376780da00560e857 , < 28c4d9bc0708956c1a736a9e49fee71b65deee81 (git)
Affected: 6aa628c45875e7b8cca81ed9447a12a0e8f3504a (git)
Affected: a97e75203733be0a4263a78fb7b29352be150c1c (git)
Affected: 3554b46204e67333e1fb8be0e93936fb08267c80 (git)
Affected: 5cff77b9827a956d076168b56775aad23bce87e4 (git)
Affected: 8deedce385d220f90e435f534d71d27526273515 (git)
Affected: 2225a5cd2fbc2ef0e0f78e585db3844f60416a39 (git)
Affected: 02e838963fdaa6ce8570b5389aecdc6cf1fb40b0 (git)
Affected: 01eb3106f43335fdc02111358dae80a5c3fd324d (git)

Linux

Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 6.12.56 , ≤ 6.12.* (semver)
Unaffected: 6.17.6 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/gfs2/lock_dlm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "279bde3bbb0ac0bad5c729dfa85983d75a5d7641",
              "status": "affected",
              "version": "d1340f80f0b8066321b499a376780da00560e857",
              "versionType": "git"
            },
            {
              "lessThan": "64c61b4ac645222fa7b724cef616c1f862a72a40",
              "status": "affected",
              "version": "d1340f80f0b8066321b499a376780da00560e857",
              "versionType": "git"
            },
            {
              "lessThan": "28c4d9bc0708956c1a736a9e49fee71b65deee81",
              "status": "affected",
              "version": "d1340f80f0b8066321b499a376780da00560e857",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "6aa628c45875e7b8cca81ed9447a12a0e8f3504a",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a97e75203733be0a4263a78fb7b29352be150c1c",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3554b46204e67333e1fb8be0e93936fb08267c80",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "5cff77b9827a956d076168b56775aad23bce87e4",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "8deedce385d220f90e435f534d71d27526273515",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "2225a5cd2fbc2ef0e0f78e585db3844f60416a39",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "02e838963fdaa6ce8570b5389aecdc6cf1fb40b0",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "01eb3106f43335fdc02111358dae80a5c3fd324d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/gfs2/lock_dlm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.56",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.56",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.6",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.4.284",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.9.283",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.247",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.207",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.148",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.10.67",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.13.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.14.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix unlikely race in gdlm_put_lock\n\nIn gdlm_put_lock(), there is a small window of time in which the\nDFL_UNMOUNT flag has been set but the lockspace hasn\u0027t been released,\nyet.  In that window, dlm may still call gdlm_ast() and gdlm_bast().\nTo prevent it from dereferencing freed glock objects, only free the\nglock if the lockspace has actually been released."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:33:11.131Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/279bde3bbb0ac0bad5c729dfa85983d75a5d7641"
        },
        {
          "url": "https://git.kernel.org/stable/c/64c61b4ac645222fa7b724cef616c1f862a72a40"
        },
        {
          "url": "https://git.kernel.org/stable/c/28c4d9bc0708956c1a736a9e49fee71b65deee81"
        }
      ],
      "title": "gfs2: Fix unlikely race in gdlm_put_lock",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40242",
    "datePublished": "2025-12-04T15:31:31.497Z",
    "dateReserved": "2025-04-16T07:20:57.181Z",
    "dateUpdated": "2026-01-02T15:33:11.131Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40254 (GCVE-0-2025-40254)

Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-06 21:38

Title

net: openvswitch: remove never-working support for setting nsh fields

Summary

In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: remove never-working support for setting nsh fields The validation of the set(nsh(...)) action is completely wrong. It runs through the nsh_key_put_from_nlattr() function that is the same function that validates NSH keys for the flow match and the push_nsh() action. However, the set(nsh(...)) has a very different memory layout. Nested attributes in there are doubled in size in case of the masked set(). That makes proper validation impossible. There is also confusion in the code between the 'masked' flag, that says that the nested attributes are doubled in size containing both the value and the mask, and the 'is_mask' that says that the value we're parsing is the mask. This is causing kernel crash on trying to write into mask part of the match with SW_FLOW_KEY_PUT() during validation, while validate_nsh() doesn't allocate any memory for it: BUG: kernel NULL pointer dereference, address: 0000000000000018 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary) RIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch] Call Trace: <TASK> validate_nsh+0x60/0x90 [openvswitch] validate_set.constprop.0+0x270/0x3c0 [openvswitch] __ovs_nla_copy_actions+0x477/0x860 [openvswitch] ovs_nla_copy_actions+0x8d/0x100 [openvswitch] ovs_packet_cmd_execute+0x1cc/0x310 [openvswitch] genl_family_rcv_msg_doit+0xdb/0x130 genl_family_rcv_msg+0x14b/0x220 genl_rcv_msg+0x47/0xa0 netlink_rcv_skb+0x53/0x100 genl_rcv+0x24/0x40 netlink_unicast+0x280/0x3b0 netlink_sendmsg+0x1f7/0x430 ____sys_sendmsg+0x36b/0x3a0 ___sys_sendmsg+0x87/0xd0 __sys_sendmsg+0x6d/0xd0 do_syscall_64+0x7b/0x2c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e The third issue with this process is that while trying to convert the non-masked set into masked one, validate_set() copies and doubles the size of the OVS_KEY_ATTR_NSH as if it didn't have any nested attributes. It should be copying each nested attribute and doubling them in size independently. And the process must be properly reversed during the conversion back from masked to a non-masked variant during the flow dump. In the end, the only two outcomes of trying to use this action are either validation failure or a kernel crash. And if somehow someone manages to install a flow with such an action, it will most definitely not do what it is supposed to, since all the keys and the masks are mixed up. Fixing all the issues is a complex task as it requires re-writing most of the validation code. Given that and the fact that this functionality never worked since introduction, let's just remove it altogether. It's better to re-introduce it later with a proper implementation instead of trying to fix it in stable releases.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/3415faa1fcb4150f2…
	https://git.kernel.org/stable/c/3d2e7d3b28469081c…
	https://git.kernel.org/stable/c/f95bef5ba0b88d971…
	https://git.kernel.org/stable/c/87d2429381ddcf8cb…
	https://git.kernel.org/stable/c/0b903f33c31c82b1c…
	https://git.kernel.org/stable/c/9c61d8fe1350b7322…
	https://git.kernel.org/stable/c/4689ba45296dbb3a4…
	https://git.kernel.org/stable/c/dfe28c4167a9259fc…

Impacted products

Vendor

Product

Version

Linux

Affected: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 , < 3415faa1fcb4150f29a72c5ecf959339d797feb7 (git)
Affected: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 , < 3d2e7d3b28469081ccf08301df07cc411a1cc5e9 (git)
Affected: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 , < f95bef5ba0b88d971b02c776f24bd17544930a3a (git)
Affected: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 , < 87d2429381ddcf8cbd30c8c36793a4f7916d5f99 (git)
Affected: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 , < 0b903f33c31c82b1c3591279fd8a23893802b987 (git)
Affected: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 , < 9c61d8fe1350b7322f4953318165d6719c3b1475 (git)
Affected: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 , < 4689ba45296dbb3a47e70a1bc2ed0328263e48f3 (git)
Affected: b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3 , < dfe28c4167a9259fc0c372d9f9473e1ac95cff67 (git)

Linux

Affected: 4.15
Unaffected: 0 , < 4.15 (semver)
Unaffected: 5.4.302 , ≤ 5.4.* (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.118 , ≤ 6.6.* (semver)
Unaffected: 6.12.60 , ≤ 6.12.* (semver)
Unaffected: 6.17.10 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/openvswitch/actions.c",
            "net/openvswitch/flow_netlink.c",
            "net/openvswitch/flow_netlink.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3415faa1fcb4150f29a72c5ecf959339d797feb7",
              "status": "affected",
              "version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
              "versionType": "git"
            },
            {
              "lessThan": "3d2e7d3b28469081ccf08301df07cc411a1cc5e9",
              "status": "affected",
              "version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
              "versionType": "git"
            },
            {
              "lessThan": "f95bef5ba0b88d971b02c776f24bd17544930a3a",
              "status": "affected",
              "version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
              "versionType": "git"
            },
            {
              "lessThan": "87d2429381ddcf8cbd30c8c36793a4f7916d5f99",
              "status": "affected",
              "version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
              "versionType": "git"
            },
            {
              "lessThan": "0b903f33c31c82b1c3591279fd8a23893802b987",
              "status": "affected",
              "version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
              "versionType": "git"
            },
            {
              "lessThan": "9c61d8fe1350b7322f4953318165d6719c3b1475",
              "status": "affected",
              "version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
              "versionType": "git"
            },
            {
              "lessThan": "4689ba45296dbb3a47e70a1bc2ed0328263e48f3",
              "status": "affected",
              "version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
              "versionType": "git"
            },
            {
              "lessThan": "dfe28c4167a9259fc0c372d9f9473e1ac95cff67",
              "status": "affected",
              "version": "b2d0f5d5dc53532e6f07bc546a476a55ebdfe0f3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/openvswitch/actions.c",
            "net/openvswitch/flow_netlink.c",
            "net/openvswitch/flow_netlink.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.15"
            },
            {
              "lessThan": "4.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.302",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.118",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.60",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.302",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.118",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.60",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.10",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: remove never-working support for setting nsh fields\n\nThe validation of the set(nsh(...)) action is completely wrong.\nIt runs through the nsh_key_put_from_nlattr() function that is the\nsame function that validates NSH keys for the flow match and the\npush_nsh() action.  However, the set(nsh(...)) has a very different\nmemory layout.  Nested attributes in there are doubled in size in\ncase of the masked set().  That makes proper validation impossible.\n\nThere is also confusion in the code between the \u0027masked\u0027 flag, that\nsays that the nested attributes are doubled in size containing both\nthe value and the mask, and the \u0027is_mask\u0027 that says that the value\nwe\u0027re parsing is the mask.  This is causing kernel crash on trying to\nwrite into mask part of the match with SW_FLOW_KEY_PUT() during\nvalidation, while validate_nsh() doesn\u0027t allocate any memory for it:\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000018\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0\n  Oops: Oops: 0000 [#1] SMP NOPTI\n  CPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary)\n  RIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch]\n  Call Trace:\n   \u003cTASK\u003e\n   validate_nsh+0x60/0x90 [openvswitch]\n   validate_set.constprop.0+0x270/0x3c0 [openvswitch]\n   __ovs_nla_copy_actions+0x477/0x860 [openvswitch]\n   ovs_nla_copy_actions+0x8d/0x100 [openvswitch]\n   ovs_packet_cmd_execute+0x1cc/0x310 [openvswitch]\n   genl_family_rcv_msg_doit+0xdb/0x130\n   genl_family_rcv_msg+0x14b/0x220\n   genl_rcv_msg+0x47/0xa0\n   netlink_rcv_skb+0x53/0x100\n   genl_rcv+0x24/0x40\n   netlink_unicast+0x280/0x3b0\n   netlink_sendmsg+0x1f7/0x430\n   ____sys_sendmsg+0x36b/0x3a0\n   ___sys_sendmsg+0x87/0xd0\n   __sys_sendmsg+0x6d/0xd0\n   do_syscall_64+0x7b/0x2c0\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nThe third issue with this process is that while trying to convert\nthe non-masked set into masked one, validate_set() copies and doubles\nthe size of the OVS_KEY_ATTR_NSH as if it didn\u0027t have any nested\nattributes.  It should be copying each nested attribute and doubling\nthem in size independently.  And the process must be properly reversed\nduring the conversion back from masked to a non-masked variant during\nthe flow dump.\n\nIn the end, the only two outcomes of trying to use this action are\neither validation failure or a kernel crash.  And if somehow someone\nmanages to install a flow with such an action, it will most definitely\nnot do what it is supposed to, since all the keys and the masks are\nmixed up.\n\nFixing all the issues is a complex task as it requires re-writing\nmost of the validation code.\n\nGiven that and the fact that this functionality never worked since\nintroduction, let\u0027s just remove it altogether.  It\u0027s better to\nre-introduce it later with a proper implementation instead of trying\nto fix it in stable releases."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-06T21:38:52.361Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3415faa1fcb4150f29a72c5ecf959339d797feb7"
        },
        {
          "url": "https://git.kernel.org/stable/c/3d2e7d3b28469081ccf08301df07cc411a1cc5e9"
        },
        {
          "url": "https://git.kernel.org/stable/c/f95bef5ba0b88d971b02c776f24bd17544930a3a"
        },
        {
          "url": "https://git.kernel.org/stable/c/87d2429381ddcf8cbd30c8c36793a4f7916d5f99"
        },
        {
          "url": "https://git.kernel.org/stable/c/0b903f33c31c82b1c3591279fd8a23893802b987"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c61d8fe1350b7322f4953318165d6719c3b1475"
        },
        {
          "url": "https://git.kernel.org/stable/c/4689ba45296dbb3a47e70a1bc2ed0328263e48f3"
        },
        {
          "url": "https://git.kernel.org/stable/c/dfe28c4167a9259fc0c372d9f9473e1ac95cff67"
        }
      ],
      "title": "net: openvswitch: remove never-working support for setting nsh fields",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40254",
    "datePublished": "2025-12-04T16:08:16.305Z",
    "dateReserved": "2025-04-16T07:20:57.181Z",
    "dateUpdated": "2025-12-06T21:38:52.361Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40276 (GCVE-0-2025-40276)

Vulnerability from cvelistv5 – Published: 2025-12-06 21:50 – Updated: 2026-01-08 09:50

Title

drm/panthor: Flush shmem writes before mapping buffers CPU-uncached

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Flush shmem writes before mapping buffers CPU-uncached The shmem layer zeroes out the new pages using cached mappings, and if we don't CPU-flush we might leave dirty cachelines behind, leading to potential data leaks and/or asynchronous buffer corruption when dirty cachelines are evicted.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/8355eea2a2e9c3230…
	https://git.kernel.org/stable/c/7a12f9c96d06b1455…
	https://git.kernel.org/stable/c/576c930e5e7dcb937…

Impacted products

Vendor

Product

Version

Linux

Affected: 8a1cc07578bf42d85f008316873d710ff684dd29 , < 8355eea2a2e9c323021dfdcb95d7767d382123c4 (git)
Affected: 8a1cc07578bf42d85f008316873d710ff684dd29 , < 7a12f9c96d06b145562f76ffb20369b4692f0911 (git)
Affected: 8a1cc07578bf42d85f008316873d710ff684dd29 , < 576c930e5e7dcb937648490611a83f1bf0171048 (git)

Linux

Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.12.64 , ≤ 6.12.* (semver)
Unaffected: 6.17.9 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/panthor/panthor_gem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8355eea2a2e9c323021dfdcb95d7767d382123c4",
              "status": "affected",
              "version": "8a1cc07578bf42d85f008316873d710ff684dd29",
              "versionType": "git"
            },
            {
              "lessThan": "7a12f9c96d06b145562f76ffb20369b4692f0911",
              "status": "affected",
              "version": "8a1cc07578bf42d85f008316873d710ff684dd29",
              "versionType": "git"
            },
            {
              "lessThan": "576c930e5e7dcb937648490611a83f1bf0171048",
              "status": "affected",
              "version": "8a1cc07578bf42d85f008316873d710ff684dd29",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/panthor/panthor_gem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.64",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panthor: Flush shmem writes before mapping buffers CPU-uncached\n\nThe shmem layer zeroes out the new pages using cached mappings, and if\nwe don\u0027t CPU-flush we might leave dirty cachelines behind, leading to\npotential data leaks and/or asynchronous buffer corruption when dirty\ncachelines are evicted."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-08T09:50:20.169Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8355eea2a2e9c323021dfdcb95d7767d382123c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/7a12f9c96d06b145562f76ffb20369b4692f0911"
        },
        {
          "url": "https://git.kernel.org/stable/c/576c930e5e7dcb937648490611a83f1bf0171048"
        }
      ],
      "title": "drm/panthor: Flush shmem writes before mapping buffers CPU-uncached",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40276",
    "datePublished": "2025-12-06T21:50:59.035Z",
    "dateReserved": "2025-04-16T07:20:57.184Z",
    "dateUpdated": "2026-01-08T09:50:20.169Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68740 (GCVE-0-2025-68740)

Vulnerability from cvelistv5 – Published: 2025-12-24 12:09 – Updated: 2026-01-19 12:18

Title

ima: Handle error code returned by ima_filter_rule_match()

Summary

In the Linux kernel, the following vulnerability has been resolved: ima: Handle error code returned by ima_filter_rule_match() In ima_match_rules(), if ima_filter_rule_match() returns -ENOENT due to the rule being NULL, the function incorrectly skips the 'if (!rc)' check and sets 'result = true'. The LSM rule is considered a match, causing extra files to be measured by IMA. This issue can be reproduced in the following scenario: After unloading the SELinux policy module via 'semodule -d', if an IMA measurement is triggered before ima_lsm_rules is updated, in ima_match_rules(), the first call to ima_filter_rule_match() returns -ESTALE. This causes the code to enter the 'if (rc == -ESTALE && !rule_reinitialized)' block, perform ima_lsm_copy_rule() and retry. In ima_lsm_copy_rule(), since the SELinux module has been removed, the rule becomes NULL, and the second call to ima_filter_rule_match() returns -ENOENT. This bypasses the 'if (!rc)' check and results in a false match. Call trace: selinux_audit_rule_match+0x310/0x3b8 security_audit_rule_match+0x60/0xa0 ima_match_rules+0x2e4/0x4a0 ima_match_policy+0x9c/0x1e8 ima_get_action+0x48/0x60 process_measurement+0xf8/0xa98 ima_bprm_check+0x98/0xd8 security_bprm_check+0x5c/0x78 search_binary_handler+0x6c/0x318 exec_binprm+0x58/0x1b8 bprm_execve+0xb8/0x130 do_execveat_common.isra.0+0x1a8/0x258 __arm64_sys_execve+0x48/0x68 invoke_syscall+0x50/0x128 el0_svc_common.constprop.0+0xc8/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x44/0x200 el0t_64_sync_handler+0x100/0x130 el0t_64_sync+0x3c8/0x3d0 Fix this by changing 'if (!rc)' to 'if (rc <= 0)' to ensure that error codes like -ENOENT do not bypass the check and accidentally result in a successful match.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d14e0ec6a6828ee0d…
	https://git.kernel.org/stable/c/f2f4627b74c120fcd…
	https://git.kernel.org/stable/c/88cd5fbf5869731be…
	https://git.kernel.org/stable/c/cca3e7df3c0f99542…
	https://git.kernel.org/stable/c/c2238d487a640ae35…
	https://git.kernel.org/stable/c/de4431faf308d0c53…
	https://git.kernel.org/stable/c/32952c4f4d1b2deb3…
	https://git.kernel.org/stable/c/738c9738e690f5cea…

Impacted products

Vendor

Product

Version

Linux

Affected: 4af4662fa4a9dc62289c580337ae2506339c4729 , < d14e0ec6a6828ee0dffa163fb5d513c9a21f0a51 (git)
Affected: 4af4662fa4a9dc62289c580337ae2506339c4729 , < f2f4627b74c120fcdd8e1db93bc91f9bbaf46f85 (git)
Affected: 4af4662fa4a9dc62289c580337ae2506339c4729 , < 88cd5fbf5869731be8fc6f7cecb4e0d6ab3d8749 (git)
Affected: 4af4662fa4a9dc62289c580337ae2506339c4729 , < cca3e7df3c0f99542033657ba850b9a6d27f8784 (git)
Affected: 4af4662fa4a9dc62289c580337ae2506339c4729 , < c2238d487a640ae3511e1b6f4640ab27ce10d7f6 (git)
Affected: 4af4662fa4a9dc62289c580337ae2506339c4729 , < de4431faf308d0c533cb386f5fa9af009bc86158 (git)
Affected: 4af4662fa4a9dc62289c580337ae2506339c4729 , < 32952c4f4d1b2deb30dce72ba109da808a9018e1 (git)
Affected: 4af4662fa4a9dc62289c580337ae2506339c4729 , < 738c9738e690f5cea24a3ad6fd2d9a323cf614f6 (git)

Linux

Affected: 2.6.30
Unaffected: 0 , < 2.6.30 (semver)
Unaffected: 5.10.248 , ≤ 5.10.* (semver)
Unaffected: 5.15.198 , ≤ 5.15.* (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.63 , ≤ 6.12.* (semver)
Unaffected: 6.17.13 , ≤ 6.17.* (semver)
Unaffected: 6.18.2 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "security/integrity/ima/ima_policy.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d14e0ec6a6828ee0dffa163fb5d513c9a21f0a51",
              "status": "affected",
              "version": "4af4662fa4a9dc62289c580337ae2506339c4729",
              "versionType": "git"
            },
            {
              "lessThan": "f2f4627b74c120fcdd8e1db93bc91f9bbaf46f85",
              "status": "affected",
              "version": "4af4662fa4a9dc62289c580337ae2506339c4729",
              "versionType": "git"
            },
            {
              "lessThan": "88cd5fbf5869731be8fc6f7cecb4e0d6ab3d8749",
              "status": "affected",
              "version": "4af4662fa4a9dc62289c580337ae2506339c4729",
              "versionType": "git"
            },
            {
              "lessThan": "cca3e7df3c0f99542033657ba850b9a6d27f8784",
              "status": "affected",
              "version": "4af4662fa4a9dc62289c580337ae2506339c4729",
              "versionType": "git"
            },
            {
              "lessThan": "c2238d487a640ae3511e1b6f4640ab27ce10d7f6",
              "status": "affected",
              "version": "4af4662fa4a9dc62289c580337ae2506339c4729",
              "versionType": "git"
            },
            {
              "lessThan": "de4431faf308d0c533cb386f5fa9af009bc86158",
              "status": "affected",
              "version": "4af4662fa4a9dc62289c580337ae2506339c4729",
              "versionType": "git"
            },
            {
              "lessThan": "32952c4f4d1b2deb30dce72ba109da808a9018e1",
              "status": "affected",
              "version": "4af4662fa4a9dc62289c580337ae2506339c4729",
              "versionType": "git"
            },
            {
              "lessThan": "738c9738e690f5cea24a3ad6fd2d9a323cf614f6",
              "status": "affected",
              "version": "4af4662fa4a9dc62289c580337ae2506339c4729",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "security/integrity/ima/ima_policy.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.30"
            },
            {
              "lessThan": "2.6.30",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.248",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.63",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.248",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.198",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.63",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.13",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.2",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nima: Handle error code returned by ima_filter_rule_match()\n\nIn ima_match_rules(), if ima_filter_rule_match() returns -ENOENT due to\nthe rule being NULL, the function incorrectly skips the \u0027if (!rc)\u0027 check\nand sets \u0027result = true\u0027. The LSM rule is considered a match, causing\nextra files to be measured by IMA.\n\nThis issue can be reproduced in the following scenario:\nAfter unloading the SELinux policy module via \u0027semodule -d\u0027, if an IMA\nmeasurement is triggered before ima_lsm_rules is updated,\nin ima_match_rules(), the first call to ima_filter_rule_match() returns\n-ESTALE. This causes the code to enter the \u0027if (rc == -ESTALE \u0026\u0026\n!rule_reinitialized)\u0027 block, perform ima_lsm_copy_rule() and retry. In\nima_lsm_copy_rule(), since the SELinux module has been removed, the rule\nbecomes NULL, and the second call to ima_filter_rule_match() returns\n-ENOENT. This bypasses the \u0027if (!rc)\u0027 check and results in a false match.\n\nCall trace:\n  selinux_audit_rule_match+0x310/0x3b8\n  security_audit_rule_match+0x60/0xa0\n  ima_match_rules+0x2e4/0x4a0\n  ima_match_policy+0x9c/0x1e8\n  ima_get_action+0x48/0x60\n  process_measurement+0xf8/0xa98\n  ima_bprm_check+0x98/0xd8\n  security_bprm_check+0x5c/0x78\n  search_binary_handler+0x6c/0x318\n  exec_binprm+0x58/0x1b8\n  bprm_execve+0xb8/0x130\n  do_execveat_common.isra.0+0x1a8/0x258\n  __arm64_sys_execve+0x48/0x68\n  invoke_syscall+0x50/0x128\n  el0_svc_common.constprop.0+0xc8/0xf0\n  do_el0_svc+0x24/0x38\n  el0_svc+0x44/0x200\n  el0t_64_sync_handler+0x100/0x130\n  el0t_64_sync+0x3c8/0x3d0\n\nFix this by changing \u0027if (!rc)\u0027 to \u0027if (rc \u003c= 0)\u0027 to ensure that error\ncodes like -ENOENT do not bypass the check and accidentally result in a\nsuccessful match."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-19T12:18:41.479Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d14e0ec6a6828ee0dffa163fb5d513c9a21f0a51"
        },
        {
          "url": "https://git.kernel.org/stable/c/f2f4627b74c120fcdd8e1db93bc91f9bbaf46f85"
        },
        {
          "url": "https://git.kernel.org/stable/c/88cd5fbf5869731be8fc6f7cecb4e0d6ab3d8749"
        },
        {
          "url": "https://git.kernel.org/stable/c/cca3e7df3c0f99542033657ba850b9a6d27f8784"
        },
        {
          "url": "https://git.kernel.org/stable/c/c2238d487a640ae3511e1b6f4640ab27ce10d7f6"
        },
        {
          "url": "https://git.kernel.org/stable/c/de4431faf308d0c533cb386f5fa9af009bc86158"
        },
        {
          "url": "https://git.kernel.org/stable/c/32952c4f4d1b2deb30dce72ba109da808a9018e1"
        },
        {
          "url": "https://git.kernel.org/stable/c/738c9738e690f5cea24a3ad6fd2d9a323cf614f6"
        }
      ],
      "title": "ima: Handle error code returned by ima_filter_rule_match()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68740",
    "datePublished": "2025-12-24T12:09:37.971Z",
    "dateReserved": "2025-12-24T10:30:51.030Z",
    "dateUpdated": "2026-01-19T12:18:41.479Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68176 (GCVE-0-2025-68176)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:42 – Updated: 2026-01-02 15:34

Title

PCI: cadence: Check for the existence of cdns_pcie::ops before using it

Summary

In the Linux kernel, the following vulnerability has been resolved: PCI: cadence: Check for the existence of cdns_pcie::ops before using it cdns_pcie::ops might not be populated by all the Cadence glue drivers. This is going to be true for the upcoming Sophgo platform which doesn't set the ops. Hence, add a check to prevent NULL pointer dereference. [mani: reworded subject and description]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d5dbe92ac8a4ca622…
	https://git.kernel.org/stable/c/eb3d29ca0820fa3d7…
	https://git.kernel.org/stable/c/0d0bb756f002810d2…
	https://git.kernel.org/stable/c/1810b2fd7375de88a…
	https://git.kernel.org/stable/c/953eb3796ef06b8ea…
	https://git.kernel.org/stable/c/363448d069e29685c…
	https://git.kernel.org/stable/c/49a6c160ad4812476…

Impacted products

Vendor

Product

Version

Linux

Affected: 40d957e6f9eb3a8a585007b8b730340c829afbdb , < d5dbe92ac8a4ca6226093241f95f9cb1b0d2e0e1 (git)
Affected: 40d957e6f9eb3a8a585007b8b730340c829afbdb , < eb3d29ca0820fa3d7cccad47d2da56c9ab5469ed (git)
Affected: 40d957e6f9eb3a8a585007b8b730340c829afbdb , < 0d0bb756f002810d249caee51f3f1c309f3cdab5 (git)
Affected: 40d957e6f9eb3a8a585007b8b730340c829afbdb , < 1810b2fd7375de88a74976dcd402b29088e479ed (git)
Affected: 40d957e6f9eb3a8a585007b8b730340c829afbdb , < 953eb3796ef06b8ea3bf6bdde14156255bc75866 (git)
Affected: 40d957e6f9eb3a8a585007b8b730340c829afbdb , < 363448d069e29685ca37a118065121e486387af3 (git)
Affected: 40d957e6f9eb3a8a585007b8b730340c829afbdb , < 49a6c160ad4812476f8ae1a8f4ed6d15adfa6c09 (git)

Linux

Affected: 5.9
Unaffected: 0 , < 5.9 (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/pci/controller/cadence/pcie-cadence-host.c",
            "drivers/pci/controller/cadence/pcie-cadence.c",
            "drivers/pci/controller/cadence/pcie-cadence.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d5dbe92ac8a4ca6226093241f95f9cb1b0d2e0e1",
              "status": "affected",
              "version": "40d957e6f9eb3a8a585007b8b730340c829afbdb",
              "versionType": "git"
            },
            {
              "lessThan": "eb3d29ca0820fa3d7cccad47d2da56c9ab5469ed",
              "status": "affected",
              "version": "40d957e6f9eb3a8a585007b8b730340c829afbdb",
              "versionType": "git"
            },
            {
              "lessThan": "0d0bb756f002810d249caee51f3f1c309f3cdab5",
              "status": "affected",
              "version": "40d957e6f9eb3a8a585007b8b730340c829afbdb",
              "versionType": "git"
            },
            {
              "lessThan": "1810b2fd7375de88a74976dcd402b29088e479ed",
              "status": "affected",
              "version": "40d957e6f9eb3a8a585007b8b730340c829afbdb",
              "versionType": "git"
            },
            {
              "lessThan": "953eb3796ef06b8ea3bf6bdde14156255bc75866",
              "status": "affected",
              "version": "40d957e6f9eb3a8a585007b8b730340c829afbdb",
              "versionType": "git"
            },
            {
              "lessThan": "363448d069e29685ca37a118065121e486387af3",
              "status": "affected",
              "version": "40d957e6f9eb3a8a585007b8b730340c829afbdb",
              "versionType": "git"
            },
            {
              "lessThan": "49a6c160ad4812476f8ae1a8f4ed6d15adfa6c09",
              "status": "affected",
              "version": "40d957e6f9eb3a8a585007b8b730340c829afbdb",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/pci/controller/cadence/pcie-cadence-host.c",
            "drivers/pci/controller/cadence/pcie-cadence.c",
            "drivers/pci/controller/cadence/pcie-cadence.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.9"
            },
            {
              "lessThan": "5.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: cadence: Check for the existence of cdns_pcie::ops before using it\n\ncdns_pcie::ops might not be populated by all the Cadence glue drivers. This\nis going to be true for the upcoming Sophgo platform which doesn\u0027t set the\nops.\n\nHence, add a check to prevent NULL pointer dereference.\n\n[mani: reworded subject and description]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:34:04.730Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d5dbe92ac8a4ca6226093241f95f9cb1b0d2e0e1"
        },
        {
          "url": "https://git.kernel.org/stable/c/eb3d29ca0820fa3d7cccad47d2da56c9ab5469ed"
        },
        {
          "url": "https://git.kernel.org/stable/c/0d0bb756f002810d249caee51f3f1c309f3cdab5"
        },
        {
          "url": "https://git.kernel.org/stable/c/1810b2fd7375de88a74976dcd402b29088e479ed"
        },
        {
          "url": "https://git.kernel.org/stable/c/953eb3796ef06b8ea3bf6bdde14156255bc75866"
        },
        {
          "url": "https://git.kernel.org/stable/c/363448d069e29685ca37a118065121e486387af3"
        },
        {
          "url": "https://git.kernel.org/stable/c/49a6c160ad4812476f8ae1a8f4ed6d15adfa6c09"
        }
      ],
      "title": "PCI: cadence: Check for the existence of cdns_pcie::ops before using it",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68176",
    "datePublished": "2025-12-16T13:42:55.616Z",
    "dateReserved": "2025-12-16T13:41:40.251Z",
    "dateUpdated": "2026-01-02T15:34:04.730Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50630 (GCVE-0-2022-50630)

Vulnerability from cvelistv5 – Published: 2025-12-08 01:16 – Updated: 2025-12-08 01:16

Title

mm: hugetlb: fix UAF in hugetlb_handle_userfault

Summary

In the Linux kernel, the following vulnerability has been resolved: mm: hugetlb: fix UAF in hugetlb_handle_userfault The vma_lock and hugetlb_fault_mutex are dropped before handling userfault and reacquire them again after handle_userfault(), but reacquire the vma_lock could lead to UAF[1,2] due to the following race, hugetlb_fault hugetlb_no_page /*unlock vma_lock */ hugetlb_handle_userfault handle_userfault /* unlock mm->mmap_lock*/ vm_mmap_pgoff do_mmap mmap_region munmap_vma_range /* clean old vma */ /* lock vma_lock again <--- UAF */ /* unlock vma_lock */ Since the vma_lock will unlock immediately after hugetlb_handle_userfault(), let's drop the unneeded lock and unlock in hugetlb_handle_userfault() to fix the issue. [1] https://lore.kernel.org/linux-mm/000000000000d5e00a05e834962e@google.com/ [2] https://lore.kernel.org/linux-mm/20220921014457.1668-1-liuzixian4@huawei.com/

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/45c33966759ea1b40…
	https://git.kernel.org/stable/c/0db2efb3bff879566…
	https://git.kernel.org/stable/c/dd691973f67b2800a…
	https://git.kernel.org/stable/c/78504bcedb2f1bbfb…
	https://git.kernel.org/stable/c/958f32ce832ba781a…

Impacted products

Vendor

Product

Version

Linux

Affected: 1a1aad8a9b7bd34f60cdf98cd7915f00ae892c45 , < 45c33966759ea1b4040c08dacda99ef623c0ca29 (git)
Affected: 1a1aad8a9b7bd34f60cdf98cd7915f00ae892c45 , < 0db2efb3bff879566f05341d94c3de00ac95c4cc (git)
Affected: 1a1aad8a9b7bd34f60cdf98cd7915f00ae892c45 , < dd691973f67b2800a97db723b1ff6f07fdcf7f5a (git)
Affected: 1a1aad8a9b7bd34f60cdf98cd7915f00ae892c45 , < 78504bcedb2f1bbfb353b4d233c24d641c4dda33 (git)
Affected: 1a1aad8a9b7bd34f60cdf98cd7915f00ae892c45 , < 958f32ce832ba781ac20e11bb2d12a9352ea28fc (git)

Linux

Affected: 4.11
Unaffected: 0 , < 4.11 (semver)
Unaffected: 5.10.150 , ≤ 5.10.* (semver)
Unaffected: 5.15.75 , ≤ 5.15.* (semver)
Unaffected: 5.19.17 , ≤ 5.19.* (semver)
Unaffected: 6.0.3 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/hugetlb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "45c33966759ea1b4040c08dacda99ef623c0ca29",
              "status": "affected",
              "version": "1a1aad8a9b7bd34f60cdf98cd7915f00ae892c45",
              "versionType": "git"
            },
            {
              "lessThan": "0db2efb3bff879566f05341d94c3de00ac95c4cc",
              "status": "affected",
              "version": "1a1aad8a9b7bd34f60cdf98cd7915f00ae892c45",
              "versionType": "git"
            },
            {
              "lessThan": "dd691973f67b2800a97db723b1ff6f07fdcf7f5a",
              "status": "affected",
              "version": "1a1aad8a9b7bd34f60cdf98cd7915f00ae892c45",
              "versionType": "git"
            },
            {
              "lessThan": "78504bcedb2f1bbfb353b4d233c24d641c4dda33",
              "status": "affected",
              "version": "1a1aad8a9b7bd34f60cdf98cd7915f00ae892c45",
              "versionType": "git"
            },
            {
              "lessThan": "958f32ce832ba781ac20e11bb2d12a9352ea28fc",
              "status": "affected",
              "version": "1a1aad8a9b7bd34f60cdf98cd7915f00ae892c45",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/hugetlb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.11"
            },
            {
              "lessThan": "4.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.150",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.75",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: hugetlb: fix UAF in hugetlb_handle_userfault\n\nThe vma_lock and hugetlb_fault_mutex are dropped before handling userfault\nand reacquire them again after handle_userfault(), but reacquire the\nvma_lock could lead to UAF[1,2] due to the following race,\n\nhugetlb_fault\n  hugetlb_no_page\n    /*unlock vma_lock */\n    hugetlb_handle_userfault\n      handle_userfault\n        /* unlock mm-\u003emmap_lock*/\n                                           vm_mmap_pgoff\n                                             do_mmap\n                                               mmap_region\n                                                 munmap_vma_range\n                                                   /* clean old vma */\n        /* lock vma_lock again  \u003c--- UAF */\n    /* unlock vma_lock */\n\nSince the vma_lock will unlock immediately after\nhugetlb_handle_userfault(), let\u0027s drop the unneeded lock and unlock in\nhugetlb_handle_userfault() to fix the issue.\n\n[1] https://lore.kernel.org/linux-mm/000000000000d5e00a05e834962e@google.com/\n[2] https://lore.kernel.org/linux-mm/20220921014457.1668-1-liuzixian4@huawei.com/"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-08T01:16:45.555Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/45c33966759ea1b4040c08dacda99ef623c0ca29"
        },
        {
          "url": "https://git.kernel.org/stable/c/0db2efb3bff879566f05341d94c3de00ac95c4cc"
        },
        {
          "url": "https://git.kernel.org/stable/c/dd691973f67b2800a97db723b1ff6f07fdcf7f5a"
        },
        {
          "url": "https://git.kernel.org/stable/c/78504bcedb2f1bbfb353b4d233c24d641c4dda33"
        },
        {
          "url": "https://git.kernel.org/stable/c/958f32ce832ba781ac20e11bb2d12a9352ea28fc"
        }
      ],
      "title": "mm: hugetlb: fix UAF in hugetlb_handle_userfault",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50630",
    "datePublished": "2025-12-08T01:16:45.555Z",
    "dateReserved": "2025-12-08T01:14:55.192Z",
    "dateUpdated": "2025-12-08T01:16:45.555Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40263 (GCVE-0-2025-40263)

Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2026-01-02 15:33

Title

Input: cros_ec_keyb - fix an invalid memory access

Summary

In the Linux kernel, the following vulnerability has been resolved: Input: cros_ec_keyb - fix an invalid memory access If cros_ec_keyb_register_matrix() isn't called (due to `buttons_switches_only`) in cros_ec_keyb_probe(), `ckdev->idev` remains NULL. An invalid memory access is observed in cros_ec_keyb_process() when receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_keyb_work() in such case. Unable to handle kernel read from unreadable memory at virtual address 0000000000000028 ... x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: input_event cros_ec_keyb_work blocking_notifier_call_chain ec_irq_thread It's still unknown about why the kernel receives such malformed event, in any cases, the kernel shouldn't access `ckdev->idev` and friends if the driver doesn't intend to initialize them.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d74864291cb8bd784…
	https://git.kernel.org/stable/c/9cf59f4724a9ee06e…
	https://git.kernel.org/stable/c/6d81068685154535a…
	https://git.kernel.org/stable/c/2d251c15c27e2dd16…
	https://git.kernel.org/stable/c/e08969c4d65ac3129…

Impacted products

Vendor

Product

Version

Linux

Affected: ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0 , < d74864291cb8bd784d44d1d02e87109cf88666bb (git)
Affected: ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0 , < 9cf59f4724a9ee06ebb06c76b8678ac322e850b7 (git)
Affected: ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0 , < 6d81068685154535af06163eb585d6d9663ec7ec (git)
Affected: ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0 , < 2d251c15c27e2dd16d6318425d2f7260cbd47d39 (git)
Affected: ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0 , < e08969c4d65ac31297fcb4d31d4808c789152f68 (git)

Linux

Affected: 5.19
Unaffected: 0 , < 5.19 (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.118 , ≤ 6.6.* (semver)
Unaffected: 6.12.60 , ≤ 6.12.* (semver)
Unaffected: 6.17.10 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/input/keyboard/cros_ec_keyb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d74864291cb8bd784d44d1d02e87109cf88666bb",
              "status": "affected",
              "version": "ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0",
              "versionType": "git"
            },
            {
              "lessThan": "9cf59f4724a9ee06ebb06c76b8678ac322e850b7",
              "status": "affected",
              "version": "ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0",
              "versionType": "git"
            },
            {
              "lessThan": "6d81068685154535af06163eb585d6d9663ec7ec",
              "status": "affected",
              "version": "ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0",
              "versionType": "git"
            },
            {
              "lessThan": "2d251c15c27e2dd16d6318425d2f7260cbd47d39",
              "status": "affected",
              "version": "ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0",
              "versionType": "git"
            },
            {
              "lessThan": "e08969c4d65ac31297fcb4d31d4808c789152f68",
              "status": "affected",
              "version": "ca1eadbfcd36bec73f2a2111c28e8c7e9e8ae6c0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/input/keyboard/cros_ec_keyb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.118",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.60",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.118",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.60",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.10",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: cros_ec_keyb - fix an invalid memory access\n\nIf cros_ec_keyb_register_matrix() isn\u0027t called (due to\n`buttons_switches_only`) in cros_ec_keyb_probe(), `ckdev-\u003eidev` remains\nNULL.  An invalid memory access is observed in cros_ec_keyb_process()\nwhen receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_keyb_work()\nin such case.\n\n  Unable to handle kernel read from unreadable memory at virtual address 0000000000000028\n  ...\n  x3 : 0000000000000000 x2 : 0000000000000000\n  x1 : 0000000000000000 x0 : 0000000000000000\n  Call trace:\n  input_event\n  cros_ec_keyb_work\n  blocking_notifier_call_chain\n  ec_irq_thread\n\nIt\u0027s still unknown about why the kernel receives such malformed event,\nin any cases, the kernel shouldn\u0027t access `ckdev-\u003eidev` and friends if\nthe driver doesn\u0027t intend to initialize them."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:33:17.342Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d74864291cb8bd784d44d1d02e87109cf88666bb"
        },
        {
          "url": "https://git.kernel.org/stable/c/9cf59f4724a9ee06ebb06c76b8678ac322e850b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/6d81068685154535af06163eb585d6d9663ec7ec"
        },
        {
          "url": "https://git.kernel.org/stable/c/2d251c15c27e2dd16d6318425d2f7260cbd47d39"
        },
        {
          "url": "https://git.kernel.org/stable/c/e08969c4d65ac31297fcb4d31d4808c789152f68"
        }
      ],
      "title": "Input: cros_ec_keyb - fix an invalid memory access",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40263",
    "datePublished": "2025-12-04T16:08:23.327Z",
    "dateReserved": "2025-04-16T07:20:57.182Z",
    "dateUpdated": "2026-01-02T15:33:17.342Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40362 (GCVE-0-2025-40362)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:40 – Updated: 2026-01-02 15:33

Title

ceph: fix multifs mds auth caps issue

Summary

In the Linux kernel, the following vulnerability has been resolved: ceph: fix multifs mds auth caps issue The mds auth caps check should also validate the fsname along with the associated caps. Not doing so would result in applying the mds auth caps of one fs on to the other fs in a multifs ceph cluster. The bug causes multiple issues w.r.t user authentication, following is one such example. Steps to Reproduce (on vstart cluster): 1. Create two file systems in a cluster, say 'fsname1' and 'fsname2' 2. Authorize read only permission to the user 'client.usr' on fs 'fsname1' $ceph fs authorize fsname1 client.usr / r 3. Authorize read and write permission to the same user 'client.usr' on fs 'fsname2' $ceph fs authorize fsname2 client.usr / rw 4. Update the keyring $ceph auth get client.usr >> ./keyring With above permssions for the user 'client.usr', following is the expectation. a. The 'client.usr' should be able to only read the contents and not allowed to create or delete files on file system 'fsname1'. b. The 'client.usr' should be able to read/write on file system 'fsname2'. But, with this bug, the 'client.usr' is allowed to read/write on file system 'fsname1'. See below. 5. Mount the file system 'fsname1' with the user 'client.usr' $sudo bin/mount.ceph usr@.fsname1=/ /kmnt_fsname1_usr/ 6. Try creating a file on file system 'fsname1' with user 'client.usr'. This should fail but passes with this bug. $touch /kmnt_fsname1_usr/file1 7. Mount the file system 'fsname1' with the user 'client.admin' and create a file. $sudo bin/mount.ceph admin@.fsname1=/ /kmnt_fsname1_admin $echo "data" > /kmnt_fsname1_admin/admin_file1 8. Try removing an existing file on file system 'fsname1' with the user 'client.usr'. This shoudn't succeed but succeeds with the bug. $rm -f /kmnt_fsname1_usr/admin_file1 For more information, please take a look at the corresponding mds/fuse patch and tests added by looking into the tracker mentioned below. v2: Fix a possible null dereference in doutc v3: Don't store fsname from mdsmap, validate against ceph_mount_options's fsname and use it v4: Code refactor, better warning message and fix possible compiler warning [ Slava.Dubeyko: "fsname check failed" -> "fsname mismatch" ]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/07640d34a781bb2e3…
	https://git.kernel.org/stable/c/ca3da8b27ab9a0923…
	https://git.kernel.org/stable/c/22c73d52a6d05c5a2…

Impacted products

Vendor

Product

Version

Linux

Affected: 596afb0b8933ba6ed7227adcc538db26feb25c74 , < 07640d34a781bb2e39020a39137073c03c4aa932 (git)
Affected: 596afb0b8933ba6ed7227adcc538db26feb25c74 , < ca3da8b27ab9a0923ad477447cfb8fc7f4b4c523 (git)
Affected: 596afb0b8933ba6ed7227adcc538db26feb25c74 , < 22c73d52a6d05c5a2053385c0d6cd9984732799d (git)

Linux

Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ceph/mds_client.c",
            "fs/ceph/mdsmap.c",
            "fs/ceph/super.c",
            "fs/ceph/super.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "07640d34a781bb2e39020a39137073c03c4aa932",
              "status": "affected",
              "version": "596afb0b8933ba6ed7227adcc538db26feb25c74",
              "versionType": "git"
            },
            {
              "lessThan": "ca3da8b27ab9a0923ad477447cfb8fc7f4b4c523",
              "status": "affected",
              "version": "596afb0b8933ba6ed7227adcc538db26feb25c74",
              "versionType": "git"
            },
            {
              "lessThan": "22c73d52a6d05c5a2053385c0d6cd9984732799d",
              "status": "affected",
              "version": "596afb0b8933ba6ed7227adcc538db26feb25c74",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ceph/mds_client.c",
            "fs/ceph/mdsmap.c",
            "fs/ceph/super.c",
            "fs/ceph/super.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix multifs mds auth caps issue\n\nThe mds auth caps check should also validate the\nfsname along with the associated caps. Not doing\nso would result in applying the mds auth caps of\none fs on to the other fs in a multifs ceph cluster.\nThe bug causes multiple issues w.r.t user\nauthentication, following is one such example.\n\nSteps to Reproduce (on vstart cluster):\n1. Create two file systems in a cluster, say \u0027fsname1\u0027 and \u0027fsname2\u0027\n2. Authorize read only permission to the user \u0027client.usr\u0027 on fs \u0027fsname1\u0027\n    $ceph fs authorize fsname1 client.usr / r\n3. Authorize read and write permission to the same user \u0027client.usr\u0027 on fs \u0027fsname2\u0027\n    $ceph fs authorize fsname2 client.usr / rw\n4. Update the keyring\n    $ceph auth get client.usr \u003e\u003e ./keyring\n\nWith above permssions for the user \u0027client.usr\u0027, following is the\nexpectation.\n  a. The \u0027client.usr\u0027 should be able to only read the contents\n     and not allowed to create or delete files on file system \u0027fsname1\u0027.\n  b. The \u0027client.usr\u0027 should be able to read/write on file system \u0027fsname2\u0027.\n\nBut, with this bug, the \u0027client.usr\u0027 is allowed to read/write on file\nsystem \u0027fsname1\u0027. See below.\n\n5. Mount the file system \u0027fsname1\u0027 with the user \u0027client.usr\u0027\n     $sudo bin/mount.ceph usr@.fsname1=/ /kmnt_fsname1_usr/\n6. Try creating a file on file system \u0027fsname1\u0027 with user \u0027client.usr\u0027. This\n   should fail but passes with this bug.\n     $touch /kmnt_fsname1_usr/file1\n7. Mount the file system \u0027fsname1\u0027 with the user \u0027client.admin\u0027 and create a\n   file.\n     $sudo bin/mount.ceph admin@.fsname1=/ /kmnt_fsname1_admin\n     $echo \"data\" \u003e /kmnt_fsname1_admin/admin_file1\n8. Try removing an existing file on file system \u0027fsname1\u0027 with the user\n   \u0027client.usr\u0027. This shoudn\u0027t succeed but succeeds with the bug.\n     $rm -f /kmnt_fsname1_usr/admin_file1\n\nFor more information, please take a look at the corresponding mds/fuse patch\nand tests added by looking into the tracker mentioned below.\n\nv2: Fix a possible null dereference in doutc\nv3: Don\u0027t store fsname from mdsmap, validate against\n    ceph_mount_options\u0027s fsname and use it\nv4: Code refactor, better warning message and\n    fix possible compiler warning\n\n[ Slava.Dubeyko: \"fsname check failed\" -\u003e \"fsname mismatch\" ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:33:55.723Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/07640d34a781bb2e39020a39137073c03c4aa932"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca3da8b27ab9a0923ad477447cfb8fc7f4b4c523"
        },
        {
          "url": "https://git.kernel.org/stable/c/22c73d52a6d05c5a2053385c0d6cd9984732799d"
        }
      ],
      "title": "ceph: fix multifs mds auth caps issue",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40362",
    "datePublished": "2025-12-16T13:40:02.467Z",
    "dateReserved": "2025-04-16T07:20:57.187Z",
    "dateUpdated": "2026-01-02T15:33:55.723Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68194 (GCVE-0-2025-68194)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:43 – Updated: 2026-01-02 15:34

Title

media: imon: make send_packet() more robust

Summary

In the Linux kernel, the following vulnerability has been resolved: media: imon: make send_packet() more robust syzbot is reporting that imon has three problems which result in hung tasks due to forever holding device lock [1]. First problem is that when usb_rx_callback_intf0() once got -EPROTO error after ictx->dev_present_intf0 became true, usb_rx_callback_intf0() resubmits urb after printk(), and resubmitted urb causes usb_rx_callback_intf0() to again get -EPROTO error. This results in printk() flooding (RCU stalls). Alan Stern commented [2] that In theory it's okay to resubmit _if_ the driver has a robust error-recovery scheme (such as giving up after some fixed limit on the number of errors or after some fixed time has elapsed, perhaps with a time delay to prevent a flood of errors). Most drivers don't bother to do this; they simply give up right away. This makes them more vulnerable to short-term noise interference during USB transfers, but in reality such interference is quite rare. There's nothing really wrong with giving up right away. but imon has a poor error-recovery scheme which just retries forever; this behavior should be fixed. Since I'm not sure whether it is safe for imon users to give up upon any error code, this patch takes care of only union of error codes chosen from modules in drivers/media/rc/ directory which handle -EPROTO error (i.e. ir_toy, mceusb and igorplugusb). Second problem is that when usb_rx_callback_intf0() once got -EPROTO error before ictx->dev_present_intf0 becomes true, usb_rx_callback_intf0() always resubmits urb due to commit 8791d63af0cf ("[media] imon: don't wedge hardware after early callbacks"). Move the ictx->dev_present_intf0 test introduced by commit 6f6b90c9231a ("[media] imon: don't parse scancodes until intf configured") to immediately before imon_incoming_packet(), or the first problem explained above happens without printk() flooding (i.e. hung task). Third problem is that when usb_rx_callback_intf0() is not called for some reason (e.g. flaky hardware; the reproducer for this problem sometimes prevents usb_rx_callback_intf0() from being called), wait_for_completion_interruptible() in send_packet() never returns (i.e. hung task). As a workaround for such situation, change send_packet() to wait for completion with timeout of 10 seconds.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/519737af11c035908…
	https://git.kernel.org/stable/c/f58ab83b7b7133e6b…
	https://git.kernel.org/stable/c/26f6a1dd5d81ad61a…
	https://git.kernel.org/stable/c/667afd4681781f60a…
	https://git.kernel.org/stable/c/8231e80118463be55…
	https://git.kernel.org/stable/c/0213e4175abbb9dfc…
	https://git.kernel.org/stable/c/f7f3ecb4934fff782…
	https://git.kernel.org/stable/c/eecd203ada43a4693…

Impacted products

Vendor

Product

Version

Linux

Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < 519737af11c03590819a6eec2ad532cfdb87ea63 (git)
Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < f58ab83b7b7133e6baefe03a46846c4f6ce45e2f (git)
Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < 26f6a1dd5d81ad61a875a747698da6f27abf389b (git)
Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < 667afd4681781f60a644cd0d2ee6c59cb1c36208 (git)
Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < 8231e80118463be5598daaf266c1c83650f1948b (git)
Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < 0213e4175abbb9dfcbf7c197e3817d527f459ad5 (git)
Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < f7f3ecb4934fff782fa9bb1cd16e2290c041b22d (git)
Affected: 21677cfc562a27e099719d413287bc8d1d24deb7 , < eecd203ada43a4693ce6fdd3a58ae10c7819252c (git)

Linux

Affected: 2.6.35
Unaffected: 0 , < 2.6.35 (semver)
Unaffected: 5.4.302 , ≤ 5.4.* (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/rc/imon.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "519737af11c03590819a6eec2ad532cfdb87ea63",
              "status": "affected",
              "version": "21677cfc562a27e099719d413287bc8d1d24deb7",
              "versionType": "git"
            },
            {
              "lessThan": "f58ab83b7b7133e6baefe03a46846c4f6ce45e2f",
              "status": "affected",
              "version": "21677cfc562a27e099719d413287bc8d1d24deb7",
              "versionType": "git"
            },
            {
              "lessThan": "26f6a1dd5d81ad61a875a747698da6f27abf389b",
              "status": "affected",
              "version": "21677cfc562a27e099719d413287bc8d1d24deb7",
              "versionType": "git"
            },
            {
              "lessThan": "667afd4681781f60a644cd0d2ee6c59cb1c36208",
              "status": "affected",
              "version": "21677cfc562a27e099719d413287bc8d1d24deb7",
              "versionType": "git"
            },
            {
              "lessThan": "8231e80118463be5598daaf266c1c83650f1948b",
              "status": "affected",
              "version": "21677cfc562a27e099719d413287bc8d1d24deb7",
              "versionType": "git"
            },
            {
              "lessThan": "0213e4175abbb9dfcbf7c197e3817d527f459ad5",
              "status": "affected",
              "version": "21677cfc562a27e099719d413287bc8d1d24deb7",
              "versionType": "git"
            },
            {
              "lessThan": "f7f3ecb4934fff782fa9bb1cd16e2290c041b22d",
              "status": "affected",
              "version": "21677cfc562a27e099719d413287bc8d1d24deb7",
              "versionType": "git"
            },
            {
              "lessThan": "eecd203ada43a4693ce6fdd3a58ae10c7819252c",
              "status": "affected",
              "version": "21677cfc562a27e099719d413287bc8d1d24deb7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/rc/imon.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.35"
            },
            {
              "lessThan": "2.6.35",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.302",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.302",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: imon: make send_packet() more robust\n\nsyzbot is reporting that imon has three problems which result in\nhung tasks due to forever holding device lock [1].\n\nFirst problem is that when usb_rx_callback_intf0() once got -EPROTO error\nafter ictx-\u003edev_present_intf0 became true, usb_rx_callback_intf0()\nresubmits urb after printk(), and resubmitted urb causes\nusb_rx_callback_intf0() to again get -EPROTO error. This results in\nprintk() flooding (RCU stalls).\n\nAlan Stern commented [2] that\n\n  In theory it\u0027s okay to resubmit _if_ the driver has a robust\n  error-recovery scheme (such as giving up after some fixed limit on the\n  number of errors or after some fixed time has elapsed, perhaps with a\n  time delay to prevent a flood of errors).  Most drivers don\u0027t bother to\n  do this; they simply give up right away.  This makes them more\n  vulnerable to short-term noise interference during USB transfers, but in\n  reality such interference is quite rare.  There\u0027s nothing really wrong\n  with giving up right away.\n\nbut imon has a poor error-recovery scheme which just retries forever;\nthis behavior should be fixed.\n\nSince I\u0027m not sure whether it is safe for imon users to give up upon any\nerror code, this patch takes care of only union of error codes chosen from\nmodules in drivers/media/rc/ directory which handle -EPROTO error (i.e.\nir_toy, mceusb and igorplugusb).\n\nSecond problem is that when usb_rx_callback_intf0() once got -EPROTO error\nbefore ictx-\u003edev_present_intf0 becomes true, usb_rx_callback_intf0() always\nresubmits urb due to commit 8791d63af0cf (\"[media] imon: don\u0027t wedge\nhardware after early callbacks\"). Move the ictx-\u003edev_present_intf0 test\nintroduced by commit 6f6b90c9231a (\"[media] imon: don\u0027t parse scancodes\nuntil intf configured\") to immediately before imon_incoming_packet(), or\nthe first problem explained above happens without printk() flooding (i.e.\nhung task).\n\nThird problem is that when usb_rx_callback_intf0() is not called for some\nreason (e.g. flaky hardware; the reproducer for this problem sometimes\nprevents usb_rx_callback_intf0() from being called),\nwait_for_completion_interruptible() in send_packet() never returns (i.e.\nhung task). As a workaround for such situation, change send_packet() to\nwait for completion with timeout of 10 seconds."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:34:22.965Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/519737af11c03590819a6eec2ad532cfdb87ea63"
        },
        {
          "url": "https://git.kernel.org/stable/c/f58ab83b7b7133e6baefe03a46846c4f6ce45e2f"
        },
        {
          "url": "https://git.kernel.org/stable/c/26f6a1dd5d81ad61a875a747698da6f27abf389b"
        },
        {
          "url": "https://git.kernel.org/stable/c/667afd4681781f60a644cd0d2ee6c59cb1c36208"
        },
        {
          "url": "https://git.kernel.org/stable/c/8231e80118463be5598daaf266c1c83650f1948b"
        },
        {
          "url": "https://git.kernel.org/stable/c/0213e4175abbb9dfcbf7c197e3817d527f459ad5"
        },
        {
          "url": "https://git.kernel.org/stable/c/f7f3ecb4934fff782fa9bb1cd16e2290c041b22d"
        },
        {
          "url": "https://git.kernel.org/stable/c/eecd203ada43a4693ce6fdd3a58ae10c7819252c"
        }
      ],
      "title": "media: imon: make send_packet() more robust",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68194",
    "datePublished": "2025-12-16T13:43:20.525Z",
    "dateReserved": "2025-12-16T13:41:40.253Z",
    "dateUpdated": "2026-01-02T15:34:22.965Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68210 (GCVE-0-2025-68210)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:48 – Updated: 2025-12-16 13:48

Title

erofs: avoid infinite loop due to incomplete zstd-compressed data

Summary

In the Linux kernel, the following vulnerability has been resolved: erofs: avoid infinite loop due to incomplete zstd-compressed data Currently, the decompression logic incorrectly spins if compressed data is truncated in crafted (deliberately corrupted) images.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4d0e0bb1908acac5b…
	https://git.kernel.org/stable/c/1f86d73a0afe43b6a…
	https://git.kernel.org/stable/c/f2a12cc3b97f06218…

Impacted products

Vendor

Product

Version

Linux

Affected: 7c35de4df1056a5a1fb4de042197b8f5b1033b61 , < 4d0e0bb1908acac5b27d30b45c450e8ead97eb00 (git)
Affected: 7c35de4df1056a5a1fb4de042197b8f5b1033b61 , < 1f86d73a0afe43b6a85d2aa8207853350b7e2111 (git)
Affected: 7c35de4df1056a5a1fb4de042197b8f5b1033b61 , < f2a12cc3b97f062186568a7b94ddb7aa2ef68140 (git)

Linux

Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.12.59 , ≤ 6.12.* (semver)
Unaffected: 6.17.9 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/erofs/decompressor_zstd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4d0e0bb1908acac5b27d30b45c450e8ead97eb00",
              "status": "affected",
              "version": "7c35de4df1056a5a1fb4de042197b8f5b1033b61",
              "versionType": "git"
            },
            {
              "lessThan": "1f86d73a0afe43b6a85d2aa8207853350b7e2111",
              "status": "affected",
              "version": "7c35de4df1056a5a1fb4de042197b8f5b1033b61",
              "versionType": "git"
            },
            {
              "lessThan": "f2a12cc3b97f062186568a7b94ddb7aa2ef68140",
              "status": "affected",
              "version": "7c35de4df1056a5a1fb4de042197b8f5b1033b61",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/erofs/decompressor_zstd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: avoid infinite loop due to incomplete zstd-compressed data\n\nCurrently, the decompression logic incorrectly spins if compressed\ndata is truncated in crafted (deliberately corrupted) images."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T13:48:37.072Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4d0e0bb1908acac5b27d30b45c450e8ead97eb00"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f86d73a0afe43b6a85d2aa8207853350b7e2111"
        },
        {
          "url": "https://git.kernel.org/stable/c/f2a12cc3b97f062186568a7b94ddb7aa2ef68140"
        }
      ],
      "title": "erofs: avoid infinite loop due to incomplete zstd-compressed data",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68210",
    "datePublished": "2025-12-16T13:48:37.072Z",
    "dateReserved": "2025-12-16T13:41:40.256Z",
    "dateUpdated": "2025-12-16T13:48:37.072Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40204 (GCVE-0-2025-40204)

Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:20

Title

sctp: Fix MAC comparison to be constant-time

Summary

In the Linux kernel, the following vulnerability has been resolved: sctp: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b93fa8dc521d00d2d…
	https://git.kernel.org/stable/c/0e8b8c326c2a6de4d…
	https://git.kernel.org/stable/c/1cd60e0d0fb8f0e62…
	https://git.kernel.org/stable/c/9c05d44ec24126fc2…
	https://git.kernel.org/stable/c/ed3044b9c810c5c24…
	https://git.kernel.org/stable/c/8019b3699289fce3f…
	https://git.kernel.org/stable/c/0b32ff285ff6f6f1a…
	https://git.kernel.org/stable/c/dd91c79e4f58fbe28…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b93fa8dc521d00d2d44bf034fb90e0d79b036617 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0e8b8c326c2a6de4d837b1bb034ea704f4690d77 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1cd60e0d0fb8f0e62ec4499138afce6342dc9d4c (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9c05d44ec24126fc283835b68f82dba3ae985209 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ed3044b9c810c5c24eb2830053fbfe5fd134c5d4 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8019b3699289fce3f10b63f98601db97b8d105b0 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0b32ff285ff6f6f1ac1d9495787ccce8837d6405 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < dd91c79e4f58fbe2898dac84858033700e0e99fb (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.301 , ≤ 5.4.* (semver)
Unaffected: 5.10.246 , ≤ 5.10.* (semver)
Unaffected: 5.15.195 , ≤ 5.15.* (semver)
Unaffected: 6.1.157 , ≤ 6.1.* (semver)
Unaffected: 6.6.113 , ≤ 6.6.* (semver)
Unaffected: 6.12.54 , ≤ 6.12.* (semver)
Unaffected: 6.17.4 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/sm_make_chunk.c",
            "net/sctp/sm_statefuns.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b93fa8dc521d00d2d44bf034fb90e0d79b036617",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0e8b8c326c2a6de4d837b1bb034ea704f4690d77",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1cd60e0d0fb8f0e62ec4499138afce6342dc9d4c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9c05d44ec24126fc283835b68f82dba3ae985209",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ed3044b9c810c5c24eb2830053fbfe5fd134c5d4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8019b3699289fce3f10b63f98601db97b8d105b0",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0b32ff285ff6f6f1ac1d9495787ccce8837d6405",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "dd91c79e4f58fbe2898dac84858033700e0e99fb",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/sm_make_chunk.c",
            "net/sctp/sm_statefuns.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.301",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.246",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.195",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.157",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.54",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.301",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.246",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.195",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.157",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.113",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.54",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.4",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: Fix MAC comparison to be constant-time\n\nTo prevent timing attacks, MACs need to be compared in constant time.\nUse the appropriate helper function for this."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-01T06:20:07.600Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b93fa8dc521d00d2d44bf034fb90e0d79b036617"
        },
        {
          "url": "https://git.kernel.org/stable/c/0e8b8c326c2a6de4d837b1bb034ea704f4690d77"
        },
        {
          "url": "https://git.kernel.org/stable/c/1cd60e0d0fb8f0e62ec4499138afce6342dc9d4c"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c05d44ec24126fc283835b68f82dba3ae985209"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed3044b9c810c5c24eb2830053fbfe5fd134c5d4"
        },
        {
          "url": "https://git.kernel.org/stable/c/8019b3699289fce3f10b63f98601db97b8d105b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/0b32ff285ff6f6f1ac1d9495787ccce8837d6405"
        },
        {
          "url": "https://git.kernel.org/stable/c/dd91c79e4f58fbe2898dac84858033700e0e99fb"
        }
      ],
      "title": "sctp: Fix MAC comparison to be constant-time",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40204",
    "datePublished": "2025-11-12T21:56:35.110Z",
    "dateReserved": "2025-04-16T07:20:57.179Z",
    "dateUpdated": "2025-12-01T06:20:07.600Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40251 (GCVE-0-2025-40251)

Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-04 16:08

Title

devlink: rate: Unset parent pointer in devl_rate_nodes_destroy

Summary

In the Linux kernel, the following vulnerability has been resolved: devlink: rate: Unset parent pointer in devl_rate_nodes_destroy The function devl_rate_nodes_destroy is documented to "Unset parent for all rate objects". However, it was only calling the driver-specific `rate_leaf_parent_set` or `rate_node_parent_set` ops and decrementing the parent's refcount, without actually setting the `devlink_rate->parent` pointer to NULL. This leaves a dangling pointer in the `devlink_rate` struct, which cause refcount error in netdevsim[1] and mlx5[2]. In addition, this is inconsistent with the behavior of `devlink_nl_rate_parent_node_set`, where the parent pointer is correctly cleared. This patch fixes the issue by explicitly setting `devlink_rate->parent` to NULL after notifying the driver, thus fulfilling the function's documented behavior for all rate objects. [1] repro steps: echo 1 > /sys/bus/netdevsim/new_device devlink dev eswitch set netdevsim/netdevsim1 mode switchdev echo 1 > /sys/bus/netdevsim/devices/netdevsim1/sriov_numvfs devlink port function rate add netdevsim/netdevsim1/test_node devlink port function rate set netdevsim/netdevsim1/128 parent test_node echo 1 > /sys/bus/netdevsim/del_device dmesg: refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 8 PID: 1530 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0 CPU: 8 UID: 0 PID: 1530 Comm: bash Not tainted 6.18.0-rc4+ #1 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:refcount_warn_saturate+0x42/0xe0 Call Trace: <TASK> devl_rate_leaf_destroy+0x8d/0x90 __nsim_dev_port_del+0x6c/0x70 [netdevsim] nsim_dev_reload_destroy+0x11c/0x140 [netdevsim] nsim_drv_remove+0x2b/0xb0 [netdevsim] device_release_driver_internal+0x194/0x1f0 bus_remove_device+0xc6/0x130 device_del+0x159/0x3c0 device_unregister+0x1a/0x60 del_device_store+0x111/0x170 [netdevsim] kernfs_fop_write_iter+0x12e/0x1e0 vfs_write+0x215/0x3d0 ksys_write+0x5f/0xd0 do_syscall_64+0x55/0x10f0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 [2] devlink dev eswitch set pci/0000:08:00.0 mode switchdev devlink port add pci/0000:08:00.0 flavour pcisf pfnum 0 sfnum 1000 devlink port function rate add pci/0000:08:00.0/group1 devlink port function rate set pci/0000:08:00.0/32768 parent group1 modprobe -r mlx5_ib mlx5_fwctl mlx5_core dmesg: refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 7 PID: 16151 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0 CPU: 7 UID: 0 PID: 16151 Comm: bash Not tainted 6.17.0-rc7_for_upstream_min_debug_2025_10_02_12_44 #1 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:refcount_warn_saturate+0x42/0xe0 Call Trace: <TASK> devl_rate_leaf_destroy+0x8d/0x90 mlx5_esw_offloads_devlink_port_unregister+0x33/0x60 [mlx5_core] mlx5_esw_offloads_unload_rep+0x3f/0x50 [mlx5_core] mlx5_eswitch_unload_sf_vport+0x40/0x90 [mlx5_core] mlx5_sf_esw_event+0xc4/0x120 [mlx5_core] notifier_call_chain+0x33/0xa0 blocking_notifier_call_chain+0x3b/0x50 mlx5_eswitch_disable_locked+0x50/0x110 [mlx5_core] mlx5_eswitch_disable+0x63/0x90 [mlx5_core] mlx5_unload+0x1d/0x170 [mlx5_core] mlx5_uninit_one+0xa2/0x130 [mlx5_core] remove_one+0x78/0xd0 [mlx5_core] pci_device_remove+0x39/0xa0 device_release_driver_internal+0x194/0x1f0 unbind_store+0x99/0xa0 kernfs_fop_write_iter+0x12e/0x1e0 vfs_write+0x215/0x3d0 ksys_write+0x5f/0xd0 do_syscall_64+0x53/0x1f0 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/715d9cda646a8a38e…
	https://git.kernel.org/stable/c/c70df6c17d389cc74…
	https://git.kernel.org/stable/c/542f45486f1ce2d2d…
	https://git.kernel.org/stable/c/f94c1a114ac209977…

Impacted products

Vendor

Product

Version

Linux

Affected: d7555984507822458b32a6405881038241d140be , < 715d9cda646a8a38ea8b2bb5afb679a7464055e2 (git)
Affected: d7555984507822458b32a6405881038241d140be , < c70df6c17d389cc743f0eb30160e2d6bc6910db8 (git)
Affected: d7555984507822458b32a6405881038241d140be , < 542f45486f1ce2d2dde75bd85aca0389ef7046c3 (git)
Affected: d7555984507822458b32a6405881038241d140be , < f94c1a114ac209977bdf5ca841b98424295ab1f0 (git)

Linux

Affected: 5.14
Unaffected: 0 , < 5.14 (semver)
Unaffected: 6.6.118 , ≤ 6.6.* (semver)
Unaffected: 6.12.60 , ≤ 6.12.* (semver)
Unaffected: 6.17.10 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/devlink/rate.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "715d9cda646a8a38ea8b2bb5afb679a7464055e2",
              "status": "affected",
              "version": "d7555984507822458b32a6405881038241d140be",
              "versionType": "git"
            },
            {
              "lessThan": "c70df6c17d389cc743f0eb30160e2d6bc6910db8",
              "status": "affected",
              "version": "d7555984507822458b32a6405881038241d140be",
              "versionType": "git"
            },
            {
              "lessThan": "542f45486f1ce2d2dde75bd85aca0389ef7046c3",
              "status": "affected",
              "version": "d7555984507822458b32a6405881038241d140be",
              "versionType": "git"
            },
            {
              "lessThan": "f94c1a114ac209977bdf5ca841b98424295ab1f0",
              "status": "affected",
              "version": "d7555984507822458b32a6405881038241d140be",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/devlink/rate.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.118",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.60",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.118",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.60",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.10",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndevlink: rate: Unset parent pointer in devl_rate_nodes_destroy\n\nThe function devl_rate_nodes_destroy is documented to \"Unset parent for\nall rate objects\". However, it was only calling the driver-specific\n`rate_leaf_parent_set` or `rate_node_parent_set` ops and decrementing\nthe parent\u0027s refcount, without actually setting the\n`devlink_rate-\u003eparent` pointer to NULL.\n\nThis leaves a dangling pointer in the `devlink_rate` struct, which cause\nrefcount error in netdevsim[1] and mlx5[2]. In addition, this is\ninconsistent with the behavior of `devlink_nl_rate_parent_node_set`,\nwhere the parent pointer is correctly cleared.\n\nThis patch fixes the issue by explicitly setting `devlink_rate-\u003eparent`\nto NULL after notifying the driver, thus fulfilling the function\u0027s\ndocumented behavior for all rate objects.\n\n[1]\nrepro steps:\necho 1 \u003e /sys/bus/netdevsim/new_device\ndevlink dev eswitch set netdevsim/netdevsim1 mode switchdev\necho 1 \u003e /sys/bus/netdevsim/devices/netdevsim1/sriov_numvfs\ndevlink port function rate add netdevsim/netdevsim1/test_node\ndevlink port function rate set netdevsim/netdevsim1/128 parent test_node\necho 1 \u003e /sys/bus/netdevsim/del_device\n\ndmesg:\nrefcount_t: decrement hit 0; leaking memory.\nWARNING: CPU: 8 PID: 1530 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0\nCPU: 8 UID: 0 PID: 1530 Comm: bash Not tainted 6.18.0-rc4+ #1 NONE\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x42/0xe0\nCall Trace:\n \u003cTASK\u003e\n devl_rate_leaf_destroy+0x8d/0x90\n __nsim_dev_port_del+0x6c/0x70 [netdevsim]\n nsim_dev_reload_destroy+0x11c/0x140 [netdevsim]\n nsim_drv_remove+0x2b/0xb0 [netdevsim]\n device_release_driver_internal+0x194/0x1f0\n bus_remove_device+0xc6/0x130\n device_del+0x159/0x3c0\n device_unregister+0x1a/0x60\n del_device_store+0x111/0x170 [netdevsim]\n kernfs_fop_write_iter+0x12e/0x1e0\n vfs_write+0x215/0x3d0\n ksys_write+0x5f/0xd0\n do_syscall_64+0x55/0x10f0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\n[2]\ndevlink dev eswitch set pci/0000:08:00.0 mode switchdev\ndevlink port add pci/0000:08:00.0 flavour pcisf pfnum 0 sfnum 1000\ndevlink port function rate add pci/0000:08:00.0/group1\ndevlink port function rate set pci/0000:08:00.0/32768 parent group1\nmodprobe -r mlx5_ib mlx5_fwctl mlx5_core\n\ndmesg:\nrefcount_t: decrement hit 0; leaking memory.\nWARNING: CPU: 7 PID: 16151 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0\nCPU: 7 UID: 0 PID: 16151 Comm: bash Not tainted 6.17.0-rc7_for_upstream_min_debug_2025_10_02_12_44 #1 NONE\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x42/0xe0\nCall Trace:\n \u003cTASK\u003e\n devl_rate_leaf_destroy+0x8d/0x90\n mlx5_esw_offloads_devlink_port_unregister+0x33/0x60 [mlx5_core]\n mlx5_esw_offloads_unload_rep+0x3f/0x50 [mlx5_core]\n mlx5_eswitch_unload_sf_vport+0x40/0x90 [mlx5_core]\n mlx5_sf_esw_event+0xc4/0x120 [mlx5_core]\n notifier_call_chain+0x33/0xa0\n blocking_notifier_call_chain+0x3b/0x50\n mlx5_eswitch_disable_locked+0x50/0x110 [mlx5_core]\n mlx5_eswitch_disable+0x63/0x90 [mlx5_core]\n mlx5_unload+0x1d/0x170 [mlx5_core]\n mlx5_uninit_one+0xa2/0x130 [mlx5_core]\n remove_one+0x78/0xd0 [mlx5_core]\n pci_device_remove+0x39/0xa0\n device_release_driver_internal+0x194/0x1f0\n unbind_store+0x99/0xa0\n kernfs_fop_write_iter+0x12e/0x1e0\n vfs_write+0x215/0x3d0\n ksys_write+0x5f/0xd0\n do_syscall_64+0x53/0x1f0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-04T16:08:13.710Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/715d9cda646a8a38ea8b2bb5afb679a7464055e2"
        },
        {
          "url": "https://git.kernel.org/stable/c/c70df6c17d389cc743f0eb30160e2d6bc6910db8"
        },
        {
          "url": "https://git.kernel.org/stable/c/542f45486f1ce2d2dde75bd85aca0389ef7046c3"
        },
        {
          "url": "https://git.kernel.org/stable/c/f94c1a114ac209977bdf5ca841b98424295ab1f0"
        }
      ],
      "title": "devlink: rate: Unset parent pointer in devl_rate_nodes_destroy",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40251",
    "datePublished": "2025-12-04T16:08:13.710Z",
    "dateReserved": "2025-04-16T07:20:57.181Z",
    "dateUpdated": "2025-12-04T16:08:13.710Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68285 (GCVE-0-2025-68285)

Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2026-01-02 15:34

Title

libceph: fix potential use-after-free in have_mon_and_osd_map()

Summary

In the Linux kernel, the following vulnerability has been resolved: libceph: fix potential use-after-free in have_mon_and_osd_map() The wait loop in __ceph_open_session() can race with the client receiving a new monmap or osdmap shortly after the initial map is received. Both ceph_monc_handle_map() and handle_one_map() install a new map immediately after freeing the old one kfree(monc->monmap); monc->monmap = monmap; ceph_osdmap_destroy(osdc->osdmap); osdc->osdmap = newmap; under client->monc.mutex and client->osdc.lock respectively, but because neither is taken in have_mon_and_osd_map() it's possible for client->monc.monmap->epoch and client->osdc.osdmap->epoch arms in client->monc.monmap && client->monc.monmap->epoch && client->osdc.osdmap && client->osdc.osdmap->epoch; condition to dereference an already freed map. This happens to be reproducible with generic/395 and generic/397 with KASAN enabled: BUG: KASAN: slab-use-after-free in have_mon_and_osd_map+0x56/0x70 Read of size 4 at addr ffff88811012d810 by task mount.ceph/13305 CPU: 2 UID: 0 PID: 13305 Comm: mount.ceph Not tainted 6.14.0-rc2-build2+ #1266 ... Call Trace: <TASK> have_mon_and_osd_map+0x56/0x70 ceph_open_session+0x182/0x290 ceph_get_tree+0x333/0x680 vfs_get_tree+0x49/0x180 do_new_mount+0x1a3/0x2d0 path_mount+0x6dd/0x730 do_mount+0x99/0xe0 __do_sys_mount+0x141/0x180 do_syscall_64+0x9f/0x100 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> Allocated by task 13305: ceph_osdmap_alloc+0x16/0x130 ceph_osdc_init+0x27a/0x4c0 ceph_create_client+0x153/0x190 create_fs_client+0x50/0x2a0 ceph_get_tree+0xff/0x680 vfs_get_tree+0x49/0x180 do_new_mount+0x1a3/0x2d0 path_mount+0x6dd/0x730 do_mount+0x99/0xe0 __do_sys_mount+0x141/0x180 do_syscall_64+0x9f/0x100 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 9475: kfree+0x212/0x290 handle_one_map+0x23c/0x3b0 ceph_osdc_handle_map+0x3c9/0x590 mon_dispatch+0x655/0x6f0 ceph_con_process_message+0xc3/0xe0 ceph_con_v1_try_read+0x614/0x760 ceph_con_workfn+0x2de/0x650 process_one_work+0x486/0x7c0 process_scheduled_works+0x73/0x90 worker_thread+0x1c8/0x2a0 kthread+0x2ec/0x300 ret_from_fork+0x24/0x40 ret_from_fork_asm+0x1a/0x30 Rewrite the wait loop to check the above condition directly with client->monc.mutex and client->osdc.lock taken as appropriate. While at it, improve the timeout handling (previously mount_timeout could be exceeded in case wait_event_interruptible_timeout() slept more than once) and access client->auth_err under client->monc.mutex to match how it's set in finish_auth(). monmap_show() and osdmap_show() now take the respective lock before accessing the map as well.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/bb4910c5fd436701f…
	https://git.kernel.org/stable/c/05ec43e9a9de67132…
	https://git.kernel.org/stable/c/7c8ccdc1714d9fabe…
	https://git.kernel.org/stable/c/183ad6e3b651e8fb0…
	https://git.kernel.org/stable/c/e08021b3b56b2407f…
	https://git.kernel.org/stable/c/3fc43120b22a3d4f1…
	https://git.kernel.org/stable/c/076381c261374c587…

Impacted products

Vendor

Product

Version

Linux

Affected: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < bb4910c5fd436701faf367e1b5476a5a6d2aff1c (git)
Affected: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < 05ec43e9a9de67132dc8cd3b22afef001574947f (git)
Affected: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < 7c8ccdc1714d9fabecd26e1be7db1771061acc6e (git)
Affected: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < 183ad6e3b651e8fb0b66d6a2678f4b80bfbba092 (git)
Affected: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < e08021b3b56b2407f37b5fe47b654be80cc665fb (git)
Affected: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < 3fc43120b22a3d4f1fbeff56a35ce2105b6a5683 (git)
Affected: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < 076381c261374c587700b3accf410bdd2dba334e (git)

Linux

Affected: 2.6.35
Unaffected: 0 , < 2.6.35 (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.119 , ≤ 6.6.* (semver)
Unaffected: 6.12.61 , ≤ 6.12.* (semver)
Unaffected: 6.17.11 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ceph/ceph_common.c",
            "net/ceph/debugfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "bb4910c5fd436701faf367e1b5476a5a6d2aff1c",
              "status": "affected",
              "version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
              "versionType": "git"
            },
            {
              "lessThan": "05ec43e9a9de67132dc8cd3b22afef001574947f",
              "status": "affected",
              "version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
              "versionType": "git"
            },
            {
              "lessThan": "7c8ccdc1714d9fabecd26e1be7db1771061acc6e",
              "status": "affected",
              "version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
              "versionType": "git"
            },
            {
              "lessThan": "183ad6e3b651e8fb0b66d6a2678f4b80bfbba092",
              "status": "affected",
              "version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
              "versionType": "git"
            },
            {
              "lessThan": "e08021b3b56b2407f37b5fe47b654be80cc665fb",
              "status": "affected",
              "version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
              "versionType": "git"
            },
            {
              "lessThan": "3fc43120b22a3d4f1fbeff56a35ce2105b6a5683",
              "status": "affected",
              "version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
              "versionType": "git"
            },
            {
              "lessThan": "076381c261374c587700b3accf410bdd2dba334e",
              "status": "affected",
              "version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ceph/ceph_common.c",
            "net/ceph/debugfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.35"
            },
            {
              "lessThan": "2.6.35",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.119",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.119",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.61",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.11",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: fix potential use-after-free in have_mon_and_osd_map()\n\nThe wait loop in __ceph_open_session() can race with the client\nreceiving a new monmap or osdmap shortly after the initial map is\nreceived.  Both ceph_monc_handle_map() and handle_one_map() install\na new map immediately after freeing the old one\n\n    kfree(monc-\u003emonmap);\n    monc-\u003emonmap = monmap;\n\n    ceph_osdmap_destroy(osdc-\u003eosdmap);\n    osdc-\u003eosdmap = newmap;\n\nunder client-\u003emonc.mutex and client-\u003eosdc.lock respectively, but\nbecause neither is taken in have_mon_and_osd_map() it\u0027s possible for\nclient-\u003emonc.monmap-\u003eepoch and client-\u003eosdc.osdmap-\u003eepoch arms in\n\n    client-\u003emonc.monmap \u0026\u0026 client-\u003emonc.monmap-\u003eepoch \u0026\u0026\n        client-\u003eosdc.osdmap \u0026\u0026 client-\u003eosdc.osdmap-\u003eepoch;\n\ncondition to dereference an already freed map.  This happens to be\nreproducible with generic/395 and generic/397 with KASAN enabled:\n\n    BUG: KASAN: slab-use-after-free in have_mon_and_osd_map+0x56/0x70\n    Read of size 4 at addr ffff88811012d810 by task mount.ceph/13305\n    CPU: 2 UID: 0 PID: 13305 Comm: mount.ceph Not tainted 6.14.0-rc2-build2+ #1266\n    ...\n    Call Trace:\n    \u003cTASK\u003e\n    have_mon_and_osd_map+0x56/0x70\n    ceph_open_session+0x182/0x290\n    ceph_get_tree+0x333/0x680\n    vfs_get_tree+0x49/0x180\n    do_new_mount+0x1a3/0x2d0\n    path_mount+0x6dd/0x730\n    do_mount+0x99/0xe0\n    __do_sys_mount+0x141/0x180\n    do_syscall_64+0x9f/0x100\n    entry_SYSCALL_64_after_hwframe+0x76/0x7e\n    \u003c/TASK\u003e\n\n    Allocated by task 13305:\n    ceph_osdmap_alloc+0x16/0x130\n    ceph_osdc_init+0x27a/0x4c0\n    ceph_create_client+0x153/0x190\n    create_fs_client+0x50/0x2a0\n    ceph_get_tree+0xff/0x680\n    vfs_get_tree+0x49/0x180\n    do_new_mount+0x1a3/0x2d0\n    path_mount+0x6dd/0x730\n    do_mount+0x99/0xe0\n    __do_sys_mount+0x141/0x180\n    do_syscall_64+0x9f/0x100\n    entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n    Freed by task 9475:\n    kfree+0x212/0x290\n    handle_one_map+0x23c/0x3b0\n    ceph_osdc_handle_map+0x3c9/0x590\n    mon_dispatch+0x655/0x6f0\n    ceph_con_process_message+0xc3/0xe0\n    ceph_con_v1_try_read+0x614/0x760\n    ceph_con_workfn+0x2de/0x650\n    process_one_work+0x486/0x7c0\n    process_scheduled_works+0x73/0x90\n    worker_thread+0x1c8/0x2a0\n    kthread+0x2ec/0x300\n    ret_from_fork+0x24/0x40\n    ret_from_fork_asm+0x1a/0x30\n\nRewrite the wait loop to check the above condition directly with\nclient-\u003emonc.mutex and client-\u003eosdc.lock taken as appropriate.  While\nat it, improve the timeout handling (previously mount_timeout could be\nexceeded in case wait_event_interruptible_timeout() slept more than\nonce) and access client-\u003eauth_err under client-\u003emonc.mutex to match\nhow it\u0027s set in finish_auth().\n\nmonmap_show() and osdmap_show() now take the respective lock before\naccessing the map as well."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:34:50.454Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/bb4910c5fd436701faf367e1b5476a5a6d2aff1c"
        },
        {
          "url": "https://git.kernel.org/stable/c/05ec43e9a9de67132dc8cd3b22afef001574947f"
        },
        {
          "url": "https://git.kernel.org/stable/c/7c8ccdc1714d9fabecd26e1be7db1771061acc6e"
        },
        {
          "url": "https://git.kernel.org/stable/c/183ad6e3b651e8fb0b66d6a2678f4b80bfbba092"
        },
        {
          "url": "https://git.kernel.org/stable/c/e08021b3b56b2407f37b5fe47b654be80cc665fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/3fc43120b22a3d4f1fbeff56a35ce2105b6a5683"
        },
        {
          "url": "https://git.kernel.org/stable/c/076381c261374c587700b3accf410bdd2dba334e"
        }
      ],
      "title": "libceph: fix potential use-after-free in have_mon_and_osd_map()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68285",
    "datePublished": "2025-12-16T15:06:07.078Z",
    "dateReserved": "2025-12-16T14:48:05.292Z",
    "dateUpdated": "2026-01-02T15:34:50.454Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50880 (GCVE-0-2022-50880)

Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2025-12-30 12:23

Title

wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state()

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state() When peer delete failed in a disconnect operation, use-after-free detected by KFENCE in below log. It is because for each vdev_id and address, it has only one struct ath10k_peer, it is allocated in ath10k_peer_map_event(). When connected to an AP, it has more than one HTT_T2H_MSG_TYPE_PEER_MAP reported from firmware, then the array peer_map of struct ath10k will be set muti-elements to the same ath10k_peer in ath10k_peer_map_event(). When peer delete failed in ath10k_sta_state(), the ath10k_peer will be free for the 1st peer id in array peer_map of struct ath10k, and then use-after-free happened for the 2nd peer id because they map to the same ath10k_peer. And clean up all peers in array peer_map for the ath10k_peer, then user-after-free disappeared peer map event log: [ 306.911021] wlan0: authenticate with b0:2a:43:e6:75:0e [ 306.957187] ath10k_pci 0000:01:00.0: mac vdev 0 peer create b0:2a:43:e6:75:0e (new sta) sta 1 / 32 peer 1 / 33 [ 306.957395] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 246 [ 306.957404] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 198 [ 306.986924] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 166 peer unmap event log: [ 435.715691] wlan0: deauthenticating from b0:2a:43:e6:75:0e by local choice (Reason: 3=DEAUTH_LEAVING) [ 435.716802] ath10k_pci 0000:01:00.0: mac vdev 0 peer delete b0:2a:43:e6:75:0e sta ffff990e0e9c2b50 (sta gone) [ 435.717177] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 246 [ 435.717186] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 198 [ 435.717193] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 166 use-after-free log: [21705.888627] wlan0: deauthenticating from d0:76:8f:82:be:75 by local choice (Reason: 3=DEAUTH_LEAVING) [21713.799910] ath10k_pci 0000:01:00.0: failed to delete peer d0:76:8f:82:be:75 for vdev 0: -110 [21713.799925] ath10k_pci 0000:01:00.0: found sta peer d0:76:8f:82:be:75 (ptr 0000000000000000 id 102) entry on vdev 0 after it was supposedly removed [21713.799968] ================================================================== [21713.799991] BUG: KFENCE: use-after-free read in ath10k_sta_state+0x265/0xb8a [ath10k_core] [21713.799991] [21713.799997] Use-after-free read at 0x00000000abe1c75e (in kfence-#69): [21713.800010] ath10k_sta_state+0x265/0xb8a [ath10k_core] [21713.800041] drv_sta_state+0x115/0x677 [mac80211] [21713.800059] __sta_info_destroy_part2+0xb1/0x133 [mac80211] [21713.800076] __sta_info_flush+0x11d/0x162 [mac80211] [21713.800093] ieee80211_set_disassoc+0x12d/0x2f4 [mac80211] [21713.800110] ieee80211_mgd_deauth+0x26c/0x29b [mac80211] [21713.800137] cfg80211_mlme_deauth+0x13f/0x1bb [cfg80211] [21713.800153] nl80211_deauthenticate+0xf8/0x121 [cfg80211] [21713.800161] genl_rcv_msg+0x38e/0x3be [21713.800166] netlink_rcv_skb+0x89/0xf7 [21713.800171] genl_rcv+0x28/0x36 [21713.800176] netlink_unicast+0x179/0x24b [21713.800181] netlink_sendmsg+0x3a0/0x40e [21713.800187] sock_sendmsg+0x72/0x76 [21713.800192] ____sys_sendmsg+0x16d/0x1e3 [21713.800196] ___sys_sendmsg+0x95/0xd1 [21713.800200] __sys_sendmsg+0x85/0xbf [21713.800205] do_syscall_64+0x43/0x55 [21713.800210] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [21713.800213] [21713.800219] kfence-#69: 0x000000009149b0d5-0x000000004c0697fb, size=1064, cache=kmalloc-2k [21713.800219] [21713.800224] allocated by task 13 on cpu 0 at 21705.501373s: [21713.800241] ath10k_peer_map_event+0x7e/0x154 [ath10k_core] [21713.800254] ath10k_htt_t2h_msg_handler+0x586/0x1039 [ath10k_core] [21713.800265] ath10k_htt_htc_t2h_msg_handler+0x12/0x28 [ath10k_core] [21713.800277] ath10k_htc_rx_completion_handler+0x14c/0x1b5 [ath10k_core] [21713.800283] ath10k_pci_process_rx_cb+0x195/0x1d ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/15604ab67179ae27e…
	https://git.kernel.org/stable/c/2d6259715c9597a6c…
	https://git.kernel.org/stable/c/f12fc305c127bd07b…
	https://git.kernel.org/stable/c/4494ec1c0bb850eaa…
	https://git.kernel.org/stable/c/08faf07717be0c88b…
	https://git.kernel.org/stable/c/54a3201f3c1ff8135…
	https://git.kernel.org/stable/c/2bf916418d2141b81…
	https://git.kernel.org/stable/c/38245f2d62cd4d1f3…
	https://git.kernel.org/stable/c/f020d9570a04df076…

Impacted products

Vendor

Product

Version

Linux

Affected: d0eeafad118940fe445ca00f45be5624fea2ec34 , < 15604ab67179ae27ea3c7fb24b6df32b143257c4 (git)
Affected: d0eeafad118940fe445ca00f45be5624fea2ec34 , < 2d6259715c9597a6cfa25db8911683eb0073b1c6 (git)
Affected: d0eeafad118940fe445ca00f45be5624fea2ec34 , < f12fc305c127bd07bb50373e29c6037696f916a8 (git)
Affected: d0eeafad118940fe445ca00f45be5624fea2ec34 , < 4494ec1c0bb850eaa80fed98e5b041d961011d3e (git)
Affected: d0eeafad118940fe445ca00f45be5624fea2ec34 , < 08faf07717be0c88b02b5aa45aad2225dfcdd2dc (git)
Affected: d0eeafad118940fe445ca00f45be5624fea2ec34 , < 54a3201f3c1ff813523937da78b5fa7649dbab71 (git)
Affected: d0eeafad118940fe445ca00f45be5624fea2ec34 , < 2bf916418d2141b810c40812433ab4ecfd3c2934 (git)
Affected: d0eeafad118940fe445ca00f45be5624fea2ec34 , < 38245f2d62cd4d1f38a763a7b4045ab4565b30a0 (git)
Affected: d0eeafad118940fe445ca00f45be5624fea2ec34 , < f020d9570a04df0762a2ac5c50cf1d8c511c9164 (git)

Linux

Affected: 4.8
Unaffected: 0 , < 4.8 (semver)
Unaffected: 4.9.331 , ≤ 4.9.* (semver)
Unaffected: 4.14.296 , ≤ 4.14.* (semver)
Unaffected: 4.19.262 , ≤ 4.19.* (semver)
Unaffected: 5.4.220 , ≤ 5.4.* (semver)
Unaffected: 5.10.150 , ≤ 5.10.* (semver)
Unaffected: 5.15.75 , ≤ 5.15.* (semver)
Unaffected: 5.19.17 , ≤ 5.19.* (semver)
Unaffected: 6.0.3 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath10k/mac.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "15604ab67179ae27ea3c7fb24b6df32b143257c4",
              "status": "affected",
              "version": "d0eeafad118940fe445ca00f45be5624fea2ec34",
              "versionType": "git"
            },
            {
              "lessThan": "2d6259715c9597a6cfa25db8911683eb0073b1c6",
              "status": "affected",
              "version": "d0eeafad118940fe445ca00f45be5624fea2ec34",
              "versionType": "git"
            },
            {
              "lessThan": "f12fc305c127bd07bb50373e29c6037696f916a8",
              "status": "affected",
              "version": "d0eeafad118940fe445ca00f45be5624fea2ec34",
              "versionType": "git"
            },
            {
              "lessThan": "4494ec1c0bb850eaa80fed98e5b041d961011d3e",
              "status": "affected",
              "version": "d0eeafad118940fe445ca00f45be5624fea2ec34",
              "versionType": "git"
            },
            {
              "lessThan": "08faf07717be0c88b02b5aa45aad2225dfcdd2dc",
              "status": "affected",
              "version": "d0eeafad118940fe445ca00f45be5624fea2ec34",
              "versionType": "git"
            },
            {
              "lessThan": "54a3201f3c1ff813523937da78b5fa7649dbab71",
              "status": "affected",
              "version": "d0eeafad118940fe445ca00f45be5624fea2ec34",
              "versionType": "git"
            },
            {
              "lessThan": "2bf916418d2141b810c40812433ab4ecfd3c2934",
              "status": "affected",
              "version": "d0eeafad118940fe445ca00f45be5624fea2ec34",
              "versionType": "git"
            },
            {
              "lessThan": "38245f2d62cd4d1f38a763a7b4045ab4565b30a0",
              "status": "affected",
              "version": "d0eeafad118940fe445ca00f45be5624fea2ec34",
              "versionType": "git"
            },
            {
              "lessThan": "f020d9570a04df0762a2ac5c50cf1d8c511c9164",
              "status": "affected",
              "version": "d0eeafad118940fe445ca00f45be5624fea2ec34",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath10k/mac.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.331",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.262",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.220",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.331",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.296",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.262",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.220",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.150",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.75",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state()\n\nWhen peer delete failed in a disconnect operation, use-after-free\ndetected by KFENCE in below log. It is because for each vdev_id and\naddress, it has only one struct ath10k_peer, it is allocated in\nath10k_peer_map_event(). When connected to an AP, it has more than\none HTT_T2H_MSG_TYPE_PEER_MAP reported from firmware, then the\narray peer_map of struct ath10k will be set muti-elements to the\nsame ath10k_peer in ath10k_peer_map_event(). When peer delete failed\nin ath10k_sta_state(), the ath10k_peer will be free for the 1st peer\nid in array peer_map of struct ath10k, and then use-after-free happened\nfor the 2nd peer id because they map to the same ath10k_peer.\n\nAnd clean up all peers in array peer_map for the ath10k_peer, then\nuser-after-free disappeared\n\npeer map event log:\n[  306.911021] wlan0: authenticate with b0:2a:43:e6:75:0e\n[  306.957187] ath10k_pci 0000:01:00.0: mac vdev 0 peer create b0:2a:43:e6:75:0e (new sta) sta 1 / 32 peer 1 / 33\n[  306.957395] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 246\n[  306.957404] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 198\n[  306.986924] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 166\n\npeer unmap event log:\n[  435.715691] wlan0: deauthenticating from b0:2a:43:e6:75:0e by local choice (Reason: 3=DEAUTH_LEAVING)\n[  435.716802] ath10k_pci 0000:01:00.0: mac vdev 0 peer delete b0:2a:43:e6:75:0e sta ffff990e0e9c2b50 (sta gone)\n[  435.717177] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 246\n[  435.717186] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 198\n[  435.717193] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 166\n\nuse-after-free log:\n[21705.888627] wlan0: deauthenticating from d0:76:8f:82:be:75 by local choice (Reason: 3=DEAUTH_LEAVING)\n[21713.799910] ath10k_pci 0000:01:00.0: failed to delete peer d0:76:8f:82:be:75 for vdev 0: -110\n[21713.799925] ath10k_pci 0000:01:00.0: found sta peer d0:76:8f:82:be:75 (ptr 0000000000000000 id 102) entry on vdev 0 after it was supposedly removed\n[21713.799968] ==================================================================\n[21713.799991] BUG: KFENCE: use-after-free read in ath10k_sta_state+0x265/0xb8a [ath10k_core]\n[21713.799991]\n[21713.799997] Use-after-free read at 0x00000000abe1c75e (in kfence-#69):\n[21713.800010]  ath10k_sta_state+0x265/0xb8a [ath10k_core]\n[21713.800041]  drv_sta_state+0x115/0x677 [mac80211]\n[21713.800059]  __sta_info_destroy_part2+0xb1/0x133 [mac80211]\n[21713.800076]  __sta_info_flush+0x11d/0x162 [mac80211]\n[21713.800093]  ieee80211_set_disassoc+0x12d/0x2f4 [mac80211]\n[21713.800110]  ieee80211_mgd_deauth+0x26c/0x29b [mac80211]\n[21713.800137]  cfg80211_mlme_deauth+0x13f/0x1bb [cfg80211]\n[21713.800153]  nl80211_deauthenticate+0xf8/0x121 [cfg80211]\n[21713.800161]  genl_rcv_msg+0x38e/0x3be\n[21713.800166]  netlink_rcv_skb+0x89/0xf7\n[21713.800171]  genl_rcv+0x28/0x36\n[21713.800176]  netlink_unicast+0x179/0x24b\n[21713.800181]  netlink_sendmsg+0x3a0/0x40e\n[21713.800187]  sock_sendmsg+0x72/0x76\n[21713.800192]  ____sys_sendmsg+0x16d/0x1e3\n[21713.800196]  ___sys_sendmsg+0x95/0xd1\n[21713.800200]  __sys_sendmsg+0x85/0xbf\n[21713.800205]  do_syscall_64+0x43/0x55\n[21713.800210]  entry_SYSCALL_64_after_hwframe+0x44/0xa9\n[21713.800213]\n[21713.800219] kfence-#69: 0x000000009149b0d5-0x000000004c0697fb, size=1064, cache=kmalloc-2k\n[21713.800219]\n[21713.800224] allocated by task 13 on cpu 0 at 21705.501373s:\n[21713.800241]  ath10k_peer_map_event+0x7e/0x154 [ath10k_core]\n[21713.800254]  ath10k_htt_t2h_msg_handler+0x586/0x1039 [ath10k_core]\n[21713.800265]  ath10k_htt_htc_t2h_msg_handler+0x12/0x28 [ath10k_core]\n[21713.800277]  ath10k_htc_rx_completion_handler+0x14c/0x1b5 [ath10k_core]\n[21713.800283]  ath10k_pci_process_rx_cb+0x195/0x1d\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T12:23:19.551Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/15604ab67179ae27ea3c7fb24b6df32b143257c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/2d6259715c9597a6cfa25db8911683eb0073b1c6"
        },
        {
          "url": "https://git.kernel.org/stable/c/f12fc305c127bd07bb50373e29c6037696f916a8"
        },
        {
          "url": "https://git.kernel.org/stable/c/4494ec1c0bb850eaa80fed98e5b041d961011d3e"
        },
        {
          "url": "https://git.kernel.org/stable/c/08faf07717be0c88b02b5aa45aad2225dfcdd2dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/54a3201f3c1ff813523937da78b5fa7649dbab71"
        },
        {
          "url": "https://git.kernel.org/stable/c/2bf916418d2141b810c40812433ab4ecfd3c2934"
        },
        {
          "url": "https://git.kernel.org/stable/c/38245f2d62cd4d1f38a763a7b4045ab4565b30a0"
        },
        {
          "url": "https://git.kernel.org/stable/c/f020d9570a04df0762a2ac5c50cf1d8c511c9164"
        }
      ],
      "title": "wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50880",
    "datePublished": "2025-12-30T12:23:19.551Z",
    "dateReserved": "2025-12-30T12:06:07.137Z",
    "dateUpdated": "2025-12-30T12:23:19.551Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68362 (GCVE-0-2025-68362)

Vulnerability from cvelistv5 – Published: 2025-12-24 10:32 – Updated: 2026-01-19 12:18

Title

wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb() The rtl8187_rx_cb() calculates the rx descriptor header address by subtracting its size from the skb tail pointer. However, it does not validate if the received packet (skb->len from urb->actual_length) is large enough to contain this header. If a truncated packet is received, this will lead to a buffer underflow, reading memory before the start of the skb data area, and causing a kernel panic. Add length checks for both rtl8187 and rtl8187b descriptor headers before attempting to access them, dropping the packet cleanly if the check fails.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/118e12bf3e4288cf8…
	https://git.kernel.org/stable/c/6a96bd0d94305fd04…
	https://git.kernel.org/stable/c/e2f3ea15e804607e0…
	https://git.kernel.org/stable/c/dc153401fb26c1640…
	https://git.kernel.org/stable/c/4758770a673c60d8f…
	https://git.kernel.org/stable/c/638d4148e166d114a…
	https://git.kernel.org/stable/c/5ebf0fe7eaef9f617…
	https://git.kernel.org/stable/c/b647d2574e4583c2e…

Impacted products

Vendor

Product

Version

Linux

Affected: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c , < 118e12bf3e4288cf845cd3759bd9d4c99f91aab5 (git)
Affected: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c , < 6a96bd0d94305fd04a6ac64446ec113bae289384 (git)
Affected: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c , < e2f3ea15e804607e0a4a34a2f6c331c8750b68bc (git)
Affected: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c , < dc153401fb26c1640a2b279c47b65e1c416af276 (git)
Affected: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c , < 4758770a673c60d8f615809304d72e1432fa6355 (git)
Affected: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c , < 638d4148e166d114a4cd7becaae992ce1a815ed8 (git)
Affected: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c , < 5ebf0fe7eaef9f6173a4c6ea77c5353e21645d15 (git)
Affected: 6f7853f3cbe457067e9fe05461f56c7ea4ac488c , < b647d2574e4583c2e3b0ab35568f60c88e910840 (git)

Linux

Affected: 2.6.27
Unaffected: 0 , < 2.6.27 (semver)
Unaffected: 5.10.248 , ≤ 5.10.* (semver)
Unaffected: 5.15.198 , ≤ 5.15.* (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.63 , ≤ 6.12.* (semver)
Unaffected: 6.17.13 , ≤ 6.17.* (semver)
Unaffected: 6.18.2 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "118e12bf3e4288cf845cd3759bd9d4c99f91aab5",
              "status": "affected",
              "version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
              "versionType": "git"
            },
            {
              "lessThan": "6a96bd0d94305fd04a6ac64446ec113bae289384",
              "status": "affected",
              "version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
              "versionType": "git"
            },
            {
              "lessThan": "e2f3ea15e804607e0a4a34a2f6c331c8750b68bc",
              "status": "affected",
              "version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
              "versionType": "git"
            },
            {
              "lessThan": "dc153401fb26c1640a2b279c47b65e1c416af276",
              "status": "affected",
              "version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
              "versionType": "git"
            },
            {
              "lessThan": "4758770a673c60d8f615809304d72e1432fa6355",
              "status": "affected",
              "version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
              "versionType": "git"
            },
            {
              "lessThan": "638d4148e166d114a4cd7becaae992ce1a815ed8",
              "status": "affected",
              "version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
              "versionType": "git"
            },
            {
              "lessThan": "5ebf0fe7eaef9f6173a4c6ea77c5353e21645d15",
              "status": "affected",
              "version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
              "versionType": "git"
            },
            {
              "lessThan": "b647d2574e4583c2e3b0ab35568f60c88e910840",
              "status": "affected",
              "version": "6f7853f3cbe457067e9fe05461f56c7ea4ac488c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.27"
            },
            {
              "lessThan": "2.6.27",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.248",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.63",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.248",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.198",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.63",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.13",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.2",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "2.6.27",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()\n\nThe rtl8187_rx_cb() calculates the rx descriptor header address\nby subtracting its size from the skb tail pointer.\nHowever, it does not validate if the received packet\n(skb-\u003elen from urb-\u003eactual_length) is large enough to contain this\nheader.\n\nIf a truncated packet is received, this will lead to a buffer\nunderflow, reading memory before the start of the skb data area,\nand causing a kernel panic.\n\nAdd length checks for both rtl8187 and rtl8187b descriptor headers\nbefore attempting to access them, dropping the packet cleanly if the\ncheck fails."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-19T12:18:28.472Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/118e12bf3e4288cf845cd3759bd9d4c99f91aab5"
        },
        {
          "url": "https://git.kernel.org/stable/c/6a96bd0d94305fd04a6ac64446ec113bae289384"
        },
        {
          "url": "https://git.kernel.org/stable/c/e2f3ea15e804607e0a4a34a2f6c331c8750b68bc"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc153401fb26c1640a2b279c47b65e1c416af276"
        },
        {
          "url": "https://git.kernel.org/stable/c/4758770a673c60d8f615809304d72e1432fa6355"
        },
        {
          "url": "https://git.kernel.org/stable/c/638d4148e166d114a4cd7becaae992ce1a815ed8"
        },
        {
          "url": "https://git.kernel.org/stable/c/5ebf0fe7eaef9f6173a4c6ea77c5353e21645d15"
        },
        {
          "url": "https://git.kernel.org/stable/c/b647d2574e4583c2e3b0ab35568f60c88e910840"
        }
      ],
      "title": "wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68362",
    "datePublished": "2025-12-24T10:32:50.492Z",
    "dateReserved": "2025-12-16T14:48:05.307Z",
    "dateUpdated": "2026-01-19T12:18:28.472Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68264 (GCVE-0-2025-68264)

Vulnerability from cvelistv5 – Published: 2025-12-16 14:45 – Updated: 2026-01-19 12:18

Title

ext4: refresh inline data size before write operations

Summary

In the Linux kernel, the following vulnerability has been resolved: ext4: refresh inline data size before write operations The cached ei->i_inline_size can become stale between the initial size check and when ext4_update_inline_data()/ext4_create_inline_data() use it. Although ext4_get_max_inline_size() reads the correct value at the time of the check, concurrent xattr operations can modify i_inline_size before ext4_write_lock_xattr() is acquired. This causes ext4_update_inline_data() and ext4_create_inline_data() to work with stale capacity values, leading to a BUG_ON() crash in ext4_write_inline_data(): kernel BUG at fs/ext4/inline.c:1331! BUG_ON(pos + len > EXT4_I(inode)->i_inline_size); The race window: 1. ext4_get_max_inline_size() reads i_inline_size = 60 (correct) 2. Size check passes for 50-byte write 3. [Another thread adds xattr, i_inline_size changes to 40] 4. ext4_write_lock_xattr() acquires lock 5. ext4_update_inline_data() uses stale i_inline_size = 60 6. Attempts to write 50 bytes but only 40 bytes actually available 7. BUG_ON() triggers Fix this by recalculating i_inline_size via ext4_find_inline_data_nolock() immediately after acquiring xattr_sem. This ensures ext4_update_inline_data() and ext4_create_inline_data() work with current values that are protected from concurrent modifications. This is similar to commit a54c4613dac1 ("ext4: fix race writing to an inline_data file while its xattrs are changing") which fixed i_inline_off staleness. This patch addresses the related i_inline_size staleness issue.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/54ab81ae5f218452e…
	https://git.kernel.org/stable/c/43bf001f0fe4e59bb…
	https://git.kernel.org/stable/c/89c2c41f0974e530b…
	https://git.kernel.org/stable/c/1687a055a555347b0…
	https://git.kernel.org/stable/c/210ac60a86a3ad2c7…
	https://git.kernel.org/stable/c/ca43ea29b4c4d2764…
	https://git.kernel.org/stable/c/58df743faf21ceb18…
	https://git.kernel.org/stable/c/892e1cf17555735e9…

Impacted products

Vendor

Product

Version

Linux

Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < 54ab81ae5f218452e64470cd8a8139bb5880fe2b (git)
Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < 43bf001f0fe4e59bba47c897505222f959f4a1cc (git)
Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < 89c2c41f0974e530b2d032c3695095aa0559adb1 (git)
Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < 1687a055a555347b002f406676a1aaae4668f242 (git)
Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < 210ac60a86a3ad2c76ae60e0dc71c34af6e7ea0b (git)
Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < ca43ea29b4c4d2764aec8a26cffcfb677a871e6e (git)
Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < 58df743faf21ceb1880f930aa5dd428e2a5e415d (git)
Affected: 67cf5b09a46f72e048501b84996f2f77bc42e947 , < 892e1cf17555735e9d021ab036c36bc7b58b0e3b (git)

Linux

Affected: 3.8
Unaffected: 0 , < 3.8 (semver)
Unaffected: 5.10.248 , ≤ 5.10.* (semver)
Unaffected: 5.15.198 , ≤ 5.15.* (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.62 , ≤ 6.12.* (semver)
Unaffected: 6.17.12 , ≤ 6.17.* (semver)
Unaffected: 6.18.1 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/inline.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "54ab81ae5f218452e64470cd8a8139bb5880fe2b",
              "status": "affected",
              "version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
              "versionType": "git"
            },
            {
              "lessThan": "43bf001f0fe4e59bba47c897505222f959f4a1cc",
              "status": "affected",
              "version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
              "versionType": "git"
            },
            {
              "lessThan": "89c2c41f0974e530b2d032c3695095aa0559adb1",
              "status": "affected",
              "version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
              "versionType": "git"
            },
            {
              "lessThan": "1687a055a555347b002f406676a1aaae4668f242",
              "status": "affected",
              "version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
              "versionType": "git"
            },
            {
              "lessThan": "210ac60a86a3ad2c76ae60e0dc71c34af6e7ea0b",
              "status": "affected",
              "version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
              "versionType": "git"
            },
            {
              "lessThan": "ca43ea29b4c4d2764aec8a26cffcfb677a871e6e",
              "status": "affected",
              "version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
              "versionType": "git"
            },
            {
              "lessThan": "58df743faf21ceb1880f930aa5dd428e2a5e415d",
              "status": "affected",
              "version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
              "versionType": "git"
            },
            {
              "lessThan": "892e1cf17555735e9d021ab036c36bc7b58b0e3b",
              "status": "affected",
              "version": "67cf5b09a46f72e048501b84996f2f77bc42e947",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/inline.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.8"
            },
            {
              "lessThan": "3.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.248",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.62",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.248",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.198",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.62",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.12",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.1",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: refresh inline data size before write operations\n\nThe cached ei-\u003ei_inline_size can become stale between the initial size\ncheck and when ext4_update_inline_data()/ext4_create_inline_data() use\nit. Although ext4_get_max_inline_size() reads the correct value at the\ntime of the check, concurrent xattr operations can modify i_inline_size\nbefore ext4_write_lock_xattr() is acquired.\n\nThis causes ext4_update_inline_data() and ext4_create_inline_data() to\nwork with stale capacity values, leading to a BUG_ON() crash in\next4_write_inline_data():\n\n  kernel BUG at fs/ext4/inline.c:1331!\n  BUG_ON(pos + len \u003e EXT4_I(inode)-\u003ei_inline_size);\n\nThe race window:\n1. ext4_get_max_inline_size() reads i_inline_size = 60 (correct)\n2. Size check passes for 50-byte write\n3. [Another thread adds xattr, i_inline_size changes to 40]\n4. ext4_write_lock_xattr() acquires lock\n5. ext4_update_inline_data() uses stale i_inline_size = 60\n6. Attempts to write 50 bytes but only 40 bytes actually available\n7. BUG_ON() triggers\n\nFix this by recalculating i_inline_size via ext4_find_inline_data_nolock()\nimmediately after acquiring xattr_sem. This ensures ext4_update_inline_data()\nand ext4_create_inline_data() work with current values that are protected\nfrom concurrent modifications.\n\nThis is similar to commit a54c4613dac1 (\"ext4: fix race writing to an\ninline_data file while its xattrs are changing\") which fixed i_inline_off\nstaleness. This patch addresses the related i_inline_size staleness issue."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-19T12:18:14.011Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/54ab81ae5f218452e64470cd8a8139bb5880fe2b"
        },
        {
          "url": "https://git.kernel.org/stable/c/43bf001f0fe4e59bba47c897505222f959f4a1cc"
        },
        {
          "url": "https://git.kernel.org/stable/c/89c2c41f0974e530b2d032c3695095aa0559adb1"
        },
        {
          "url": "https://git.kernel.org/stable/c/1687a055a555347b002f406676a1aaae4668f242"
        },
        {
          "url": "https://git.kernel.org/stable/c/210ac60a86a3ad2c76ae60e0dc71c34af6e7ea0b"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca43ea29b4c4d2764aec8a26cffcfb677a871e6e"
        },
        {
          "url": "https://git.kernel.org/stable/c/58df743faf21ceb1880f930aa5dd428e2a5e415d"
        },
        {
          "url": "https://git.kernel.org/stable/c/892e1cf17555735e9d021ab036c36bc7b58b0e3b"
        }
      ],
      "title": "ext4: refresh inline data size before write operations",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68264",
    "datePublished": "2025-12-16T14:45:06.268Z",
    "dateReserved": "2025-12-16T13:41:40.267Z",
    "dateUpdated": "2026-01-19T12:18:14.011Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40233 (GCVE-0-2025-40233)

Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2025-12-04 15:31

Title

ocfs2: clear extent cache after moving/defragmenting extents

Summary

In the Linux kernel, the following vulnerability has been resolved: ocfs2: clear extent cache after moving/defragmenting extents The extent map cache can become stale when extents are moved or defragmented, causing subsequent operations to see outdated extent flags. This triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters(). The problem occurs when: 1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED 2. ioctl(FITRIM) triggers ocfs2_move_extents() 3. __ocfs2_move_extents_range() reads and caches the extent (flags=0x2) 4. ocfs2_move_extent()/ocfs2_defrag_extent() calls __ocfs2_move_extent() which clears OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0) 5. The extent map cache is not invalidated after the move 6. Later write() operations read stale cached flags (0x2) but disk has updated flags (0x0), causing a mismatch 7. BUG_ON(!(rec->e_flags & OCFS2_EXT_REFCOUNTED)) triggers Fix by clearing the extent map cache after each extent move/defrag operation in __ocfs2_move_extents_range(). This ensures subsequent operations read fresh extent data from disk.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/93166bc53c0e35870…
	https://git.kernel.org/stable/c/a7ee72286efba1d40…
	https://git.kernel.org/stable/c/93b1ab422f1966b71…
	https://git.kernel.org/stable/c/e92af7737a94a7292…
	https://git.kernel.org/stable/c/aa6a21409dd6221bb…
	https://git.kernel.org/stable/c/bb69928ed578f881e…
	https://git.kernel.org/stable/c/a21750df2f6169af6…
	https://git.kernel.org/stable/c/78a63493f8e352296…

Impacted products

Vendor

Product

Version

Linux

Affected: 53069d4e76954e2e63c1b3c501051c6fbcf7298c , < 93166bc53c0e3587058327a4121daea34b4fecd5 (git)
Affected: 53069d4e76954e2e63c1b3c501051c6fbcf7298c , < a7ee72286efba1d407c6f15a0528e43593fb7007 (git)
Affected: 53069d4e76954e2e63c1b3c501051c6fbcf7298c , < 93b1ab422f1966b71561158e1aedce4ec100f357 (git)
Affected: 53069d4e76954e2e63c1b3c501051c6fbcf7298c , < e92af7737a94a729225d2a5d180eaaa77fe0bbc1 (git)
Affected: 53069d4e76954e2e63c1b3c501051c6fbcf7298c , < aa6a21409dd6221bb268b56bb410e031c632ff9a (git)
Affected: 53069d4e76954e2e63c1b3c501051c6fbcf7298c , < bb69928ed578f881e68d26aaf1a8f6e7faab3b44 (git)
Affected: 53069d4e76954e2e63c1b3c501051c6fbcf7298c , < a21750df2f6169af6e039a3bb4893d6c9564e48d (git)
Affected: 53069d4e76954e2e63c1b3c501051c6fbcf7298c , < 78a63493f8e352296dbc7cb7b3f4973105e8679e (git)

Linux

Affected: 3.0
Unaffected: 0 , < 3.0 (semver)
Unaffected: 5.4.301 , ≤ 5.4.* (semver)
Unaffected: 5.10.246 , ≤ 5.10.* (semver)
Unaffected: 5.15.196 , ≤ 5.15.* (semver)
Unaffected: 6.1.158 , ≤ 6.1.* (semver)
Unaffected: 6.6.115 , ≤ 6.6.* (semver)
Unaffected: 6.12.56 , ≤ 6.12.* (semver)
Unaffected: 6.17.6 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ocfs2/move_extents.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "93166bc53c0e3587058327a4121daea34b4fecd5",
              "status": "affected",
              "version": "53069d4e76954e2e63c1b3c501051c6fbcf7298c",
              "versionType": "git"
            },
            {
              "lessThan": "a7ee72286efba1d407c6f15a0528e43593fb7007",
              "status": "affected",
              "version": "53069d4e76954e2e63c1b3c501051c6fbcf7298c",
              "versionType": "git"
            },
            {
              "lessThan": "93b1ab422f1966b71561158e1aedce4ec100f357",
              "status": "affected",
              "version": "53069d4e76954e2e63c1b3c501051c6fbcf7298c",
              "versionType": "git"
            },
            {
              "lessThan": "e92af7737a94a729225d2a5d180eaaa77fe0bbc1",
              "status": "affected",
              "version": "53069d4e76954e2e63c1b3c501051c6fbcf7298c",
              "versionType": "git"
            },
            {
              "lessThan": "aa6a21409dd6221bb268b56bb410e031c632ff9a",
              "status": "affected",
              "version": "53069d4e76954e2e63c1b3c501051c6fbcf7298c",
              "versionType": "git"
            },
            {
              "lessThan": "bb69928ed578f881e68d26aaf1a8f6e7faab3b44",
              "status": "affected",
              "version": "53069d4e76954e2e63c1b3c501051c6fbcf7298c",
              "versionType": "git"
            },
            {
              "lessThan": "a21750df2f6169af6e039a3bb4893d6c9564e48d",
              "status": "affected",
              "version": "53069d4e76954e2e63c1b3c501051c6fbcf7298c",
              "versionType": "git"
            },
            {
              "lessThan": "78a63493f8e352296dbc7cb7b3f4973105e8679e",
              "status": "affected",
              "version": "53069d4e76954e2e63c1b3c501051c6fbcf7298c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ocfs2/move_extents.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.0"
            },
            {
              "lessThan": "3.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.301",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.246",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.196",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.158",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.115",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.56",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.301",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.246",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.196",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.158",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.115",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.56",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.6",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: clear extent cache after moving/defragmenting extents\n\nThe extent map cache can become stale when extents are moved or\ndefragmented, causing subsequent operations to see outdated extent flags. \nThis triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters().\n\nThe problem occurs when:\n1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED\n2. ioctl(FITRIM) triggers ocfs2_move_extents()\n3. __ocfs2_move_extents_range() reads and caches the extent (flags=0x2)\n4. ocfs2_move_extent()/ocfs2_defrag_extent() calls __ocfs2_move_extent()\n   which clears OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0)\n5. The extent map cache is not invalidated after the move\n6. Later write() operations read stale cached flags (0x2) but disk has\n   updated flags (0x0), causing a mismatch\n7. BUG_ON(!(rec-\u003ee_flags \u0026 OCFS2_EXT_REFCOUNTED)) triggers\n\nFix by clearing the extent map cache after each extent move/defrag\noperation in __ocfs2_move_extents_range().  This ensures subsequent\noperations read fresh extent data from disk."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-04T15:31:23.891Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/93166bc53c0e3587058327a4121daea34b4fecd5"
        },
        {
          "url": "https://git.kernel.org/stable/c/a7ee72286efba1d407c6f15a0528e43593fb7007"
        },
        {
          "url": "https://git.kernel.org/stable/c/93b1ab422f1966b71561158e1aedce4ec100f357"
        },
        {
          "url": "https://git.kernel.org/stable/c/e92af7737a94a729225d2a5d180eaaa77fe0bbc1"
        },
        {
          "url": "https://git.kernel.org/stable/c/aa6a21409dd6221bb268b56bb410e031c632ff9a"
        },
        {
          "url": "https://git.kernel.org/stable/c/bb69928ed578f881e68d26aaf1a8f6e7faab3b44"
        },
        {
          "url": "https://git.kernel.org/stable/c/a21750df2f6169af6e039a3bb4893d6c9564e48d"
        },
        {
          "url": "https://git.kernel.org/stable/c/78a63493f8e352296dbc7cb7b3f4973105e8679e"
        }
      ],
      "title": "ocfs2: clear extent cache after moving/defragmenting extents",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40233",
    "datePublished": "2025-12-04T15:31:23.891Z",
    "dateReserved": "2025-04-16T07:20:57.180Z",
    "dateUpdated": "2025-12-04T15:31:23.891Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40283 (GCVE-0-2025-40283)

Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2025-12-06 21:51

Title

Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF There is a KASAN: slab-use-after-free read in btusb_disconnect(). Calling "usb_driver_release_interface(&btusb_driver, data->intf)" will free the btusb data associated with the interface. The same data is then used later in the function, hence the UAF. Fix by moving the accesses to btusb data to before the data is free'd.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/297dbf87989e09af9…
	https://git.kernel.org/stable/c/f858f004bc343a7ae…
	https://git.kernel.org/stable/c/7a6d1e740220ff9df…
	https://git.kernel.org/stable/c/5dc00065a0496c366…
	https://git.kernel.org/stable/c/1c28c1e1522c773a9…
	https://git.kernel.org/stable/c/95b9b98c93b1c0916…
	https://git.kernel.org/stable/c/a2610ecd9fd5708be…
	https://git.kernel.org/stable/c/23d22f2f71768034d…

Impacted products

Vendor

Product

Version

Linux

Affected: fd913ef7ce619467c6b0644af48ba1fec499c623 , < 297dbf87989e09af98f81f2bcb938041785557e8 (git)
Affected: fd913ef7ce619467c6b0644af48ba1fec499c623 , < f858f004bc343a7ae9f2533bbb2a3ab27428532f (git)
Affected: fd913ef7ce619467c6b0644af48ba1fec499c623 , < 7a6d1e740220ff9dfcb6a8c994d6ba49e76db198 (git)
Affected: fd913ef7ce619467c6b0644af48ba1fec499c623 , < 5dc00065a0496c36694afe11e52a5bc64524a9b8 (git)
Affected: fd913ef7ce619467c6b0644af48ba1fec499c623 , < 1c28c1e1522c773a94e26950ffb145e88cd9834b (git)
Affected: fd913ef7ce619467c6b0644af48ba1fec499c623 , < 95b9b98c93b1c0916a3d4cf4540b7f5d69145a0d (git)
Affected: fd913ef7ce619467c6b0644af48ba1fec499c623 , < a2610ecd9fd5708be8997ca8f033e4200c0bb6af (git)
Affected: fd913ef7ce619467c6b0644af48ba1fec499c623 , < 23d22f2f71768034d6ef86168213843fc49bf550 (git)

Linux

Affected: 4.11
Unaffected: 0 , < 4.11 (semver)
Unaffected: 5.4.302 , ≤ 5.4.* (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.59 , ≤ 6.12.* (semver)
Unaffected: 6.17.9 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/bluetooth/btusb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "297dbf87989e09af98f81f2bcb938041785557e8",
              "status": "affected",
              "version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
              "versionType": "git"
            },
            {
              "lessThan": "f858f004bc343a7ae9f2533bbb2a3ab27428532f",
              "status": "affected",
              "version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
              "versionType": "git"
            },
            {
              "lessThan": "7a6d1e740220ff9dfcb6a8c994d6ba49e76db198",
              "status": "affected",
              "version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
              "versionType": "git"
            },
            {
              "lessThan": "5dc00065a0496c36694afe11e52a5bc64524a9b8",
              "status": "affected",
              "version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
              "versionType": "git"
            },
            {
              "lessThan": "1c28c1e1522c773a94e26950ffb145e88cd9834b",
              "status": "affected",
              "version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
              "versionType": "git"
            },
            {
              "lessThan": "95b9b98c93b1c0916a3d4cf4540b7f5d69145a0d",
              "status": "affected",
              "version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
              "versionType": "git"
            },
            {
              "lessThan": "a2610ecd9fd5708be8997ca8f033e4200c0bb6af",
              "status": "affected",
              "version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
              "versionType": "git"
            },
            {
              "lessThan": "23d22f2f71768034d6ef86168213843fc49bf550",
              "status": "affected",
              "version": "fd913ef7ce619467c6b0644af48ba1fec499c623",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/bluetooth/btusb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.11"
            },
            {
              "lessThan": "4.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.302",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.302",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF\n\nThere is a KASAN: slab-use-after-free read in btusb_disconnect().\nCalling \"usb_driver_release_interface(\u0026btusb_driver, data-\u003eintf)\" will\nfree the btusb data associated with the interface. The same data is\nthen used later in the function, hence the UAF.\n\nFix by moving the accesses to btusb data to before the data is free\u0027d."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-06T21:51:07.409Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/297dbf87989e09af98f81f2bcb938041785557e8"
        },
        {
          "url": "https://git.kernel.org/stable/c/f858f004bc343a7ae9f2533bbb2a3ab27428532f"
        },
        {
          "url": "https://git.kernel.org/stable/c/7a6d1e740220ff9dfcb6a8c994d6ba49e76db198"
        },
        {
          "url": "https://git.kernel.org/stable/c/5dc00065a0496c36694afe11e52a5bc64524a9b8"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c28c1e1522c773a94e26950ffb145e88cd9834b"
        },
        {
          "url": "https://git.kernel.org/stable/c/95b9b98c93b1c0916a3d4cf4540b7f5d69145a0d"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2610ecd9fd5708be8997ca8f033e4200c0bb6af"
        },
        {
          "url": "https://git.kernel.org/stable/c/23d22f2f71768034d6ef86168213843fc49bf550"
        }
      ],
      "title": "Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40283",
    "datePublished": "2025-12-06T21:51:07.409Z",
    "dateReserved": "2025-04-16T07:20:57.184Z",
    "dateUpdated": "2025-12-06T21:51:07.409Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-3303 (GCVE-0-2022-3303)

Vulnerability from cvelistv5 – Published: 2022-09-27 00:00 – Updated: 2025-05-21 15:31

Summary

A race condition flaw was found in the Linux kernel sound subsystem due to improper locking. It could lead to a NULL pointer dereference while handling the SNDCTL_DSP_SYNC ioctl. A privileged local user (root or member of the audio group) could use this flaw to crash the system, resulting in a denial of service condition

Severity ?

4.7 (Medium)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-667 - >CWE-362->CWE-476

Assigner

redhat

References

URL

Tags

	https://git.kernel.org/pub/scm/linux/kernel/git/t…
	https://lore.kernel.org/all/CAFcO6XN7JDM4xSXGhtus…
	https://www.debian.org/security/2022/dsa-5257	vendor-advisory
	https://lists.debian.org/debian-lts-announce/2022…	mailing-list

Impacted products

	Vendor	Product	Version
	n/a	Linux kernel	Affected: Fixed in kernel 6.0-rc5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T01:07:06.557Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8423f0b6d513b259fdab9c9bf4aaa6188d054c2d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lore.kernel.org/all/CAFcO6XN7JDM4xSXGhtusQfS2mSBcx50VJKwQpCq=WeLt57aaZA%40mail.gmail.com/"
          },
          {
            "name": "DSA-5257",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5257"
          },
          {
            "name": "[debian-lts-announce] 20221101 [SECURITY] [DLA 3173-1] linux-5.10 security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 4.7,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-3303",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-21T15:31:25.170645Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-21T15:31:49.941Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Linux kernel",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Fixed in kernel 6.0-rc5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A race condition flaw was found in the Linux kernel sound subsystem due to improper locking. It could lead to a NULL pointer dereference while handling the SNDCTL_DSP_SYNC ioctl. A privileged local user (root or member of the audio group) could use this flaw to crash the system, resulting in a denial of service condition"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-667",
              "description": "CWE-667-\u003eCWE-362-\u003eCWE-476",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-01T00:00:00.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8423f0b6d513b259fdab9c9bf4aaa6188d054c2d"
        },
        {
          "url": "https://lore.kernel.org/all/CAFcO6XN7JDM4xSXGhtusQfS2mSBcx50VJKwQpCq=WeLt57aaZA%40mail.gmail.com/"
        },
        {
          "name": "DSA-5257",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5257"
        },
        {
          "name": "[debian-lts-announce] 20221101 [SECURITY] [DLA 3173-1] linux-5.10 security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00001.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2022-3303",
    "datePublished": "2022-09-27T00:00:00.000Z",
    "dateReserved": "2022-09-26T00:00:00.000Z",
    "dateUpdated": "2025-05-21T15:31:49.941Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-50850 (GCVE-0-2022-50850)

Vulnerability from cvelistv5 – Published: 2025-12-30 12:15 – Updated: 2025-12-30 12:15

Title

scsi: ipr: Fix WARNING in ipr_init()

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: ipr: Fix WARNING in ipr_init() ipr_init() will not call unregister_reboot_notifier() when pci_register_driver() fails, which causes a WARNING. Call unregister_reboot_notifier() when pci_register_driver() fails. notifier callback ipr_halt [ipr] already registered WARNING: CPU: 3 PID: 299 at kernel/notifier.c:29 notifier_chain_register+0x16d/0x230 Modules linked in: ipr(+) xhci_pci_renesas xhci_hcd ehci_hcd usbcore led_class gpu_sched drm_buddy video wmi drm_ttm_helper ttm drm_display_helper drm_kms_helper drm drm_panel_orientation_quirks agpgart cfbft CPU: 3 PID: 299 Comm: modprobe Tainted: G W 6.1.0-rc1-00190-g39508d23b672-dirty #332 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 RIP: 0010:notifier_chain_register+0x16d/0x230 Call Trace: <TASK> __blocking_notifier_chain_register+0x73/0xb0 ipr_init+0x30/0x1000 [ipr] do_one_initcall+0xdb/0x480 do_init_module+0x1cf/0x680 load_module+0x6a50/0x70a0 __do_sys_finit_module+0x12f/0x1c0 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/020b66023712b1cc4…
	https://git.kernel.org/stable/c/e965c4a60c1daa6e2…
	https://git.kernel.org/stable/c/5debd337f534b122f…
	https://git.kernel.org/stable/c/eccbec017c95b9b9e…
	https://git.kernel.org/stable/c/f4ba143b04a17559f…
	https://git.kernel.org/stable/c/e59da172059f05c59…
	https://git.kernel.org/stable/c/8c739021b2022fbc4…
	https://git.kernel.org/stable/c/4399a8632e5f8f1f6…
	https://git.kernel.org/stable/c/e6f108bffc3708ddc…

Impacted products

Vendor

Product

Version

Linux

Affected: f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa , < 020b66023712b1cc42c6ab8b76e4ec13efe4a092 (git)
Affected: f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa , < e965c4a60c1daa6e24355e35d78ca8e9f195196f (git)
Affected: f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa , < 5debd337f534b122f7c5eac6557a41b5636c9b51 (git)
Affected: f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa , < eccbec017c95b9b9ecd4c05c6f5234d1487c72cc (git)
Affected: f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa , < f4ba143b04a17559f2c85e18b47db117f40d8cf3 (git)
Affected: f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa , < e59da172059f05c594fda03a9e8a3a0e1f5116c0 (git)
Affected: f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa , < 8c739021b2022fbc40f71d3fa2e9162beef0c84a (git)
Affected: f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa , < 4399a8632e5f8f1f695d91d992c7d418fb451f07 (git)
Affected: f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa , < e6f108bffc3708ddcff72324f7d40dfcd0204894 (git)

Linux

Affected: 2.6.34
Unaffected: 0 , < 2.6.34 (semver)
Unaffected: 4.9.337 , ≤ 4.9.* (semver)
Unaffected: 4.14.303 , ≤ 4.14.* (semver)
Unaffected: 4.19.270 , ≤ 4.19.* (semver)
Unaffected: 5.4.229 , ≤ 5.4.* (semver)
Unaffected: 5.10.163 , ≤ 5.10.* (semver)
Unaffected: 5.15.86 , ≤ 5.15.* (semver)
Unaffected: 6.0.16 , ≤ 6.0.* (semver)
Unaffected: 6.1.2 , ≤ 6.1.* (semver)
Unaffected: 6.2 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/ipr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "020b66023712b1cc42c6ab8b76e4ec13efe4a092",
              "status": "affected",
              "version": "f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa",
              "versionType": "git"
            },
            {
              "lessThan": "e965c4a60c1daa6e24355e35d78ca8e9f195196f",
              "status": "affected",
              "version": "f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa",
              "versionType": "git"
            },
            {
              "lessThan": "5debd337f534b122f7c5eac6557a41b5636c9b51",
              "status": "affected",
              "version": "f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa",
              "versionType": "git"
            },
            {
              "lessThan": "eccbec017c95b9b9ecd4c05c6f5234d1487c72cc",
              "status": "affected",
              "version": "f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa",
              "versionType": "git"
            },
            {
              "lessThan": "f4ba143b04a17559f2c85e18b47db117f40d8cf3",
              "status": "affected",
              "version": "f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa",
              "versionType": "git"
            },
            {
              "lessThan": "e59da172059f05c594fda03a9e8a3a0e1f5116c0",
              "status": "affected",
              "version": "f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa",
              "versionType": "git"
            },
            {
              "lessThan": "8c739021b2022fbc40f71d3fa2e9162beef0c84a",
              "status": "affected",
              "version": "f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa",
              "versionType": "git"
            },
            {
              "lessThan": "4399a8632e5f8f1f695d91d992c7d418fb451f07",
              "status": "affected",
              "version": "f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa",
              "versionType": "git"
            },
            {
              "lessThan": "e6f108bffc3708ddcff72324f7d40dfcd0204894",
              "status": "affected",
              "version": "f72919ec2bbbe1c42cdda7857a96c0c40e1d78aa",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/ipr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.34"
            },
            {
              "lessThan": "2.6.34",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.337",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.303",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.270",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.229",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.163",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.337",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.303",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.270",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.229",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.163",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.86",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.16",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.2",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "versionStartIncluding": "2.6.34",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ipr: Fix WARNING in ipr_init()\n\nipr_init() will not call unregister_reboot_notifier() when\npci_register_driver() fails, which causes a WARNING. Call\nunregister_reboot_notifier() when pci_register_driver() fails.\n\nnotifier callback ipr_halt [ipr] already registered\nWARNING: CPU: 3 PID: 299 at kernel/notifier.c:29\nnotifier_chain_register+0x16d/0x230\nModules linked in: ipr(+) xhci_pci_renesas xhci_hcd ehci_hcd usbcore\nled_class gpu_sched drm_buddy video wmi drm_ttm_helper ttm\ndrm_display_helper drm_kms_helper drm drm_panel_orientation_quirks\nagpgart cfbft\nCPU: 3 PID: 299 Comm: modprobe Tainted: G        W\n6.1.0-rc1-00190-g39508d23b672-dirty #332\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nrel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014\nRIP: 0010:notifier_chain_register+0x16d/0x230\nCall Trace:\n \u003cTASK\u003e\n __blocking_notifier_chain_register+0x73/0xb0\n ipr_init+0x30/0x1000 [ipr]\n do_one_initcall+0xdb/0x480\n do_init_module+0x1cf/0x680\n load_module+0x6a50/0x70a0\n __do_sys_finit_module+0x12f/0x1c0\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T12:15:27.089Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/020b66023712b1cc42c6ab8b76e4ec13efe4a092"
        },
        {
          "url": "https://git.kernel.org/stable/c/e965c4a60c1daa6e24355e35d78ca8e9f195196f"
        },
        {
          "url": "https://git.kernel.org/stable/c/5debd337f534b122f7c5eac6557a41b5636c9b51"
        },
        {
          "url": "https://git.kernel.org/stable/c/eccbec017c95b9b9ecd4c05c6f5234d1487c72cc"
        },
        {
          "url": "https://git.kernel.org/stable/c/f4ba143b04a17559f2c85e18b47db117f40d8cf3"
        },
        {
          "url": "https://git.kernel.org/stable/c/e59da172059f05c594fda03a9e8a3a0e1f5116c0"
        },
        {
          "url": "https://git.kernel.org/stable/c/8c739021b2022fbc40f71d3fa2e9162beef0c84a"
        },
        {
          "url": "https://git.kernel.org/stable/c/4399a8632e5f8f1f695d91d992c7d418fb451f07"
        },
        {
          "url": "https://git.kernel.org/stable/c/e6f108bffc3708ddcff72324f7d40dfcd0204894"
        }
      ],
      "title": "scsi: ipr: Fix WARNING in ipr_init()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50850",
    "datePublished": "2025-12-30T12:15:27.089Z",
    "dateReserved": "2025-12-30T12:06:07.134Z",
    "dateUpdated": "2025-12-30T12:15:27.089Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68303 (GCVE-0-2025-68303)

Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06

Title

platform/x86: intel: punit_ipc: fix memory corruption

Summary

In the Linux kernel, the following vulnerability has been resolved: platform/x86: intel: punit_ipc: fix memory corruption This passes the address of the pointer "&punit_ipcdev" when the intent was to pass the pointer itself "punit_ipcdev" (without the ampersand). This means that the: complete(&ipcdev->cmd_complete); in intel_punit_ioc() will write to a wrong memory address corrupting it.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/15d560cdf5b36c51f…
	https://git.kernel.org/stable/c/46e9d6f54184573da…
	https://git.kernel.org/stable/c/3e7442c5802146fd4…
	https://git.kernel.org/stable/c/a21615a4ac6fecbb5…
	https://git.kernel.org/stable/c/c2ee6d38996775a19…
	https://git.kernel.org/stable/c/9b9c0adbc3f8a524d…

Impacted products

Vendor

Product

Version

Linux

Affected: fdca4f16f57da76a8e68047923588a87d1c01f0a , < 15d560cdf5b36c51fffec07ac2a983ab3bff4cb2 (git)
Affected: fdca4f16f57da76a8e68047923588a87d1c01f0a , < 46e9d6f54184573dae1dcbcf6685a572ba6f4480 (git)
Affected: fdca4f16f57da76a8e68047923588a87d1c01f0a , < 3e7442c5802146fd418ba3f68dcb9ca92b5cec83 (git)
Affected: fdca4f16f57da76a8e68047923588a87d1c01f0a , < a21615a4ac6fecbb586d59fe2206b63501021789 (git)
Affected: fdca4f16f57da76a8e68047923588a87d1c01f0a , < c2ee6d38996775a19bfdf20cb01a9b8698cb0baa (git)
Affected: fdca4f16f57da76a8e68047923588a87d1c01f0a , < 9b9c0adbc3f8a524d291baccc9d0c04097fb4869 (git)

Linux

Affected: 4.5
Unaffected: 0 , < 4.5 (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.119 , ≤ 6.6.* (semver)
Unaffected: 6.12.61 , ≤ 6.12.* (semver)
Unaffected: 6.17.11 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/platform/x86/intel/punit_ipc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "15d560cdf5b36c51fffec07ac2a983ab3bff4cb2",
              "status": "affected",
              "version": "fdca4f16f57da76a8e68047923588a87d1c01f0a",
              "versionType": "git"
            },
            {
              "lessThan": "46e9d6f54184573dae1dcbcf6685a572ba6f4480",
              "status": "affected",
              "version": "fdca4f16f57da76a8e68047923588a87d1c01f0a",
              "versionType": "git"
            },
            {
              "lessThan": "3e7442c5802146fd418ba3f68dcb9ca92b5cec83",
              "status": "affected",
              "version": "fdca4f16f57da76a8e68047923588a87d1c01f0a",
              "versionType": "git"
            },
            {
              "lessThan": "a21615a4ac6fecbb586d59fe2206b63501021789",
              "status": "affected",
              "version": "fdca4f16f57da76a8e68047923588a87d1c01f0a",
              "versionType": "git"
            },
            {
              "lessThan": "c2ee6d38996775a19bfdf20cb01a9b8698cb0baa",
              "status": "affected",
              "version": "fdca4f16f57da76a8e68047923588a87d1c01f0a",
              "versionType": "git"
            },
            {
              "lessThan": "9b9c0adbc3f8a524d291baccc9d0c04097fb4869",
              "status": "affected",
              "version": "fdca4f16f57da76a8e68047923588a87d1c01f0a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/platform/x86/intel/punit_ipc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.5"
            },
            {
              "lessThan": "4.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.119",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.119",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.61",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.11",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: intel: punit_ipc: fix memory corruption\n\nThis passes the address of the pointer \"\u0026punit_ipcdev\" when the intent\nwas to pass the pointer itself \"punit_ipcdev\" (without the ampersand).\nThis means that the:\n\n\tcomplete(\u0026ipcdev-\u003ecmd_complete);\n\nin intel_punit_ioc() will write to a wrong memory address corrupting it."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T15:06:21.208Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/15d560cdf5b36c51fffec07ac2a983ab3bff4cb2"
        },
        {
          "url": "https://git.kernel.org/stable/c/46e9d6f54184573dae1dcbcf6685a572ba6f4480"
        },
        {
          "url": "https://git.kernel.org/stable/c/3e7442c5802146fd418ba3f68dcb9ca92b5cec83"
        },
        {
          "url": "https://git.kernel.org/stable/c/a21615a4ac6fecbb586d59fe2206b63501021789"
        },
        {
          "url": "https://git.kernel.org/stable/c/c2ee6d38996775a19bfdf20cb01a9b8698cb0baa"
        },
        {
          "url": "https://git.kernel.org/stable/c/9b9c0adbc3f8a524d291baccc9d0c04097fb4869"
        }
      ],
      "title": "platform/x86: intel: punit_ipc: fix memory corruption",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68303",
    "datePublished": "2025-12-16T15:06:21.208Z",
    "dateReserved": "2025-12-16T14:48:05.294Z",
    "dateUpdated": "2025-12-16T15:06:21.208Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68233 (GCVE-0-2025-68233)

Vulnerability from cvelistv5 – Published: 2025-12-16 14:04 – Updated: 2025-12-16 14:04

Title

drm/tegra: Add call to put_pid()

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/tegra: Add call to put_pid() Add a call to put_pid() corresponding to get_task_pid(). host1x_memory_context_alloc() does not take ownership of the PID so we need to free it here to avoid leaking. [mperttunen@nvidia.com: reword commit message]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/6b572e5154af08ee1…
	https://git.kernel.org/stable/c/2e78580e6e7deac65…
	https://git.kernel.org/stable/c/cbf2cbdb0733d7974…
	https://git.kernel.org/stable/c/27ea5c2c75c3419a9…
	https://git.kernel.org/stable/c/6cbab9f0da72b4dc3…

Impacted products

Vendor

Product

Version

Linux

Affected: e09db97889ec647ad373f7a7422c83099c6120c5 , < 6b572e5154af08ee13f8d2673e86f83bc5ff86cd (git)
Affected: e09db97889ec647ad373f7a7422c83099c6120c5 , < 2e78580e6e7deac6556236ef96db5bbf7b46857e (git)
Affected: e09db97889ec647ad373f7a7422c83099c6120c5 , < cbf2cbdb0733d7974dab296ffba0e7ae9b6524e5 (git)
Affected: e09db97889ec647ad373f7a7422c83099c6120c5 , < 27ea5c2c75c3419a9a019240ca44b9256f628df1 (git)
Affected: e09db97889ec647ad373f7a7422c83099c6120c5 , < 6cbab9f0da72b4dc3c3f9161197aa3b9daa1fa3a (git)

Linux

Affected: 6.0
Unaffected: 0 , < 6.0 (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.118 , ≤ 6.6.* (semver)
Unaffected: 6.12.60 , ≤ 6.12.* (semver)
Unaffected: 6.17.10 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/tegra/uapi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6b572e5154af08ee13f8d2673e86f83bc5ff86cd",
              "status": "affected",
              "version": "e09db97889ec647ad373f7a7422c83099c6120c5",
              "versionType": "git"
            },
            {
              "lessThan": "2e78580e6e7deac6556236ef96db5bbf7b46857e",
              "status": "affected",
              "version": "e09db97889ec647ad373f7a7422c83099c6120c5",
              "versionType": "git"
            },
            {
              "lessThan": "cbf2cbdb0733d7974dab296ffba0e7ae9b6524e5",
              "status": "affected",
              "version": "e09db97889ec647ad373f7a7422c83099c6120c5",
              "versionType": "git"
            },
            {
              "lessThan": "27ea5c2c75c3419a9a019240ca44b9256f628df1",
              "status": "affected",
              "version": "e09db97889ec647ad373f7a7422c83099c6120c5",
              "versionType": "git"
            },
            {
              "lessThan": "6cbab9f0da72b4dc3c3f9161197aa3b9daa1fa3a",
              "status": "affected",
              "version": "e09db97889ec647ad373f7a7422c83099c6120c5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/tegra/uapi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.118",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.60",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.118",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.60",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.10",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/tegra: Add call to put_pid()\n\nAdd a call to put_pid() corresponding to get_task_pid().\nhost1x_memory_context_alloc() does not take ownership of the PID so we\nneed to free it here to avoid leaking.\n\n[mperttunen@nvidia.com: reword commit message]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T14:04:13.490Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6b572e5154af08ee13f8d2673e86f83bc5ff86cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e78580e6e7deac6556236ef96db5bbf7b46857e"
        },
        {
          "url": "https://git.kernel.org/stable/c/cbf2cbdb0733d7974dab296ffba0e7ae9b6524e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/27ea5c2c75c3419a9a019240ca44b9256f628df1"
        },
        {
          "url": "https://git.kernel.org/stable/c/6cbab9f0da72b4dc3c3f9161197aa3b9daa1fa3a"
        }
      ],
      "title": "drm/tegra: Add call to put_pid()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68233",
    "datePublished": "2025-12-16T14:04:13.490Z",
    "dateReserved": "2025-12-16T13:41:40.258Z",
    "dateUpdated": "2025-12-16T14:04:13.490Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40338 (GCVE-0-2025-40338)

Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2026-01-02 15:33

Title

ASoC: Intel: avs: Do not share the name pointer between components

Summary

In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: avs: Do not share the name pointer between components By sharing 'name' directly, tearing down components may lead to use-after-free errors. Duplicate the name to avoid that. At the same time, update the order of operations - since commit cee28113db17 ("ASoC: dmaengine_pcm: Allow passing component name via config") the framework does not override component->name if set before invoking the initializer.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/128bf29c992988f8b…
	https://git.kernel.org/stable/c/4dee5c1cc439b0d5e…

Impacted products

Vendor

Product

Version

Linux

Affected: f1b3b320bd6519b16e3480f74f2926d106e3bcba , < 128bf29c992988f8b4f3829227339908fde5ec86 (git)
Affected: f1b3b320bd6519b16e3480f74f2926d106e3bcba , < 4dee5c1cc439b0d5ef87f741518268ad6a95b23d (git)

Linux

Affected: 5.19
Unaffected: 0 , < 5.19 (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/intel/avs/pcm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "128bf29c992988f8b4f3829227339908fde5ec86",
              "status": "affected",
              "version": "f1b3b320bd6519b16e3480f74f2926d106e3bcba",
              "versionType": "git"
            },
            {
              "lessThan": "4dee5c1cc439b0d5ef87f741518268ad6a95b23d",
              "status": "affected",
              "version": "f1b3b320bd6519b16e3480f74f2926d106e3bcba",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/intel/avs/pcm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: avs: Do not share the name pointer between components\n\nBy sharing \u0027name\u0027 directly, tearing down components may lead to\nuse-after-free errors. Duplicate the name to avoid that.\n\nAt the same time, update the order of operations - since commit\ncee28113db17 (\"ASoC: dmaengine_pcm: Allow passing component name via\nconfig\") the framework does not override component-\u003ename if set before\ninvoking the initializer."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:33:40.508Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/128bf29c992988f8b4f3829227339908fde5ec86"
        },
        {
          "url": "https://git.kernel.org/stable/c/4dee5c1cc439b0d5ef87f741518268ad6a95b23d"
        }
      ],
      "title": "ASoC: Intel: avs: Do not share the name pointer between components",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40338",
    "datePublished": "2025-12-09T04:09:54.753Z",
    "dateReserved": "2025-04-16T07:20:57.186Z",
    "dateUpdated": "2026-01-02T15:33:40.508Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38704 (GCVE-0-2025-38704)

Vulnerability from cvelistv5 – Published: 2025-09-04 15:32 – Updated: 2026-01-02 15:31

Title

rcu/nocb: Fix possible invalid rdp's->nocb_cb_kthread pointer access

Summary

In the Linux kernel, the following vulnerability has been resolved: rcu/nocb: Fix possible invalid rdp's->nocb_cb_kthread pointer access In the preparation stage of CPU online, if the corresponding the rdp's->nocb_cb_kthread does not exist, will be created, there is a situation where the rdp's rcuop kthreads creation fails, and then de-offload this CPU's rdp, does not assign this CPU's rdp->nocb_cb_kthread pointer, but this rdp's->nocb_gp_rdp and rdp's->rdp_gp->nocb_gp_kthread is still valid. This will cause the subsequent re-offload operation of this offline CPU, which will pass the conditional check and the kthread_unpark() will access invalid rdp's->nocb_cb_kthread pointer. This commit therefore use rdp's->nocb_gp_kthread instead of rdp_gp's->nocb_gp_kthread for safety check.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/cce3d027227c69e85…
	https://git.kernel.org/stable/c/1c951683a720b17c9…
	https://git.kernel.org/stable/c/9b5ec8e6b31755288…
	https://git.kernel.org/stable/c/1bba3900ca18bdae2…

Impacted products

Vendor

Product

Version

Linux

Affected: 3a5761dc025da47960755ac64d9fbf1c32e8cd80 , < cce3d027227c69e85896af9fbc6fa9af5c68f067 (git)
Affected: 3a5761dc025da47960755ac64d9fbf1c32e8cd80 , < 1c951683a720b17c9ecaad1932bc95b29044611f (git)
Affected: 3a5761dc025da47960755ac64d9fbf1c32e8cd80 , < 9b5ec8e6b31755288a07b3abeeab8cd38e9d3c9d (git)
Affected: 3a5761dc025da47960755ac64d9fbf1c32e8cd80 , < 1bba3900ca18bdae28d1b9fa10f16a8f8cb2ada1 (git)

Linux

Affected: 6.0
Unaffected: 0 , < 6.0 (semver)
Unaffected: 6.12.43 , ≤ 6.12.* (semver)
Unaffected: 6.15.11 , ≤ 6.15.* (semver)
Unaffected: 6.16.2 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/rcu/tree_nocb.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cce3d027227c69e85896af9fbc6fa9af5c68f067",
              "status": "affected",
              "version": "3a5761dc025da47960755ac64d9fbf1c32e8cd80",
              "versionType": "git"
            },
            {
              "lessThan": "1c951683a720b17c9ecaad1932bc95b29044611f",
              "status": "affected",
              "version": "3a5761dc025da47960755ac64d9fbf1c32e8cd80",
              "versionType": "git"
            },
            {
              "lessThan": "9b5ec8e6b31755288a07b3abeeab8cd38e9d3c9d",
              "status": "affected",
              "version": "3a5761dc025da47960755ac64d9fbf1c32e8cd80",
              "versionType": "git"
            },
            {
              "lessThan": "1bba3900ca18bdae28d1b9fa10f16a8f8cb2ada1",
              "status": "affected",
              "version": "3a5761dc025da47960755ac64d9fbf1c32e8cd80",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/rcu/tree_nocb.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.43",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.43",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.11",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.2",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu/nocb: Fix possible invalid rdp\u0027s-\u003enocb_cb_kthread pointer access\n\nIn the preparation stage of CPU online, if the corresponding\nthe rdp\u0027s-\u003enocb_cb_kthread does not exist, will be created,\nthere is a situation where the rdp\u0027s rcuop kthreads creation fails,\nand then de-offload this CPU\u0027s rdp, does not assign this CPU\u0027s\nrdp-\u003enocb_cb_kthread pointer, but this rdp\u0027s-\u003enocb_gp_rdp and\nrdp\u0027s-\u003erdp_gp-\u003enocb_gp_kthread is still valid.\n\nThis will cause the subsequent re-offload operation of this offline\nCPU, which will pass the conditional check and the kthread_unpark()\nwill access invalid rdp\u0027s-\u003enocb_cb_kthread pointer.\n\nThis commit therefore use rdp\u0027s-\u003enocb_gp_kthread instead of\nrdp_gp\u0027s-\u003enocb_gp_kthread for safety check."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:31:26.138Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cce3d027227c69e85896af9fbc6fa9af5c68f067"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c951683a720b17c9ecaad1932bc95b29044611f"
        },
        {
          "url": "https://git.kernel.org/stable/c/9b5ec8e6b31755288a07b3abeeab8cd38e9d3c9d"
        },
        {
          "url": "https://git.kernel.org/stable/c/1bba3900ca18bdae28d1b9fa10f16a8f8cb2ada1"
        }
      ],
      "title": "rcu/nocb: Fix possible invalid rdp\u0027s-\u003enocb_cb_kthread pointer access",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38704",
    "datePublished": "2025-09-04T15:32:55.718Z",
    "dateReserved": "2025-04-16T04:51:24.032Z",
    "dateUpdated": "2026-01-02T15:31:26.138Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40248 (GCVE-0-2025-40248)

Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-06 21:38

Title

vsock: Ignore signal/timeout on connect() if already established

Summary

In the Linux kernel, the following vulnerability has been resolved: vsock: Ignore signal/timeout on connect() if already established During connect(), acting on a signal/timeout by disconnecting an already established socket leads to several issues: 1. connect() invoking vsock_transport_cancel_pkt() -> virtio_transport_purge_skbs() may race with sendmsg() invoking virtio_transport_get_credit(). This results in a permanently elevated `vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling. 2. connect() resetting a connected socket's state may race with socket being placed in a sockmap. A disconnected socket remaining in a sockmap breaks sockmap's assumptions. And gives rise to WARNs. 3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a transport change/drop after TCP_ESTABLISHED. Which poses a problem for any simultaneous sendmsg() or connect() and may result in a use-after-free/null-ptr-deref. Do not disconnect socket on signal/timeout. Keep the logic for unconnected sockets: they don't linger, can't be placed in a sockmap, are rejected by sendmsg(). [1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/ [2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/ [3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/3f71753935d648082…
	https://git.kernel.org/stable/c/da664101fb4a0de5c…
	https://git.kernel.org/stable/c/67432915145848658…
	https://git.kernel.org/stable/c/eeca93f06df89be5a…
	https://git.kernel.org/stable/c/5998da5a8208ae9ad…
	https://git.kernel.org/stable/c/f1c170cae285e4b8f…
	https://git.kernel.org/stable/c/ab6b19f690d89ae47…
	https://git.kernel.org/stable/c/002541ef650b742a1…

Impacted products

Vendor

Product

Version

Linux

Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < 3f71753935d648082a8279a97d30efe6b85be680 (git)
Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < da664101fb4a0de5cb70d2bae6a650df954df2af (git)
Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < 67432915145848658149683101104e32f9fd6559 (git)
Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < eeca93f06df89be5a36305b7b9dae1ed65550dfc (git)
Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < 5998da5a8208ae9ad7838ba322bccb2bdcd95e81 (git)
Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < f1c170cae285e4b8f61be043bb17addc3d0a14b5 (git)
Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < ab6b19f690d89ae4709fba73a3c4a7911f495b7a (git)
Affected: d021c344051af91f42c5ba9fdedc176740cbd238 , < 002541ef650b742a198e4be363881439bb9d86b4 (git)

Linux

Affected: 3.9
Unaffected: 0 , < 3.9 (semver)
Unaffected: 5.4.302 , ≤ 5.4.* (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.118 , ≤ 6.6.* (semver)
Unaffected: 6.12.60 , ≤ 6.12.* (semver)
Unaffected: 6.17.10 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/vmw_vsock/af_vsock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3f71753935d648082a8279a97d30efe6b85be680",
              "status": "affected",
              "version": "d021c344051af91f42c5ba9fdedc176740cbd238",
              "versionType": "git"
            },
            {
              "lessThan": "da664101fb4a0de5cb70d2bae6a650df954df2af",
              "status": "affected",
              "version": "d021c344051af91f42c5ba9fdedc176740cbd238",
              "versionType": "git"
            },
            {
              "lessThan": "67432915145848658149683101104e32f9fd6559",
              "status": "affected",
              "version": "d021c344051af91f42c5ba9fdedc176740cbd238",
              "versionType": "git"
            },
            {
              "lessThan": "eeca93f06df89be5a36305b7b9dae1ed65550dfc",
              "status": "affected",
              "version": "d021c344051af91f42c5ba9fdedc176740cbd238",
              "versionType": "git"
            },
            {
              "lessThan": "5998da5a8208ae9ad7838ba322bccb2bdcd95e81",
              "status": "affected",
              "version": "d021c344051af91f42c5ba9fdedc176740cbd238",
              "versionType": "git"
            },
            {
              "lessThan": "f1c170cae285e4b8f61be043bb17addc3d0a14b5",
              "status": "affected",
              "version": "d021c344051af91f42c5ba9fdedc176740cbd238",
              "versionType": "git"
            },
            {
              "lessThan": "ab6b19f690d89ae4709fba73a3c4a7911f495b7a",
              "status": "affected",
              "version": "d021c344051af91f42c5ba9fdedc176740cbd238",
              "versionType": "git"
            },
            {
              "lessThan": "002541ef650b742a198e4be363881439bb9d86b4",
              "status": "affected",
              "version": "d021c344051af91f42c5ba9fdedc176740cbd238",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/vmw_vsock/af_vsock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.9"
            },
            {
              "lessThan": "3.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.302",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.118",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.60",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.302",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.118",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.60",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.10",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: Ignore signal/timeout on connect() if already established\n\nDuring connect(), acting on a signal/timeout by disconnecting an already\nestablished socket leads to several issues:\n\n1. connect() invoking vsock_transport_cancel_pkt() -\u003e\n   virtio_transport_purge_skbs() may race with sendmsg() invoking\n   virtio_transport_get_credit(). This results in a permanently elevated\n   `vvs-\u003ebytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling.\n\n2. connect() resetting a connected socket\u0027s state may race with socket\n   being placed in a sockmap. A disconnected socket remaining in a sockmap\n   breaks sockmap\u0027s assumptions. And gives rise to WARNs.\n\n3. connect() transitioning SS_CONNECTED -\u003e SS_UNCONNECTED allows for a\n   transport change/drop after TCP_ESTABLISHED. Which poses a problem for\n   any simultaneous sendmsg() or connect() and may result in a\n   use-after-free/null-ptr-deref.\n\nDo not disconnect socket on signal/timeout. Keep the logic for unconnected\nsockets: they don\u0027t linger, can\u0027t be placed in a sockmap, are rejected by\nsendmsg().\n\n[1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/\n[2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/\n[3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-06T21:38:46.423Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3f71753935d648082a8279a97d30efe6b85be680"
        },
        {
          "url": "https://git.kernel.org/stable/c/da664101fb4a0de5cb70d2bae6a650df954df2af"
        },
        {
          "url": "https://git.kernel.org/stable/c/67432915145848658149683101104e32f9fd6559"
        },
        {
          "url": "https://git.kernel.org/stable/c/eeca93f06df89be5a36305b7b9dae1ed65550dfc"
        },
        {
          "url": "https://git.kernel.org/stable/c/5998da5a8208ae9ad7838ba322bccb2bdcd95e81"
        },
        {
          "url": "https://git.kernel.org/stable/c/f1c170cae285e4b8f61be043bb17addc3d0a14b5"
        },
        {
          "url": "https://git.kernel.org/stable/c/ab6b19f690d89ae4709fba73a3c4a7911f495b7a"
        },
        {
          "url": "https://git.kernel.org/stable/c/002541ef650b742a198e4be363881439bb9d86b4"
        }
      ],
      "title": "vsock: Ignore signal/timeout on connect() if already established",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40248",
    "datePublished": "2025-12-04T16:08:11.509Z",
    "dateReserved": "2025-04-16T07:20:57.181Z",
    "dateUpdated": "2025-12-06T21:38:46.423Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68258 (GCVE-0-2025-68258)

Vulnerability from cvelistv5 – Published: 2025-12-16 14:45 – Updated: 2026-01-19 12:18

Title

comedi: multiq3: sanitize config options in multiq3_attach()

Summary

In the Linux kernel, the following vulnerability has been resolved: comedi: multiq3: sanitize config options in multiq3_attach() Syzbot identified an issue [1] in multiq3_attach() that induces a task timeout due to open() or COMEDI_DEVCONFIG ioctl operations, specifically, in the case of multiq3 driver. This problem arose when syzkaller managed to craft weird configuration options used to specify the number of channels in encoder subdevice. If a particularly great number is passed to s->n_chan in multiq3_attach() via it->options[2], then multiple calls to multiq3_encoder_reset() at the end of driver-specific attach() method will be running for minutes, thus blocking tasks and affected devices as well. While this issue is most likely not too dangerous for real-life devices, it still makes sense to sanitize configuration inputs. Enable a sensible limit on the number of encoder chips (4 chips max, each with 2 channels) to stop this behaviour from manifesting. [1] Syzbot crash: INFO: task syz.2.19:6067 blocked for more than 143 seconds. ... Call Trace: <TASK> context_switch kernel/sched/core.c:5254 [inline] __schedule+0x17c4/0x4d60 kernel/sched/core.c:6862 __schedule_loop kernel/sched/core.c:6944 [inline] schedule+0x165/0x360 kernel/sched/core.c:6959 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7016 __mutex_lock_common kernel/locking/mutex.c:676 [inline] __mutex_lock+0x7e6/0x1350 kernel/locking/mutex.c:760 comedi_open+0xc0/0x590 drivers/comedi/comedi_fops.c:2868 chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414 do_dentry_open+0x953/0x13f0 fs/open.c:965 vfs_open+0x3b/0x340 fs/open.c:1097 ...

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f9ff87aac7b37d462…
	https://git.kernel.org/stable/c/4cde9a7e025cc09b8…
	https://git.kernel.org/stable/c/ad7ed3c9c7b8408e8…
	https://git.kernel.org/stable/c/049f1455745035175…
	https://git.kernel.org/stable/c/8952bc1973cd54158…
	https://git.kernel.org/stable/c/8dc2f02d3bada9247…
	https://git.kernel.org/stable/c/543f4c380c2e1f35e…
	https://git.kernel.org/stable/c/f24c6e3a39fa355da…

Impacted products

Vendor

Product

Version

Linux

Affected: 77e01cdbad5175f56027fd6fae00bd0fc175651a , < f9ff87aac7b37d462246c46d28912d382a8e2ea6 (git)
Affected: 77e01cdbad5175f56027fd6fae00bd0fc175651a , < 4cde9a7e025cc09b88097c70606f6b30c22880f4 (git)
Affected: 77e01cdbad5175f56027fd6fae00bd0fc175651a , < ad7ed3c9c7b8408e8612697bc43a5441fe386c71 (git)
Affected: 77e01cdbad5175f56027fd6fae00bd0fc175651a , < 049f14557450351750f929ebfff36d849511e132 (git)
Affected: 77e01cdbad5175f56027fd6fae00bd0fc175651a , < 8952bc1973cd54158c35e06bfb8c29ace7375a48 (git)
Affected: 77e01cdbad5175f56027fd6fae00bd0fc175651a , < 8dc2f02d3bada9247f00bfd2e5f61f68c389a0a3 (git)
Affected: 77e01cdbad5175f56027fd6fae00bd0fc175651a , < 543f4c380c2e1f35e60528df7cb54705cda7fee3 (git)
Affected: 77e01cdbad5175f56027fd6fae00bd0fc175651a , < f24c6e3a39fa355dabfb684c9ca82db579534e72 (git)

Linux

Affected: 2.6.30
Unaffected: 0 , < 2.6.30 (semver)
Unaffected: 5.10.248 , ≤ 5.10.* (semver)
Unaffected: 5.15.198 , ≤ 5.15.* (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.62 , ≤ 6.12.* (semver)
Unaffected: 6.17.12 , ≤ 6.17.* (semver)
Unaffected: 6.18.1 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/comedi/drivers/multiq3.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f9ff87aac7b37d462246c46d28912d382a8e2ea6",
              "status": "affected",
              "version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
              "versionType": "git"
            },
            {
              "lessThan": "4cde9a7e025cc09b88097c70606f6b30c22880f4",
              "status": "affected",
              "version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
              "versionType": "git"
            },
            {
              "lessThan": "ad7ed3c9c7b8408e8612697bc43a5441fe386c71",
              "status": "affected",
              "version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
              "versionType": "git"
            },
            {
              "lessThan": "049f14557450351750f929ebfff36d849511e132",
              "status": "affected",
              "version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
              "versionType": "git"
            },
            {
              "lessThan": "8952bc1973cd54158c35e06bfb8c29ace7375a48",
              "status": "affected",
              "version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
              "versionType": "git"
            },
            {
              "lessThan": "8dc2f02d3bada9247f00bfd2e5f61f68c389a0a3",
              "status": "affected",
              "version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
              "versionType": "git"
            },
            {
              "lessThan": "543f4c380c2e1f35e60528df7cb54705cda7fee3",
              "status": "affected",
              "version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
              "versionType": "git"
            },
            {
              "lessThan": "f24c6e3a39fa355dabfb684c9ca82db579534e72",
              "status": "affected",
              "version": "77e01cdbad5175f56027fd6fae00bd0fc175651a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/comedi/drivers/multiq3.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.30"
            },
            {
              "lessThan": "2.6.30",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.248",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.62",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.248",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.198",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.62",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.12",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.1",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: multiq3: sanitize config options in multiq3_attach()\n\nSyzbot identified an issue [1] in multiq3_attach() that induces a\ntask timeout due to open() or COMEDI_DEVCONFIG ioctl operations,\nspecifically, in the case of multiq3 driver.\n\nThis problem arose when syzkaller managed to craft weird configuration\noptions used to specify the number of channels in encoder subdevice.\nIf a particularly great number is passed to s-\u003en_chan in\nmultiq3_attach() via it-\u003eoptions[2], then multiple calls to\nmultiq3_encoder_reset() at the end of driver-specific attach() method\nwill be running for minutes, thus blocking tasks and affected devices\nas well.\n\nWhile this issue is most likely not too dangerous for real-life\ndevices, it still makes sense to sanitize configuration inputs. Enable\na sensible limit on the number of encoder chips (4 chips max, each\nwith 2 channels) to stop this behaviour from manifesting.\n\n[1] Syzbot crash:\nINFO: task syz.2.19:6067 blocked for more than 143 seconds.\n...\nCall Trace:\n \u003cTASK\u003e\n context_switch kernel/sched/core.c:5254 [inline]\n __schedule+0x17c4/0x4d60 kernel/sched/core.c:6862\n __schedule_loop kernel/sched/core.c:6944 [inline]\n schedule+0x165/0x360 kernel/sched/core.c:6959\n schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7016\n __mutex_lock_common kernel/locking/mutex.c:676 [inline]\n __mutex_lock+0x7e6/0x1350 kernel/locking/mutex.c:760\n comedi_open+0xc0/0x590 drivers/comedi/comedi_fops.c:2868\n chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414\n do_dentry_open+0x953/0x13f0 fs/open.c:965\n vfs_open+0x3b/0x340 fs/open.c:1097\n..."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-19T12:18:11.655Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f9ff87aac7b37d462246c46d28912d382a8e2ea6"
        },
        {
          "url": "https://git.kernel.org/stable/c/4cde9a7e025cc09b88097c70606f6b30c22880f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/ad7ed3c9c7b8408e8612697bc43a5441fe386c71"
        },
        {
          "url": "https://git.kernel.org/stable/c/049f14557450351750f929ebfff36d849511e132"
        },
        {
          "url": "https://git.kernel.org/stable/c/8952bc1973cd54158c35e06bfb8c29ace7375a48"
        },
        {
          "url": "https://git.kernel.org/stable/c/8dc2f02d3bada9247f00bfd2e5f61f68c389a0a3"
        },
        {
          "url": "https://git.kernel.org/stable/c/543f4c380c2e1f35e60528df7cb54705cda7fee3"
        },
        {
          "url": "https://git.kernel.org/stable/c/f24c6e3a39fa355dabfb684c9ca82db579534e72"
        }
      ],
      "title": "comedi: multiq3: sanitize config options in multiq3_attach()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68258",
    "datePublished": "2025-12-16T14:45:00.920Z",
    "dateReserved": "2025-12-16T13:41:40.267Z",
    "dateUpdated": "2026-01-19T12:18:11.655Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68237 (GCVE-0-2025-68237)

Vulnerability from cvelistv5 – Published: 2025-12-16 14:08 – Updated: 2025-12-16 14:08

Title

mtdchar: fix integer overflow in read/write ioctls

Summary

In the Linux kernel, the following vulnerability has been resolved: mtdchar: fix integer overflow in read/write ioctls The "req.start" and "req.len" variables are u64 values that come from the user at the start of the function. We mask away the high 32 bits of "req.len" so that's capped at U32_MAX but the "req.start" variable can go up to U64_MAX which means that the addition can still integer overflow. Use check_add_overflow() to fix this bug.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f37efdd97fd1ec3e0…
	https://git.kernel.org/stable/c/457376c6fbf0c6932…
	https://git.kernel.org/stable/c/eb9361484814fb12f…
	https://git.kernel.org/stable/c/37944f4f8199cd153…
	https://git.kernel.org/stable/c/e4185bed738da755b…

Impacted products

Vendor

Product

Version

Linux

Affected: 6420ac0af95dbcb2fd8452e2d551ab50e1bbad83 , < f37efdd97fd1ec3e0d0f1eec279c8279e28f981e (git)
Affected: 6420ac0af95dbcb2fd8452e2d551ab50e1bbad83 , < 457376c6fbf0c69326a9bf1f72416225f681192b (git)
Affected: 6420ac0af95dbcb2fd8452e2d551ab50e1bbad83 , < eb9361484814fb12f3b7544b33835ea67d7a6a97 (git)
Affected: 6420ac0af95dbcb2fd8452e2d551ab50e1bbad83 , < 37944f4f8199cd153fef74e95ca268020162f212 (git)
Affected: 6420ac0af95dbcb2fd8452e2d551ab50e1bbad83 , < e4185bed738da755b191aa3f2e16e8b48450e1b8 (git)

Linux

Affected: 5.17
Unaffected: 0 , < 5.17 (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.118 , ≤ 6.6.* (semver)
Unaffected: 6.12.60 , ≤ 6.12.* (semver)
Unaffected: 6.17.10 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/mtd/mtdchar.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f37efdd97fd1ec3e0d0f1eec279c8279e28f981e",
              "status": "affected",
              "version": "6420ac0af95dbcb2fd8452e2d551ab50e1bbad83",
              "versionType": "git"
            },
            {
              "lessThan": "457376c6fbf0c69326a9bf1f72416225f681192b",
              "status": "affected",
              "version": "6420ac0af95dbcb2fd8452e2d551ab50e1bbad83",
              "versionType": "git"
            },
            {
              "lessThan": "eb9361484814fb12f3b7544b33835ea67d7a6a97",
              "status": "affected",
              "version": "6420ac0af95dbcb2fd8452e2d551ab50e1bbad83",
              "versionType": "git"
            },
            {
              "lessThan": "37944f4f8199cd153fef74e95ca268020162f212",
              "status": "affected",
              "version": "6420ac0af95dbcb2fd8452e2d551ab50e1bbad83",
              "versionType": "git"
            },
            {
              "lessThan": "e4185bed738da755b191aa3f2e16e8b48450e1b8",
              "status": "affected",
              "version": "6420ac0af95dbcb2fd8452e2d551ab50e1bbad83",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/mtd/mtdchar.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.17"
            },
            {
              "lessThan": "5.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.118",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.60",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.118",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.60",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.10",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtdchar: fix integer overflow in read/write ioctls\n\nThe \"req.start\" and \"req.len\" variables are u64 values that come from the\nuser at the start of the function.  We mask away the high 32 bits of\n\"req.len\" so that\u0027s capped at U32_MAX but the \"req.start\" variable can go\nup to U64_MAX which means that the addition can still integer overflow.\n\nUse check_add_overflow() to fix this bug."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T14:08:30.940Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f37efdd97fd1ec3e0d0f1eec279c8279e28f981e"
        },
        {
          "url": "https://git.kernel.org/stable/c/457376c6fbf0c69326a9bf1f72416225f681192b"
        },
        {
          "url": "https://git.kernel.org/stable/c/eb9361484814fb12f3b7544b33835ea67d7a6a97"
        },
        {
          "url": "https://git.kernel.org/stable/c/37944f4f8199cd153fef74e95ca268020162f212"
        },
        {
          "url": "https://git.kernel.org/stable/c/e4185bed738da755b191aa3f2e16e8b48450e1b8"
        }
      ],
      "title": "mtdchar: fix integer overflow in read/write ioctls",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68237",
    "datePublished": "2025-12-16T14:08:30.940Z",
    "dateReserved": "2025-12-16T13:41:40.258Z",
    "dateUpdated": "2025-12-16T14:08:30.940Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50744 (GCVE-0-2022-50744)

Vulnerability from cvelistv5 – Published: 2025-12-24 13:05 – Updated: 2026-01-02 15:04

Title

scsi: lpfc: Fix hard lockup when reading the rx_monitor from debugfs

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix hard lockup when reading the rx_monitor from debugfs During I/O and simultaneous cat of /sys/kernel/debug/lpfc/fnX/rx_monitor, a hard lockup similar to the call trace below may occur. The spin_lock_bh in lpfc_rx_monitor_report is not protecting from timer interrupts as expected, so change the strength of the spin lock to _irq. Kernel panic - not syncing: Hard LOCKUP CPU: 3 PID: 110402 Comm: cat Kdump: loaded exception RIP: native_queued_spin_lock_slowpath+91 [IRQ stack] native_queued_spin_lock_slowpath at ffffffffb814e30b _raw_spin_lock at ffffffffb89a667a lpfc_rx_monitor_record at ffffffffc0a73a36 [lpfc] lpfc_cmf_timer at ffffffffc0abbc67 [lpfc] __hrtimer_run_queues at ffffffffb8184250 hrtimer_interrupt at ffffffffb8184ab0 smp_apic_timer_interrupt at ffffffffb8a026ba apic_timer_interrupt at ffffffffb8a01c4f [End of IRQ stack] apic_timer_interrupt at ffffffffb8a01c4f lpfc_rx_monitor_report at ffffffffc0a73c80 [lpfc] lpfc_rx_monitor_read at ffffffffc0addde1 [lpfc] full_proxy_read at ffffffffb83e7fc3 vfs_read at ffffffffb833fe71 ksys_read at ffffffffb83402af do_syscall_64 at ffffffffb800430b entry_SYSCALL_64_after_hwframe at ffffffffb8a000ad

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/2cf66428a2545bb33…
	https://git.kernel.org/stable/c/cd542900ee5147028…
	https://git.kernel.org/stable/c/39761417ea7b65421…
	https://git.kernel.org/stable/c/c44e50f4a0ec00c22…

Impacted products

Vendor

Product

Version

Linux

Affected: 21d65b35169112af9b6f873c8eeab972e60107c2 , < 2cf66428a2545bb33beb9624124a2377468bb478 (git)
Affected: 2c9b5b8326b953f2f48338a7c889e6af457d146f , < cd542900ee5147028bbe603b238efcab8d720838 (git)
Affected: bd269188ea94e40ab002cad7b0df8f12b8f0de54 , < 39761417ea7b654217d6d9085afbf7c87ba3675d (git)
Affected: bd269188ea94e40ab002cad7b0df8f12b8f0de54 , < c44e50f4a0ec00c2298f31f91bc2c3e9bbd81c7e (git)
Affected: 147d397e08a406f5997f8a1c7f747fe546bf8395 (git)

Linux

Affected: 6.1
Unaffected: 0 , < 6.1 (semver)
Unaffected: 5.15.86 , ≤ 5.15.* (semver)
Unaffected: 6.0.16 , ≤ 6.0.* (semver)
Unaffected: 6.1.2 , ≤ 6.1.* (semver)
Unaffected: 6.2 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/lpfc/lpfc_sli.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2cf66428a2545bb33beb9624124a2377468bb478",
              "status": "affected",
              "version": "21d65b35169112af9b6f873c8eeab972e60107c2",
              "versionType": "git"
            },
            {
              "lessThan": "cd542900ee5147028bbe603b238efcab8d720838",
              "status": "affected",
              "version": "2c9b5b8326b953f2f48338a7c889e6af457d146f",
              "versionType": "git"
            },
            {
              "lessThan": "39761417ea7b654217d6d9085afbf7c87ba3675d",
              "status": "affected",
              "version": "bd269188ea94e40ab002cad7b0df8f12b8f0de54",
              "versionType": "git"
            },
            {
              "lessThan": "c44e50f4a0ec00c2298f31f91bc2c3e9bbd81c7e",
              "status": "affected",
              "version": "bd269188ea94e40ab002cad7b0df8f12b8f0de54",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "147d397e08a406f5997f8a1c7f747fe546bf8395",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/lpfc/lpfc_sli.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.1"
            },
            {
              "lessThan": "6.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.86",
                  "versionStartIncluding": "5.15.78",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.16",
                  "versionStartIncluding": "6.0.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.2",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.19.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix hard lockup when reading the rx_monitor from debugfs\n\nDuring I/O and simultaneous cat of /sys/kernel/debug/lpfc/fnX/rx_monitor, a\nhard lockup similar to the call trace below may occur.\n\nThe spin_lock_bh in lpfc_rx_monitor_report is not protecting from timer\ninterrupts as expected, so change the strength of the spin lock to _irq.\n\nKernel panic - not syncing: Hard LOCKUP\nCPU: 3 PID: 110402 Comm: cat Kdump: loaded\n\nexception RIP: native_queued_spin_lock_slowpath+91\n\n[IRQ stack]\n native_queued_spin_lock_slowpath at ffffffffb814e30b\n _raw_spin_lock at ffffffffb89a667a\n lpfc_rx_monitor_record at ffffffffc0a73a36 [lpfc]\n lpfc_cmf_timer at ffffffffc0abbc67 [lpfc]\n __hrtimer_run_queues at ffffffffb8184250\n hrtimer_interrupt at ffffffffb8184ab0\n smp_apic_timer_interrupt at ffffffffb8a026ba\n apic_timer_interrupt at ffffffffb8a01c4f\n[End of IRQ stack]\n\n apic_timer_interrupt at ffffffffb8a01c4f\n lpfc_rx_monitor_report at ffffffffc0a73c80 [lpfc]\n lpfc_rx_monitor_read at ffffffffc0addde1 [lpfc]\n full_proxy_read at ffffffffb83e7fc3\n vfs_read at ffffffffb833fe71\n ksys_read at ffffffffb83402af\n do_syscall_64 at ffffffffb800430b\n entry_SYSCALL_64_after_hwframe at ffffffffb8a000ad"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:04:22.034Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2cf66428a2545bb33beb9624124a2377468bb478"
        },
        {
          "url": "https://git.kernel.org/stable/c/cd542900ee5147028bbe603b238efcab8d720838"
        },
        {
          "url": "https://git.kernel.org/stable/c/39761417ea7b654217d6d9085afbf7c87ba3675d"
        },
        {
          "url": "https://git.kernel.org/stable/c/c44e50f4a0ec00c2298f31f91bc2c3e9bbd81c7e"
        }
      ],
      "title": "scsi: lpfc: Fix hard lockup when reading the rx_monitor from debugfs",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50744",
    "datePublished": "2025-12-24T13:05:41.138Z",
    "dateReserved": "2025-12-24T13:02:21.543Z",
    "dateUpdated": "2026-01-02T15:04:22.034Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50733 (GCVE-0-2022-50733)

Vulnerability from cvelistv5 – Published: 2025-12-24 12:22 – Updated: 2026-01-02 15:04

Title

usb: idmouse: fix an uninit-value in idmouse_open

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: idmouse: fix an uninit-value in idmouse_open In idmouse_create_image, if any ftip_command fails, it will go to the reset label. However, this leads to the data in bulk_in_buffer[HEADER..IMGSIZE] uninitialized. And the check for valid image incurs an uninitialized dereference. Fix this by moving the check before reset label since this check only be valid if the data after bulk_in_buffer[HEADER] has concrete data. Note that this is found by KMSAN, so only kernel compilation is tested.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b3304a6df957cc89a…
	https://git.kernel.org/stable/c/7dad42032f6871825…
	https://git.kernel.org/stable/c/f589b667567fde4f8…
	https://git.kernel.org/stable/c/1eae30c0113dde752…
	https://git.kernel.org/stable/c/b8bbae3236ab7dccc…
	https://git.kernel.org/stable/c/20b8c456df584ebb2…
	https://git.kernel.org/stable/c/6163a5ae097bc78fa…
	https://git.kernel.org/stable/c/adad163d1cff248a5…
	https://git.kernel.org/stable/c/bce2b0539933e485d…

Impacted products

Vendor

Product

Version

Linux

Affected: 4244f72436ab77c3c29a6447af81734ab3925d85 , < b3304a6df957cc89a0590cb505388d659bf3db4c (git)
Affected: 4244f72436ab77c3c29a6447af81734ab3925d85 , < 7dad42032f68718259590b0cc7654e9a95ff9762 (git)
Affected: 4244f72436ab77c3c29a6447af81734ab3925d85 , < f589b667567fde4f81d6e6c40f42b9f2224690ea (git)
Affected: 4244f72436ab77c3c29a6447af81734ab3925d85 , < 1eae30c0113dde7522088231584d62415011a035 (git)
Affected: 4244f72436ab77c3c29a6447af81734ab3925d85 , < b8bbae3236ab7dccc66c42bc3f7cdbcfc0786e54 (git)
Affected: 4244f72436ab77c3c29a6447af81734ab3925d85 , < 20b8c456df584ebb2387dc23d40ebe4ff334417c (git)
Affected: 4244f72436ab77c3c29a6447af81734ab3925d85 , < 6163a5ae097bc78fa26c243fb384537e25610fd7 (git)
Affected: 4244f72436ab77c3c29a6447af81734ab3925d85 , < adad163d1cff248a5df9f7cec50158e6ca89f33b (git)
Affected: 4244f72436ab77c3c29a6447af81734ab3925d85 , < bce2b0539933e485d22d6f6f076c0fcd6f185c4c (git)

Linux

Affected: 2.6.13
Unaffected: 0 , < 2.6.13 (semver)
Unaffected: 4.9.331 , ≤ 4.9.* (semver)
Unaffected: 4.14.296 , ≤ 4.14.* (semver)
Unaffected: 4.19.262 , ≤ 4.19.* (semver)
Unaffected: 5.4.220 , ≤ 5.4.* (semver)
Unaffected: 5.10.150 , ≤ 5.10.* (semver)
Unaffected: 5.15.75 , ≤ 5.15.* (semver)
Unaffected: 5.19.17 , ≤ 5.19.* (semver)
Unaffected: 6.0.3 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/misc/idmouse.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b3304a6df957cc89a0590cb505388d659bf3db4c",
              "status": "affected",
              "version": "4244f72436ab77c3c29a6447af81734ab3925d85",
              "versionType": "git"
            },
            {
              "lessThan": "7dad42032f68718259590b0cc7654e9a95ff9762",
              "status": "affected",
              "version": "4244f72436ab77c3c29a6447af81734ab3925d85",
              "versionType": "git"
            },
            {
              "lessThan": "f589b667567fde4f81d6e6c40f42b9f2224690ea",
              "status": "affected",
              "version": "4244f72436ab77c3c29a6447af81734ab3925d85",
              "versionType": "git"
            },
            {
              "lessThan": "1eae30c0113dde7522088231584d62415011a035",
              "status": "affected",
              "version": "4244f72436ab77c3c29a6447af81734ab3925d85",
              "versionType": "git"
            },
            {
              "lessThan": "b8bbae3236ab7dccc66c42bc3f7cdbcfc0786e54",
              "status": "affected",
              "version": "4244f72436ab77c3c29a6447af81734ab3925d85",
              "versionType": "git"
            },
            {
              "lessThan": "20b8c456df584ebb2387dc23d40ebe4ff334417c",
              "status": "affected",
              "version": "4244f72436ab77c3c29a6447af81734ab3925d85",
              "versionType": "git"
            },
            {
              "lessThan": "6163a5ae097bc78fa26c243fb384537e25610fd7",
              "status": "affected",
              "version": "4244f72436ab77c3c29a6447af81734ab3925d85",
              "versionType": "git"
            },
            {
              "lessThan": "adad163d1cff248a5df9f7cec50158e6ca89f33b",
              "status": "affected",
              "version": "4244f72436ab77c3c29a6447af81734ab3925d85",
              "versionType": "git"
            },
            {
              "lessThan": "bce2b0539933e485d22d6f6f076c0fcd6f185c4c",
              "status": "affected",
              "version": "4244f72436ab77c3c29a6447af81734ab3925d85",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/misc/idmouse.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.13"
            },
            {
              "lessThan": "2.6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.331",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.262",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.220",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.331",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.296",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.262",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.220",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.150",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.75",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "2.6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: idmouse: fix an uninit-value in idmouse_open\n\nIn idmouse_create_image, if any ftip_command fails, it will\ngo to the reset label. However, this leads to the data in\nbulk_in_buffer[HEADER..IMGSIZE] uninitialized. And the check\nfor valid image incurs an uninitialized dereference.\n\nFix this by moving the check before reset label since this\ncheck only be valid if the data after bulk_in_buffer[HEADER]\nhas concrete data.\n\nNote that this is found by KMSAN, so only kernel compilation\nis tested."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:04:09.740Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b3304a6df957cc89a0590cb505388d659bf3db4c"
        },
        {
          "url": "https://git.kernel.org/stable/c/7dad42032f68718259590b0cc7654e9a95ff9762"
        },
        {
          "url": "https://git.kernel.org/stable/c/f589b667567fde4f81d6e6c40f42b9f2224690ea"
        },
        {
          "url": "https://git.kernel.org/stable/c/1eae30c0113dde7522088231584d62415011a035"
        },
        {
          "url": "https://git.kernel.org/stable/c/b8bbae3236ab7dccc66c42bc3f7cdbcfc0786e54"
        },
        {
          "url": "https://git.kernel.org/stable/c/20b8c456df584ebb2387dc23d40ebe4ff334417c"
        },
        {
          "url": "https://git.kernel.org/stable/c/6163a5ae097bc78fa26c243fb384537e25610fd7"
        },
        {
          "url": "https://git.kernel.org/stable/c/adad163d1cff248a5df9f7cec50158e6ca89f33b"
        },
        {
          "url": "https://git.kernel.org/stable/c/bce2b0539933e485d22d6f6f076c0fcd6f185c4c"
        }
      ],
      "title": "usb: idmouse: fix an uninit-value in idmouse_open",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50733",
    "datePublished": "2025-12-24T12:22:52.651Z",
    "dateReserved": "2025-12-24T12:20:40.331Z",
    "dateUpdated": "2026-01-02T15:04:09.740Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40258 (GCVE-0-2025-40258)

Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-06 21:38

Title

mptcp: fix race condition in mptcp_schedule_work()

Summary

In the Linux kernel, the following vulnerability has been resolved: mptcp: fix race condition in mptcp_schedule_work() syzbot reported use-after-free in mptcp_schedule_work() [1] Issue here is that mptcp_schedule_work() schedules a work, then gets a refcount on sk->sk_refcnt if the work was scheduled. This refcount will be released by mptcp_worker(). [A] if (schedule_work(...)) { [B] sock_hold(sk); return true; } Problem is that mptcp_worker() can run immediately and complete before [B] We need instead : sock_hold(sk); if (schedule_work(...)) return true; sock_put(sk); [1] refcount_t: addition on 0; use-after-free. WARNING: CPU: 1 PID: 29 at lib/refcount.c:25 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:25 Call Trace: <TASK> __refcount_add include/linux/refcount.h:-1 [inline] __refcount_inc include/linux/refcount.h:366 [inline] refcount_inc include/linux/refcount.h:383 [inline] sock_hold include/net/sock.h:816 [inline] mptcp_schedule_work+0x164/0x1a0 net/mptcp/protocol.c:943 mptcp_tout_timer+0x21/0xa0 net/mptcp/protocol.c:2316 call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747 expire_timers kernel/time/timer.c:1798 [inline] __run_timers kernel/time/timer.c:2372 [inline] __run_timer_base+0x648/0x970 kernel/time/timer.c:2384 run_timer_base kernel/time/timer.c:2393 [inline] run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403 handle_softirqs+0x22f/0x710 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] run_ktimerd+0xcf/0x190 kernel/softirq.c:1138 smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f865e6595acf33083…
	https://git.kernel.org/stable/c/99908e2d601236842…
	https://git.kernel.org/stable/c/db4f7968a75250ca6…
	https://git.kernel.org/stable/c/8f9ba1a99a89feef9…
	https://git.kernel.org/stable/c/ac28dfddedf6f2091…
	https://git.kernel.org/stable/c/3fc7723ed01d1130d…
	https://git.kernel.org/stable/c/035bca3f017ee9dea…

Impacted products

Vendor

Product

Version

Linux

Affected: 3b1d6210a9577369103330b0d802b0bf74b65e7f , < f865e6595acf33083168db76921e66ace8bf0e5b (git)
Affected: 3b1d6210a9577369103330b0d802b0bf74b65e7f , < 99908e2d601236842d705d5fd04fb349577316f5 (git)
Affected: 3b1d6210a9577369103330b0d802b0bf74b65e7f , < db4f7968a75250ca6c4ed70d0a78beabb2dcee18 (git)
Affected: 3b1d6210a9577369103330b0d802b0bf74b65e7f , < 8f9ba1a99a89feef9b5867c15a0141a97e893309 (git)
Affected: 3b1d6210a9577369103330b0d802b0bf74b65e7f , < ac28dfddedf6f209190950fc71bcff65ec4ab47b (git)
Affected: 3b1d6210a9577369103330b0d802b0bf74b65e7f , < 3fc7723ed01d1130d4bf7063c50e0af60ecccbb4 (git)
Affected: 3b1d6210a9577369103330b0d802b0bf74b65e7f , < 035bca3f017ee9dea3a5a756e77a6f7138cc6eea (git)

Linux

Affected: 5.7
Unaffected: 0 , < 5.7 (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.118 , ≤ 6.6.* (semver)
Unaffected: 6.12.60 , ≤ 6.12.* (semver)
Unaffected: 6.17.10 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/protocol.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f865e6595acf33083168db76921e66ace8bf0e5b",
              "status": "affected",
              "version": "3b1d6210a9577369103330b0d802b0bf74b65e7f",
              "versionType": "git"
            },
            {
              "lessThan": "99908e2d601236842d705d5fd04fb349577316f5",
              "status": "affected",
              "version": "3b1d6210a9577369103330b0d802b0bf74b65e7f",
              "versionType": "git"
            },
            {
              "lessThan": "db4f7968a75250ca6c4ed70d0a78beabb2dcee18",
              "status": "affected",
              "version": "3b1d6210a9577369103330b0d802b0bf74b65e7f",
              "versionType": "git"
            },
            {
              "lessThan": "8f9ba1a99a89feef9b5867c15a0141a97e893309",
              "status": "affected",
              "version": "3b1d6210a9577369103330b0d802b0bf74b65e7f",
              "versionType": "git"
            },
            {
              "lessThan": "ac28dfddedf6f209190950fc71bcff65ec4ab47b",
              "status": "affected",
              "version": "3b1d6210a9577369103330b0d802b0bf74b65e7f",
              "versionType": "git"
            },
            {
              "lessThan": "3fc7723ed01d1130d4bf7063c50e0af60ecccbb4",
              "status": "affected",
              "version": "3b1d6210a9577369103330b0d802b0bf74b65e7f",
              "versionType": "git"
            },
            {
              "lessThan": "035bca3f017ee9dea3a5a756e77a6f7138cc6eea",
              "status": "affected",
              "version": "3b1d6210a9577369103330b0d802b0bf74b65e7f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/protocol.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.118",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.60",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.118",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.60",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.10",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix race condition in mptcp_schedule_work()\n\nsyzbot reported use-after-free in mptcp_schedule_work() [1]\n\nIssue here is that mptcp_schedule_work() schedules a work,\nthen gets a refcount on sk-\u003esk_refcnt if the work was scheduled.\nThis refcount will be released by mptcp_worker().\n\n[A] if (schedule_work(...)) {\n[B]     sock_hold(sk);\n        return true;\n    }\n\nProblem is that mptcp_worker() can run immediately and complete before [B]\n\nWe need instead :\n\n    sock_hold(sk);\n    if (schedule_work(...))\n        return true;\n    sock_put(sk);\n\n[1]\nrefcount_t: addition on 0; use-after-free.\n WARNING: CPU: 1 PID: 29 at lib/refcount.c:25 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:25\nCall Trace:\n \u003cTASK\u003e\n __refcount_add include/linux/refcount.h:-1 [inline]\n  __refcount_inc include/linux/refcount.h:366 [inline]\n  refcount_inc include/linux/refcount.h:383 [inline]\n  sock_hold include/net/sock.h:816 [inline]\n  mptcp_schedule_work+0x164/0x1a0 net/mptcp/protocol.c:943\n  mptcp_tout_timer+0x21/0xa0 net/mptcp/protocol.c:2316\n  call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747\n  expire_timers kernel/time/timer.c:1798 [inline]\n  __run_timers kernel/time/timer.c:2372 [inline]\n  __run_timer_base+0x648/0x970 kernel/time/timer.c:2384\n  run_timer_base kernel/time/timer.c:2393 [inline]\n  run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403\n  handle_softirqs+0x22f/0x710 kernel/softirq.c:622\n  __do_softirq kernel/softirq.c:656 [inline]\n  run_ktimerd+0xcf/0x190 kernel/softirq.c:1138\n  smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160\n  kthread+0x711/0x8a0 kernel/kthread.c:463\n  ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158\n  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-06T21:38:56.328Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f865e6595acf33083168db76921e66ace8bf0e5b"
        },
        {
          "url": "https://git.kernel.org/stable/c/99908e2d601236842d705d5fd04fb349577316f5"
        },
        {
          "url": "https://git.kernel.org/stable/c/db4f7968a75250ca6c4ed70d0a78beabb2dcee18"
        },
        {
          "url": "https://git.kernel.org/stable/c/8f9ba1a99a89feef9b5867c15a0141a97e893309"
        },
        {
          "url": "https://git.kernel.org/stable/c/ac28dfddedf6f209190950fc71bcff65ec4ab47b"
        },
        {
          "url": "https://git.kernel.org/stable/c/3fc7723ed01d1130d4bf7063c50e0af60ecccbb4"
        },
        {
          "url": "https://git.kernel.org/stable/c/035bca3f017ee9dea3a5a756e77a6f7138cc6eea"
        }
      ],
      "title": "mptcp: fix race condition in mptcp_schedule_work()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40258",
    "datePublished": "2025-12-04T16:08:19.176Z",
    "dateReserved": "2025-04-16T07:20:57.182Z",
    "dateUpdated": "2025-12-06T21:38:56.328Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40297 (GCVE-0-2025-40297)

Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46

Title

net: bridge: fix use-after-free due to MST port state bypass

Summary

In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix use-after-free due to MST port state bypass syzbot reported[1] a use-after-free when deleting an expired fdb. It is due to a race condition between learning still happening and a port being deleted, after all its fdbs have been flushed. The port's state has been toggled to disabled so no learning should happen at that time, but if we have MST enabled, it will bypass the port's state, that together with VLAN filtering disabled can lead to fdb learning at a time when it shouldn't happen while the port is being deleted. VLAN filtering must be disabled because we flush the port VLANs when it's being deleted which will stop learning. This fix adds a check for the port's vlan group which is initialized to NULL when the port is getting deleted, that avoids the port state bypass. When MST is enabled there would be a minimal new overhead in the fast-path because the port's vlan group pointer is cache-hot. [1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e19085b2a86addccf…
	https://git.kernel.org/stable/c/3b60ce334c1ce8b3f…
	https://git.kernel.org/stable/c/bf3843183bc3158e5…
	https://git.kernel.org/stable/c/991fbe1680cd41a5f…
	https://git.kernel.org/stable/c/8dca36978aa80bab9…

Impacted products

Vendor

Product

Version

Linux

Affected: ec7328b59176227216c461601c6bd0e922232a9b , < e19085b2a86addccff33ab8536fc67ebd9d52198 (git)
Affected: ec7328b59176227216c461601c6bd0e922232a9b , < 3b60ce334c1ce8b3fad7e02dcd5ed9f6646477c8 (git)
Affected: ec7328b59176227216c461601c6bd0e922232a9b , < bf3843183bc3158e5821b46f330c438ae9bd6ddb (git)
Affected: ec7328b59176227216c461601c6bd0e922232a9b , < 991fbe1680cd41a5f97c92cd3a3496315df36e4b (git)
Affected: ec7328b59176227216c461601c6bd0e922232a9b , < 8dca36978aa80bab9d4da130c211db75c9e00048 (git)

Linux

Affected: 5.18
Unaffected: 0 , < 5.18 (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bridge/br_forward.c",
            "net/bridge/br_input.c",
            "net/bridge/br_private.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e19085b2a86addccff33ab8536fc67ebd9d52198",
              "status": "affected",
              "version": "ec7328b59176227216c461601c6bd0e922232a9b",
              "versionType": "git"
            },
            {
              "lessThan": "3b60ce334c1ce8b3fad7e02dcd5ed9f6646477c8",
              "status": "affected",
              "version": "ec7328b59176227216c461601c6bd0e922232a9b",
              "versionType": "git"
            },
            {
              "lessThan": "bf3843183bc3158e5821b46f330c438ae9bd6ddb",
              "status": "affected",
              "version": "ec7328b59176227216c461601c6bd0e922232a9b",
              "versionType": "git"
            },
            {
              "lessThan": "991fbe1680cd41a5f97c92cd3a3496315df36e4b",
              "status": "affected",
              "version": "ec7328b59176227216c461601c6bd0e922232a9b",
              "versionType": "git"
            },
            {
              "lessThan": "8dca36978aa80bab9d4da130c211db75c9e00048",
              "status": "affected",
              "version": "ec7328b59176227216c461601c6bd0e922232a9b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bridge/br_forward.c",
            "net/bridge/br_input.c",
            "net/bridge/br_private.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: fix use-after-free due to MST port state bypass\n\nsyzbot reported[1] a use-after-free when deleting an expired fdb. It is\ndue to a race condition between learning still happening and a port being\ndeleted, after all its fdbs have been flushed. The port\u0027s state has been\ntoggled to disabled so no learning should happen at that time, but if we\nhave MST enabled, it will bypass the port\u0027s state, that together with VLAN\nfiltering disabled can lead to fdb learning at a time when it shouldn\u0027t\nhappen while the port is being deleted. VLAN filtering must be disabled\nbecause we flush the port VLANs when it\u0027s being deleted which will stop\nlearning. This fix adds a check for the port\u0027s vlan group which is\ninitialized to NULL when the port is getting deleted, that avoids the port\nstate bypass. When MST is enabled there would be a minimal new overhead\nin the fast-path because the port\u0027s vlan group pointer is cache-hot.\n\n[1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-08T00:46:21.112Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e19085b2a86addccff33ab8536fc67ebd9d52198"
        },
        {
          "url": "https://git.kernel.org/stable/c/3b60ce334c1ce8b3fad7e02dcd5ed9f6646477c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/bf3843183bc3158e5821b46f330c438ae9bd6ddb"
        },
        {
          "url": "https://git.kernel.org/stable/c/991fbe1680cd41a5f97c92cd3a3496315df36e4b"
        },
        {
          "url": "https://git.kernel.org/stable/c/8dca36978aa80bab9d4da130c211db75c9e00048"
        }
      ],
      "title": "net: bridge: fix use-after-free due to MST port state bypass",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40297",
    "datePublished": "2025-12-08T00:46:21.112Z",
    "dateReserved": "2025-04-16T07:20:57.185Z",
    "dateUpdated": "2025-12-08T00:46:21.112Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68378 (GCVE-0-2025-68378)

Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2025-12-24 10:33

Title

bpf: Fix stackmap overflow check in __bpf_get_stackid()

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix stackmap overflow check in __bpf_get_stackid() Syzkaller reported a KASAN slab-out-of-bounds write in __bpf_get_stackid() when copying stack trace data. The issue occurs when the perf trace contains more stack entries than the stack map bucket can hold, leading to an out-of-bounds write in the bucket's data array.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d1f424a77b6bd27b3…
	https://git.kernel.org/stable/c/2a008f6de163279de…
	https://git.kernel.org/stable/c/4669a8db976c8cbd5…
	https://git.kernel.org/stable/c/23f852daa4bab4d57…

Impacted products

Vendor

Product

Version

Linux

Affected: ee2a098851bfbe8bcdd964c0121f4246f00ff41e , < d1f424a77b6bd27b361737ed73df49a0158f1590 (git)
Affected: ee2a098851bfbe8bcdd964c0121f4246f00ff41e , < 2a008f6de163279deffd488c1deab081bce5667c (git)
Affected: ee2a098851bfbe8bcdd964c0121f4246f00ff41e , < 4669a8db976c8cbd5427fe9945f12c5fa5168ff3 (git)
Affected: ee2a098851bfbe8bcdd964c0121f4246f00ff41e , < 23f852daa4bab4d579110e034e4d513f7d490846 (git)
Affected: 90805175a206f784b6a77f16f07b07f6803e286b (git)
Affected: 398ac11f4425d1e52aaf0d05d4fc90524e1a5b5e (git)
Affected: e750f78c4ed7cefbcefb9769b3b9e08033db39da (git)
Affected: 6c4f243b58f5362e983386488b2d563764c567af (git)

Linux

Affected: 5.18
Unaffected: 0 , < 5.18 (semver)
Unaffected: 6.12.63 , ≤ 6.12.* (semver)
Unaffected: 6.17.13 , ≤ 6.17.* (semver)
Unaffected: 6.18.2 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/stackmap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d1f424a77b6bd27b361737ed73df49a0158f1590",
              "status": "affected",
              "version": "ee2a098851bfbe8bcdd964c0121f4246f00ff41e",
              "versionType": "git"
            },
            {
              "lessThan": "2a008f6de163279deffd488c1deab081bce5667c",
              "status": "affected",
              "version": "ee2a098851bfbe8bcdd964c0121f4246f00ff41e",
              "versionType": "git"
            },
            {
              "lessThan": "4669a8db976c8cbd5427fe9945f12c5fa5168ff3",
              "status": "affected",
              "version": "ee2a098851bfbe8bcdd964c0121f4246f00ff41e",
              "versionType": "git"
            },
            {
              "lessThan": "23f852daa4bab4d579110e034e4d513f7d490846",
              "status": "affected",
              "version": "ee2a098851bfbe8bcdd964c0121f4246f00ff41e",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "90805175a206f784b6a77f16f07b07f6803e286b",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "398ac11f4425d1e52aaf0d05d4fc90524e1a5b5e",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "e750f78c4ed7cefbcefb9769b3b9e08033db39da",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "6c4f243b58f5362e983386488b2d563764c567af",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/stackmap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.63",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.63",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.13",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.2",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.10.110",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.15.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.16.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.17.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix stackmap overflow check in __bpf_get_stackid()\n\nSyzkaller reported a KASAN slab-out-of-bounds write in __bpf_get_stackid()\nwhen copying stack trace data. The issue occurs when the perf trace\n contains more stack entries than the stack map bucket can hold,\n leading to an out-of-bounds write in the bucket\u0027s data array."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-24T10:33:06.859Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d1f424a77b6bd27b361737ed73df49a0158f1590"
        },
        {
          "url": "https://git.kernel.org/stable/c/2a008f6de163279deffd488c1deab081bce5667c"
        },
        {
          "url": "https://git.kernel.org/stable/c/4669a8db976c8cbd5427fe9945f12c5fa5168ff3"
        },
        {
          "url": "https://git.kernel.org/stable/c/23f852daa4bab4d579110e034e4d513f7d490846"
        }
      ],
      "title": "bpf: Fix stackmap overflow check in __bpf_get_stackid()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68378",
    "datePublished": "2025-12-24T10:33:06.859Z",
    "dateReserved": "2025-12-16T14:48:05.311Z",
    "dateUpdated": "2025-12-24T10:33:06.859Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68724 (GCVE-0-2025-68724)

Vulnerability from cvelistv5 – Published: 2025-12-24 10:33 – Updated: 2026-01-19 12:18

Title

crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id

Summary

In the Linux kernel, the following vulnerability has been resolved: crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id Use check_add_overflow() to guard against potential integer overflows when adding the binary blob lengths and the size of an asymmetric_key_id structure and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a possible buffer overflow when copying data from potentially malicious X.509 certificate fields that can be arbitrarily large, such as ASN.1 INTEGER serial numbers, issuer names, etc.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/60a7be5ee74408147…
	https://git.kernel.org/stable/c/c13c6e9de91d7f1dd…
	https://git.kernel.org/stable/c/dfc16139618287451…
	https://git.kernel.org/stable/c/5b8ac617c8dab5cad…
	https://git.kernel.org/stable/c/c73be4f51eed98fa0…
	https://git.kernel.org/stable/c/6af753ac5205115e6…
	https://git.kernel.org/stable/c/b7090a5c153105b9f…
	https://git.kernel.org/stable/c/df0845cf447ae1556…

Impacted products

Vendor

Product

Version

Linux

Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < 60a7be5ee74408147e439164ac067e418ca74bb4 (git)
Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < c13c6e9de91d7f1dd7df756b1fa5a1f968839d76 (git)
Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < dfc1613961828745165aec6552c3818fa14ab725 (git)
Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < 5b8ac617c8dab5cad3c4dc8d84d0987808a0f99c (git)
Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < c73be4f51eed98fa0c7c189db8f279e1c86bfbf7 (git)
Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < 6af753ac5205115e6c310c8c4236c01b59a1c44f (git)
Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < b7090a5c153105b9fd221a5a81459ee8cd5babd6 (git)
Affected: 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 , < df0845cf447ae1556c3440b8b155de0926cbaa56 (git)

Linux

Affected: 3.18
Unaffected: 0 , < 3.18 (semver)
Unaffected: 5.10.248 , ≤ 5.10.* (semver)
Unaffected: 5.15.198 , ≤ 5.15.* (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.63 , ≤ 6.12.* (semver)
Unaffected: 6.17.13 , ≤ 6.17.* (semver)
Unaffected: 6.18.2 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "crypto/asymmetric_keys/asymmetric_type.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "60a7be5ee74408147e439164ac067e418ca74bb4",
              "status": "affected",
              "version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
              "versionType": "git"
            },
            {
              "lessThan": "c13c6e9de91d7f1dd7df756b1fa5a1f968839d76",
              "status": "affected",
              "version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
              "versionType": "git"
            },
            {
              "lessThan": "dfc1613961828745165aec6552c3818fa14ab725",
              "status": "affected",
              "version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
              "versionType": "git"
            },
            {
              "lessThan": "5b8ac617c8dab5cad3c4dc8d84d0987808a0f99c",
              "status": "affected",
              "version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
              "versionType": "git"
            },
            {
              "lessThan": "c73be4f51eed98fa0c7c189db8f279e1c86bfbf7",
              "status": "affected",
              "version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
              "versionType": "git"
            },
            {
              "lessThan": "6af753ac5205115e6c310c8c4236c01b59a1c44f",
              "status": "affected",
              "version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
              "versionType": "git"
            },
            {
              "lessThan": "b7090a5c153105b9fd221a5a81459ee8cd5babd6",
              "status": "affected",
              "version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
              "versionType": "git"
            },
            {
              "lessThan": "df0845cf447ae1556c3440b8b155de0926cbaa56",
              "status": "affected",
              "version": "7901c1a8effbe5f89673bfc09d6e37b8f334f1a7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "crypto/asymmetric_keys/asymmetric_type.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.18"
            },
            {
              "lessThan": "3.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.248",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.63",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.248",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.198",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.63",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.13",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.2",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id\n\nUse check_add_overflow() to guard against potential integer overflows\nwhen adding the binary blob lengths and the size of an asymmetric_key_id\nstructure and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a\npossible buffer overflow when copying data from potentially malicious\nX.509 certificate fields that can be arbitrarily large, such as ASN.1\nINTEGER serial numbers, issuer names, etc."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-19T12:18:35.519Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/60a7be5ee74408147e439164ac067e418ca74bb4"
        },
        {
          "url": "https://git.kernel.org/stable/c/c13c6e9de91d7f1dd7df756b1fa5a1f968839d76"
        },
        {
          "url": "https://git.kernel.org/stable/c/dfc1613961828745165aec6552c3818fa14ab725"
        },
        {
          "url": "https://git.kernel.org/stable/c/5b8ac617c8dab5cad3c4dc8d84d0987808a0f99c"
        },
        {
          "url": "https://git.kernel.org/stable/c/c73be4f51eed98fa0c7c189db8f279e1c86bfbf7"
        },
        {
          "url": "https://git.kernel.org/stable/c/6af753ac5205115e6c310c8c4236c01b59a1c44f"
        },
        {
          "url": "https://git.kernel.org/stable/c/b7090a5c153105b9fd221a5a81459ee8cd5babd6"
        },
        {
          "url": "https://git.kernel.org/stable/c/df0845cf447ae1556c3440b8b155de0926cbaa56"
        }
      ],
      "title": "crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68724",
    "datePublished": "2025-12-24T10:33:08.932Z",
    "dateReserved": "2025-12-24T10:30:51.027Z",
    "dateUpdated": "2026-01-19T12:18:35.519Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68757 (GCVE-0-2025-68757)

Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-01-19 12:18

Title

drm/vgem-fence: Fix potential deadlock on release

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/vgem-fence: Fix potential deadlock on release A timer that expires a vgem fence automatically in 10 seconds is now released with timer_delete_sync() from fence->ops.release() called on last dma_fence_put(). In some scenarios, it can run in IRQ context, which is not safe unless TIMER_IRQSAFE is used. One potentially risky scenario was demonstrated in Intel DRM CI trybot, BAT run on machine bat-adlp-6, while working on new IGT subtests syncobj_timeline@stress-* as user space replacements of some problematic test cases of a dma-fence-chain selftest [1]. [117.004338] ================================ [117.004340] WARNING: inconsistent lock state [117.004342] 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 Tainted: G S U [117.004346] -------------------------------- [117.004347] inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage. [117.004349] swapper/0/0 [HC1[1]:SC1[1]:HE0:SE0] takes: [117.004352] ffff888138f86aa8 ((&fence->timer)){?.-.}-{0:0}, at: __timer_delete_sync+0x4b/0x190 [117.004361] {HARDIRQ-ON-W} state was registered at: [117.004363] lock_acquire+0xc4/0x2e0 [117.004366] call_timer_fn+0x80/0x2a0 [117.004368] __run_timers+0x231/0x310 [117.004370] run_timer_softirq+0x76/0xe0 [117.004372] handle_softirqs+0xd4/0x4d0 [117.004375] __irq_exit_rcu+0x13f/0x160 [117.004377] irq_exit_rcu+0xe/0x20 [117.004379] sysvec_apic_timer_interrupt+0xa0/0xc0 [117.004382] asm_sysvec_apic_timer_interrupt+0x1b/0x20 [117.004385] cpuidle_enter_state+0x12b/0x8a0 [117.004388] cpuidle_enter+0x2e/0x50 [117.004393] call_cpuidle+0x22/0x60 [117.004395] do_idle+0x1fd/0x260 [117.004398] cpu_startup_entry+0x29/0x30 [117.004401] start_secondary+0x12d/0x160 [117.004404] common_startup_64+0x13e/0x141 [117.004407] irq event stamp: 2282669 [117.004409] hardirqs last enabled at (2282668): [<ffffffff8289db71>] _raw_spin_unlock_irqrestore+0x51/0x80 [117.004414] hardirqs last disabled at (2282669): [<ffffffff82882021>] sysvec_irq_work+0x11/0xc0 [117.004419] softirqs last enabled at (2254702): [<ffffffff8289fd00>] __do_softirq+0x10/0x18 [117.004423] softirqs last disabled at (2254725): [<ffffffff813d4ddf>] __irq_exit_rcu+0x13f/0x160 [117.004426] other info that might help us debug this: [117.004429] Possible unsafe locking scenario: [117.004432] CPU0 [117.004433] ---- [117.004434] lock((&fence->timer)); [117.004436] <Interrupt> [117.004438] lock((&fence->timer)); [117.004440] *** DEADLOCK *** [117.004443] 1 lock held by swapper/0/0: [117.004445] #0: ffffc90000003d50 ((&fence->timer)){?.-.}-{0:0}, at: call_timer_fn+0x7a/0x2a0 [117.004450] stack backtrace: [117.004453] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G S U 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 PREEMPT(voluntary) [117.004455] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER [117.004455] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023 [117.004456] Call Trace: [117.004456] <IRQ> [117.004457] dump_stack_lvl+0x91/0xf0 [117.004460] dump_stack+0x10/0x20 [117.004461] print_usage_bug.part.0+0x260/0x360 [117.004463] mark_lock+0x76e/0x9c0 [117.004465] ? register_lock_class+0x48/0x4a0 [117.004467] __lock_acquire+0xbc3/0x2860 [117.004469] lock_acquire+0xc4/0x2e0 [117.004470] ? __timer_delete_sync+0x4b/0x190 [117.004472] ? __timer_delete_sync+0x4b/0x190 [117.004473] __timer_delete_sync+0x68/0x190 [117.004474] ? __timer_delete_sync+0x4b/0x190 [117.004475] timer_delete_sync+0x10/0x20 [117.004476] vgem_fence_release+0x19/0x30 [vgem] [117.004478] dma_fence_release+0xc1/0x3b0 [117.004480] ? dma_fence_release+0xa1/0x3b0 [117.004481] dma_fence_chain_release+0xe7/0x130 [117.004483] dma_fence_release+0xc1/0x3b0 [117.004484] ? _raw_spin_unlock_irqrestore+0x27/0x80 [117.004485] dma_fence_chain_irq_work+0x59/0x80 [117.004487] irq_work_single+0x75/0xa0 [117.004490] irq_work_r ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/37289a18099fc7ce9…
	https://git.kernel.org/stable/c/489b2158aec92a3fc…
	https://git.kernel.org/stable/c/1026d1b0bd55e1be7…
	https://git.kernel.org/stable/c/9dc3c78d21e16f5af…
	https://git.kernel.org/stable/c/338e388c0d80ffc04…
	https://git.kernel.org/stable/c/4f335cb8fad69b2be…
	https://git.kernel.org/stable/c/1f0ca9d3e7c38a39f…
	https://git.kernel.org/stable/c/78b4d6463e9e69e51…

Impacted products

Vendor

Product

Version

Linux

Affected: 4077798484459a2eced2050045099a466ecb618a , < 37289a18099fc7ce916933bd542926a7334791a3 (git)
Affected: 4077798484459a2eced2050045099a466ecb618a , < 489b2158aec92a3fc256d70992416869f86e16e0 (git)
Affected: 4077798484459a2eced2050045099a466ecb618a , < 1026d1b0bd55e1be7ba0f9e9b1c9f6e02448f25a (git)
Affected: 4077798484459a2eced2050045099a466ecb618a , < 9dc3c78d21e16f5af1a9c3d11b4bd5276f891fe0 (git)
Affected: 4077798484459a2eced2050045099a466ecb618a , < 338e388c0d80ffc04963b6b0ec702ffdfd2c4eba (git)
Affected: 4077798484459a2eced2050045099a466ecb618a , < 4f335cb8fad69b2be5accf0ebac3a8b345915f4e (git)
Affected: 4077798484459a2eced2050045099a466ecb618a , < 1f0ca9d3e7c38a39f1f12377c24decf0bba46e54 (git)
Affected: 4077798484459a2eced2050045099a466ecb618a , < 78b4d6463e9e69e5103f98b367f8984ad12cdc6f (git)

Linux

Affected: 4.8
Unaffected: 0 , < 4.8 (semver)
Unaffected: 5.10.248 , ≤ 5.10.* (semver)
Unaffected: 5.15.198 , ≤ 5.15.* (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.63 , ≤ 6.12.* (semver)
Unaffected: 6.17.13 , ≤ 6.17.* (semver)
Unaffected: 6.18.2 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/vgem/vgem_fence.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "37289a18099fc7ce916933bd542926a7334791a3",
              "status": "affected",
              "version": "4077798484459a2eced2050045099a466ecb618a",
              "versionType": "git"
            },
            {
              "lessThan": "489b2158aec92a3fc256d70992416869f86e16e0",
              "status": "affected",
              "version": "4077798484459a2eced2050045099a466ecb618a",
              "versionType": "git"
            },
            {
              "lessThan": "1026d1b0bd55e1be7ba0f9e9b1c9f6e02448f25a",
              "status": "affected",
              "version": "4077798484459a2eced2050045099a466ecb618a",
              "versionType": "git"
            },
            {
              "lessThan": "9dc3c78d21e16f5af1a9c3d11b4bd5276f891fe0",
              "status": "affected",
              "version": "4077798484459a2eced2050045099a466ecb618a",
              "versionType": "git"
            },
            {
              "lessThan": "338e388c0d80ffc04963b6b0ec702ffdfd2c4eba",
              "status": "affected",
              "version": "4077798484459a2eced2050045099a466ecb618a",
              "versionType": "git"
            },
            {
              "lessThan": "4f335cb8fad69b2be5accf0ebac3a8b345915f4e",
              "status": "affected",
              "version": "4077798484459a2eced2050045099a466ecb618a",
              "versionType": "git"
            },
            {
              "lessThan": "1f0ca9d3e7c38a39f1f12377c24decf0bba46e54",
              "status": "affected",
              "version": "4077798484459a2eced2050045099a466ecb618a",
              "versionType": "git"
            },
            {
              "lessThan": "78b4d6463e9e69e5103f98b367f8984ad12cdc6f",
              "status": "affected",
              "version": "4077798484459a2eced2050045099a466ecb618a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/vgem/vgem_fence.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.248",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.63",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.248",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.198",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.63",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.13",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.2",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vgem-fence: Fix potential deadlock on release\n\nA timer that expires a vgem fence automatically in 10 seconds is now\nreleased with timer_delete_sync() from fence-\u003eops.release() called on last\ndma_fence_put().  In some scenarios, it can run in IRQ context, which is\nnot safe unless TIMER_IRQSAFE is used.  One potentially risky scenario was\ndemonstrated in Intel DRM CI trybot, BAT run on machine bat-adlp-6, while\nworking on new IGT subtests syncobj_timeline@stress-* as user space\nreplacements of some problematic test cases of a dma-fence-chain selftest\n[1].\n\n[117.004338] ================================\n[117.004340] WARNING: inconsistent lock state\n[117.004342] 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 Tainted: G S   U\n[117.004346] --------------------------------\n[117.004347] inconsistent {HARDIRQ-ON-W} -\u003e {IN-HARDIRQ-W} usage.\n[117.004349] swapper/0/0 [HC1[1]:SC1[1]:HE0:SE0] takes:\n[117.004352] ffff888138f86aa8 ((\u0026fence-\u003etimer)){?.-.}-{0:0}, at: __timer_delete_sync+0x4b/0x190\n[117.004361] {HARDIRQ-ON-W} state was registered at:\n[117.004363]   lock_acquire+0xc4/0x2e0\n[117.004366]   call_timer_fn+0x80/0x2a0\n[117.004368]   __run_timers+0x231/0x310\n[117.004370]   run_timer_softirq+0x76/0xe0\n[117.004372]   handle_softirqs+0xd4/0x4d0\n[117.004375]   __irq_exit_rcu+0x13f/0x160\n[117.004377]   irq_exit_rcu+0xe/0x20\n[117.004379]   sysvec_apic_timer_interrupt+0xa0/0xc0\n[117.004382]   asm_sysvec_apic_timer_interrupt+0x1b/0x20\n[117.004385]   cpuidle_enter_state+0x12b/0x8a0\n[117.004388]   cpuidle_enter+0x2e/0x50\n[117.004393]   call_cpuidle+0x22/0x60\n[117.004395]   do_idle+0x1fd/0x260\n[117.004398]   cpu_startup_entry+0x29/0x30\n[117.004401]   start_secondary+0x12d/0x160\n[117.004404]   common_startup_64+0x13e/0x141\n[117.004407] irq event stamp: 2282669\n[117.004409] hardirqs last  enabled at (2282668): [\u003cffffffff8289db71\u003e] _raw_spin_unlock_irqrestore+0x51/0x80\n[117.004414] hardirqs last disabled at (2282669): [\u003cffffffff82882021\u003e] sysvec_irq_work+0x11/0xc0\n[117.004419] softirqs last  enabled at (2254702): [\u003cffffffff8289fd00\u003e] __do_softirq+0x10/0x18\n[117.004423] softirqs last disabled at (2254725): [\u003cffffffff813d4ddf\u003e] __irq_exit_rcu+0x13f/0x160\n[117.004426]\nother info that might help us debug this:\n[117.004429]  Possible unsafe locking scenario:\n[117.004432]        CPU0\n[117.004433]        ----\n[117.004434]   lock((\u0026fence-\u003etimer));\n[117.004436]   \u003cInterrupt\u003e\n[117.004438]     lock((\u0026fence-\u003etimer));\n[117.004440]\n *** DEADLOCK ***\n[117.004443] 1 lock held by swapper/0/0:\n[117.004445]  #0: ffffc90000003d50 ((\u0026fence-\u003etimer)){?.-.}-{0:0}, at: call_timer_fn+0x7a/0x2a0\n[117.004450]\nstack backtrace:\n[117.004453] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G S   U              6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 PREEMPT(voluntary)\n[117.004455] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER\n[117.004455] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023\n[117.004456] Call Trace:\n[117.004456]  \u003cIRQ\u003e\n[117.004457]  dump_stack_lvl+0x91/0xf0\n[117.004460]  dump_stack+0x10/0x20\n[117.004461]  print_usage_bug.part.0+0x260/0x360\n[117.004463]  mark_lock+0x76e/0x9c0\n[117.004465]  ? register_lock_class+0x48/0x4a0\n[117.004467]  __lock_acquire+0xbc3/0x2860\n[117.004469]  lock_acquire+0xc4/0x2e0\n[117.004470]  ? __timer_delete_sync+0x4b/0x190\n[117.004472]  ? __timer_delete_sync+0x4b/0x190\n[117.004473]  __timer_delete_sync+0x68/0x190\n[117.004474]  ? __timer_delete_sync+0x4b/0x190\n[117.004475]  timer_delete_sync+0x10/0x20\n[117.004476]  vgem_fence_release+0x19/0x30 [vgem]\n[117.004478]  dma_fence_release+0xc1/0x3b0\n[117.004480]  ? dma_fence_release+0xa1/0x3b0\n[117.004481]  dma_fence_chain_release+0xe7/0x130\n[117.004483]  dma_fence_release+0xc1/0x3b0\n[117.004484]  ? _raw_spin_unlock_irqrestore+0x27/0x80\n[117.004485]  dma_fence_chain_irq_work+0x59/0x80\n[117.004487]  irq_work_single+0x75/0xa0\n[117.004490]  irq_work_r\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-19T12:18:44.021Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/37289a18099fc7ce916933bd542926a7334791a3"
        },
        {
          "url": "https://git.kernel.org/stable/c/489b2158aec92a3fc256d70992416869f86e16e0"
        },
        {
          "url": "https://git.kernel.org/stable/c/1026d1b0bd55e1be7ba0f9e9b1c9f6e02448f25a"
        },
        {
          "url": "https://git.kernel.org/stable/c/9dc3c78d21e16f5af1a9c3d11b4bd5276f891fe0"
        },
        {
          "url": "https://git.kernel.org/stable/c/338e388c0d80ffc04963b6b0ec702ffdfd2c4eba"
        },
        {
          "url": "https://git.kernel.org/stable/c/4f335cb8fad69b2be5accf0ebac3a8b345915f4e"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f0ca9d3e7c38a39f1f12377c24decf0bba46e54"
        },
        {
          "url": "https://git.kernel.org/stable/c/78b4d6463e9e69e5103f98b367f8984ad12cdc6f"
        }
      ],
      "title": "drm/vgem-fence: Fix potential deadlock on release",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68757",
    "datePublished": "2026-01-05T09:32:30.496Z",
    "dateReserved": "2025-12-24T10:30:51.033Z",
    "dateUpdated": "2026-01-19T12:18:44.021Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68753 (GCVE-0-2025-68753)

Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-01-11 16:30

Title

ALSA: firewire-motu: add bounds check in put_user loop for DSP events

Summary

In the Linux kernel, the following vulnerability has been resolved: ALSA: firewire-motu: add bounds check in put_user loop for DSP events In the DSP event handling code, a put_user() loop copies event data. When the user buffer size is not aligned to 4 bytes, it could overwrite beyond the buffer boundary. Fix by adding a bounds check before put_user().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ea2c921d9de6e32ca…
	https://git.kernel.org/stable/c/6d4f17782ce4facf3…
	https://git.kernel.org/stable/c/0d71b3c2ed742f1cc…
	https://git.kernel.org/stable/c/df692cf2b601a54b3…
	https://git.kernel.org/stable/c/8f9e51cf2a2a43d0c…
	https://git.kernel.org/stable/c/298e753880b6ea99a…

Impacted products

Vendor

Product

Version

Linux

Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < ea2c921d9de6e32ca50cb817b9d57bb881be70de (git)
Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 6d4f17782ce4facf3197e79707df411ee3d7b30a (git)
Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 0d71b3c2ed742f1ccb3b0b7a61afb90c0251093f (git)
Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < df692cf2b601a54b34edfdb9e683d67483aa8ce1 (git)
Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 8f9e51cf2a2a43d0cd72d3dc0b5ccea3f639c187 (git)
Affected: 634ec0b2906efd46f6f57977e172aa3470aca432 , < 298e753880b6ea99ac30df34959a7a03b0878eed (git)

Linux

Affected: 5.16
Unaffected: 0 , < 5.16 (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.63 , ≤ 6.12.* (semver)
Unaffected: 6.17.13 , ≤ 6.17.* (semver)
Unaffected: 6.18.2 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/firewire/motu/motu-hwdep.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ea2c921d9de6e32ca50cb817b9d57bb881be70de",
              "status": "affected",
              "version": "634ec0b2906efd46f6f57977e172aa3470aca432",
              "versionType": "git"
            },
            {
              "lessThan": "6d4f17782ce4facf3197e79707df411ee3d7b30a",
              "status": "affected",
              "version": "634ec0b2906efd46f6f57977e172aa3470aca432",
              "versionType": "git"
            },
            {
              "lessThan": "0d71b3c2ed742f1ccb3b0b7a61afb90c0251093f",
              "status": "affected",
              "version": "634ec0b2906efd46f6f57977e172aa3470aca432",
              "versionType": "git"
            },
            {
              "lessThan": "df692cf2b601a54b34edfdb9e683d67483aa8ce1",
              "status": "affected",
              "version": "634ec0b2906efd46f6f57977e172aa3470aca432",
              "versionType": "git"
            },
            {
              "lessThan": "8f9e51cf2a2a43d0cd72d3dc0b5ccea3f639c187",
              "status": "affected",
              "version": "634ec0b2906efd46f6f57977e172aa3470aca432",
              "versionType": "git"
            },
            {
              "lessThan": "298e753880b6ea99ac30df34959a7a03b0878eed",
              "status": "affected",
              "version": "634ec0b2906efd46f6f57977e172aa3470aca432",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/firewire/motu/motu-hwdep.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.16"
            },
            {
              "lessThan": "5.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.63",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.63",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.13",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.2",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: firewire-motu: add bounds check in put_user loop for DSP events\n\nIn the DSP event handling code, a put_user() loop copies event data.\nWhen the user buffer size is not aligned to 4 bytes, it could overwrite\nbeyond the buffer boundary.\n\nFix by adding a bounds check before put_user()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-11T16:30:24.526Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ea2c921d9de6e32ca50cb817b9d57bb881be70de"
        },
        {
          "url": "https://git.kernel.org/stable/c/6d4f17782ce4facf3197e79707df411ee3d7b30a"
        },
        {
          "url": "https://git.kernel.org/stable/c/0d71b3c2ed742f1ccb3b0b7a61afb90c0251093f"
        },
        {
          "url": "https://git.kernel.org/stable/c/df692cf2b601a54b34edfdb9e683d67483aa8ce1"
        },
        {
          "url": "https://git.kernel.org/stable/c/8f9e51cf2a2a43d0cd72d3dc0b5ccea3f639c187"
        },
        {
          "url": "https://git.kernel.org/stable/c/298e753880b6ea99ac30df34959a7a03b0878eed"
        }
      ],
      "title": "ALSA: firewire-motu: add bounds check in put_user loop for DSP events",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68753",
    "datePublished": "2026-01-05T09:32:27.029Z",
    "dateReserved": "2025-12-24T10:30:51.033Z",
    "dateUpdated": "2026-01-11T16:30:24.526Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50671 (GCVE-0-2022-50671)

Vulnerability from cvelistv5 – Published: 2025-12-09 01:29 – Updated: 2025-12-09 01:29

Title

RDMA/rxe: Fix "kernel NULL pointer dereference" error

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix "kernel NULL pointer dereference" error When rxe_queue_init in the function rxe_qp_init_req fails, both qp->req.task.func and qp->req.task.arg are not initialized. Because of creation of qp fails, the function rxe_create_qp will call rxe_qp_do_cleanup to handle allocated resource. Before calling __rxe_do_task, both qp->req.task.func and qp->req.task.arg should be checked.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/48cd7098e71735cca…
	https://git.kernel.org/stable/c/eca119693010032d6…
	https://git.kernel.org/stable/c/9c5dd6993c794703e…
	https://git.kernel.org/stable/c/0d773c58d702f0a7c…
	https://git.kernel.org/stable/c/cdce36a88def55077…
	https://git.kernel.org/stable/c/f2f405af70e6f0419…
	https://git.kernel.org/stable/c/bb33fa65da77f5f02…
	https://git.kernel.org/stable/c/3b8752f086eb6865c…
	https://git.kernel.org/stable/c/a625ca30eff806395…

Impacted products

Vendor

Product

Version

Linux

Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 48cd7098e71735ccafa0b3cf27c53924f9cb5b2f (git)
Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < eca119693010032d6cc6e7e9b4fb2c363c7e12ce (git)
Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 9c5dd6993c794703e74c6ba17ac78ca0211ef940 (git)
Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 0d773c58d702f0a7c16ee8d69617fd2c28350795 (git)
Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < cdce36a88def550773142a34ef727a830cad96a8 (git)
Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < f2f405af70e6f0419e718d23fa304798a5405c41 (git)
Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < bb33fa65da77f5f02dbee6f25cebaeedfcd70028 (git)
Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 3b8752f086eb6865cc3662ad13249b03024501e5 (git)
Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < a625ca30eff806395175ebad3ac1399014bdb280 (git)

Linux

Affected: 4.8
Unaffected: 0 , < 4.8 (semver)
Unaffected: 4.9.331 , ≤ 4.9.* (semver)
Unaffected: 4.14.296 , ≤ 4.14.* (semver)
Unaffected: 4.19.262 , ≤ 4.19.* (semver)
Unaffected: 5.4.220 , ≤ 5.4.* (semver)
Unaffected: 5.10.150 , ≤ 5.10.* (semver)
Unaffected: 5.15.75 , ≤ 5.15.* (semver)
Unaffected: 5.19.17 , ≤ 5.19.* (semver)
Unaffected: 6.0.3 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/sw/rxe/rxe_qp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "48cd7098e71735ccafa0b3cf27c53924f9cb5b2f",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "eca119693010032d6cc6e7e9b4fb2c363c7e12ce",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "9c5dd6993c794703e74c6ba17ac78ca0211ef940",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "0d773c58d702f0a7c16ee8d69617fd2c28350795",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "cdce36a88def550773142a34ef727a830cad96a8",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "f2f405af70e6f0419e718d23fa304798a5405c41",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "bb33fa65da77f5f02dbee6f25cebaeedfcd70028",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "3b8752f086eb6865cc3662ad13249b03024501e5",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "a625ca30eff806395175ebad3ac1399014bdb280",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/sw/rxe/rxe_qp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.331",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.262",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.220",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.331",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.296",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.262",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.220",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.150",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.75",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix \"kernel NULL pointer dereference\" error\n\nWhen rxe_queue_init in the function rxe_qp_init_req fails,\nboth qp-\u003ereq.task.func and qp-\u003ereq.task.arg are not initialized.\n\nBecause of creation of qp fails, the function rxe_create_qp will\ncall rxe_qp_do_cleanup to handle allocated resource.\n\nBefore calling __rxe_do_task, both qp-\u003ereq.task.func and\nqp-\u003ereq.task.arg should be checked."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:29:22.950Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/48cd7098e71735ccafa0b3cf27c53924f9cb5b2f"
        },
        {
          "url": "https://git.kernel.org/stable/c/eca119693010032d6cc6e7e9b4fb2c363c7e12ce"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c5dd6993c794703e74c6ba17ac78ca0211ef940"
        },
        {
          "url": "https://git.kernel.org/stable/c/0d773c58d702f0a7c16ee8d69617fd2c28350795"
        },
        {
          "url": "https://git.kernel.org/stable/c/cdce36a88def550773142a34ef727a830cad96a8"
        },
        {
          "url": "https://git.kernel.org/stable/c/f2f405af70e6f0419e718d23fa304798a5405c41"
        },
        {
          "url": "https://git.kernel.org/stable/c/bb33fa65da77f5f02dbee6f25cebaeedfcd70028"
        },
        {
          "url": "https://git.kernel.org/stable/c/3b8752f086eb6865cc3662ad13249b03024501e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/a625ca30eff806395175ebad3ac1399014bdb280"
        }
      ],
      "title": "RDMA/rxe: Fix \"kernel NULL pointer dereference\" error",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50671",
    "datePublished": "2025-12-09T01:29:22.950Z",
    "dateReserved": "2025-12-09T01:26:45.991Z",
    "dateUpdated": "2025-12-09T01:29:22.950Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-54142 (GCVE-0-2023-54142)

Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06

Title

gtp: Fix use-after-free in __gtp_encap_destroy().

Summary

In the Linux kernel, the following vulnerability has been resolved: gtp: Fix use-after-free in __gtp_encap_destroy(). syzkaller reported use-after-free in __gtp_encap_destroy(). [0] It shows the same process freed sk and touched it illegally. Commit e198987e7dd7 ("gtp: fix suspicious RCU usage") added lock_sock() and release_sock() in __gtp_encap_destroy() to protect sk->sk_user_data, but release_sock() is called after sock_put() releases the last refcnt. [0]: BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline] BUG: KASAN: slab-use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] BUG: KASAN: slab-use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] BUG: KASAN: slab-use-after-free in do_raw_spin_lock include/linux/spinlock.h:186 [inline] BUG: KASAN: slab-use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] BUG: KASAN: slab-use-after-free in _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178 Write of size 4 at addr ffff88800dbef398 by task syz-executor.2/2401 CPU: 1 PID: 2401 Comm: syz-executor.2 Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:351 [inline] print_report+0xcc/0x620 mm/kasan/report.c:462 kasan_report+0xb2/0xe0 mm/kasan/report.c:572 check_region_inline mm/kasan/generic.c:181 [inline] kasan_check_range+0x39/0x1c0 mm/kasan/generic.c:187 instrument_atomic_read_write include/linux/instrumented.h:96 [inline] atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] do_raw_spin_lock include/linux/spinlock.h:186 [inline] __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:355 [inline] release_sock+0x1f/0x1a0 net/core/sock.c:3526 gtp_encap_disable_sock drivers/net/gtp.c:651 [inline] gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664 gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728 unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841 rtnl_delete_link net/core/rtnetlink.c:3216 [inline] rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268 rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423 netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365 netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913 sock_sendmsg_nosec net/socket.c:724 [inline] sock_sendmsg+0x1b7/0x200 net/socket.c:747 ____sys_sendmsg+0x75a/0x990 net/socket.c:2493 ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547 __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x72/0xdc RIP: 0033:0x7f1168b1fe5d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48 RSP: 002b:00007f1167edccc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f1168b1fe5d RDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000000000003 RBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f1168b80530 R15: 0000000000000000 </TASK> Allocated by task 1483: kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 __kasan_slab_alloc+0x ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d38039697184aacff…
	https://git.kernel.org/stable/c/e5aa6d829831a55a6…
	https://git.kernel.org/stable/c/9c9662e2512b5e4ee…
	https://git.kernel.org/stable/c/bccc7ace12e69dee4…
	https://git.kernel.org/stable/c/ebd6d2077a0833291…
	https://git.kernel.org/stable/c/17d6b6354f0025b7c…
	https://git.kernel.org/stable/c/dae6095bdb24f537b…
	https://git.kernel.org/stable/c/58fa341327fdb4bdf…
	https://git.kernel.org/stable/c/ce3aee7114c575fab…

Impacted products

Vendor

Product

Version

Linux

Affected: 01f3c64e405ab3d25887d080a103ad76f30661d2 , < d38039697184aacff1cf576e14ef583112fdefef (git)
Affected: e117a04133c673cc54292e12086a8177cd9bd4a4 , < e5aa6d829831a55a693dbaeb58f8d22ba7f2b3e6 (git)
Affected: e198987e7dd7d3645a53875151cd6f8fc425b706 , < 9c9662e2512b5e4ee7b03108802c5222e0fa77a4 (git)
Affected: e198987e7dd7d3645a53875151cd6f8fc425b706 , < bccc7ace12e69dee4684a3bb4b69737972e570d6 (git)
Affected: e198987e7dd7d3645a53875151cd6f8fc425b706 , < ebd6d2077a083329110695a996c00e8ca94bc640 (git)
Affected: e198987e7dd7d3645a53875151cd6f8fc425b706 , < 17d6b6354f0025b7c10a56da783fd0cbb3819c5d (git)
Affected: e198987e7dd7d3645a53875151cd6f8fc425b706 , < dae6095bdb24f537b4798ffd9201515b97bac94e (git)
Affected: e198987e7dd7d3645a53875151cd6f8fc425b706 , < 58fa341327fdb4bdf92597fd8796a9abc8d20ea3 (git)
Affected: e198987e7dd7d3645a53875151cd6f8fc425b706 , < ce3aee7114c575fab32a5e9e939d4bbb3dcca79f (git)
Affected: bf75202df8e473d4ee914894542f213158066d8b (git)
Affected: 76357f65f18f180f44ccbbbf713461881d0ab219 (git)

Linux

Affected: 5.3
Unaffected: 0 , < 5.3 (semver)
Unaffected: 4.14.322 , ≤ 4.14.* (semver)
Unaffected: 4.19.291 , ≤ 4.19.* (semver)
Unaffected: 5.4.251 , ≤ 5.4.* (semver)
Unaffected: 5.10.188 , ≤ 5.10.* (semver)
Unaffected: 5.15.121 , ≤ 5.15.* (semver)
Unaffected: 6.1.39 , ≤ 6.1.* (semver)
Unaffected: 6.3.13 , ≤ 6.3.* (semver)
Unaffected: 6.4.4 , ≤ 6.4.* (semver)
Unaffected: 6.5 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/gtp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d38039697184aacff1cf576e14ef583112fdefef",
              "status": "affected",
              "version": "01f3c64e405ab3d25887d080a103ad76f30661d2",
              "versionType": "git"
            },
            {
              "lessThan": "e5aa6d829831a55a693dbaeb58f8d22ba7f2b3e6",
              "status": "affected",
              "version": "e117a04133c673cc54292e12086a8177cd9bd4a4",
              "versionType": "git"
            },
            {
              "lessThan": "9c9662e2512b5e4ee7b03108802c5222e0fa77a4",
              "status": "affected",
              "version": "e198987e7dd7d3645a53875151cd6f8fc425b706",
              "versionType": "git"
            },
            {
              "lessThan": "bccc7ace12e69dee4684a3bb4b69737972e570d6",
              "status": "affected",
              "version": "e198987e7dd7d3645a53875151cd6f8fc425b706",
              "versionType": "git"
            },
            {
              "lessThan": "ebd6d2077a083329110695a996c00e8ca94bc640",
              "status": "affected",
              "version": "e198987e7dd7d3645a53875151cd6f8fc425b706",
              "versionType": "git"
            },
            {
              "lessThan": "17d6b6354f0025b7c10a56da783fd0cbb3819c5d",
              "status": "affected",
              "version": "e198987e7dd7d3645a53875151cd6f8fc425b706",
              "versionType": "git"
            },
            {
              "lessThan": "dae6095bdb24f537b4798ffd9201515b97bac94e",
              "status": "affected",
              "version": "e198987e7dd7d3645a53875151cd6f8fc425b706",
              "versionType": "git"
            },
            {
              "lessThan": "58fa341327fdb4bdf92597fd8796a9abc8d20ea3",
              "status": "affected",
              "version": "e198987e7dd7d3645a53875151cd6f8fc425b706",
              "versionType": "git"
            },
            {
              "lessThan": "ce3aee7114c575fab32a5e9e939d4bbb3dcca79f",
              "status": "affected",
              "version": "e198987e7dd7d3645a53875151cd6f8fc425b706",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "bf75202df8e473d4ee914894542f213158066d8b",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "76357f65f18f180f44ccbbbf713461881d0ab219",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/gtp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.3"
            },
            {
              "lessThan": "5.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.322",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.251",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.188",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.121",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.3.*",
              "status": "unaffected",
              "version": "6.3.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.322",
                  "versionStartIncluding": "4.14.135",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.291",
                  "versionStartIncluding": "4.19.61",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.251",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.188",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.121",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.39",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3.13",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.4",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.1.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.2.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: Fix use-after-free in __gtp_encap_destroy().\n\nsyzkaller reported use-after-free in __gtp_encap_destroy(). [0]\n\nIt shows the same process freed sk and touched it illegally.\n\nCommit e198987e7dd7 (\"gtp: fix suspicious RCU usage\") added lock_sock()\nand release_sock() in __gtp_encap_destroy() to protect sk-\u003esk_user_data,\nbut release_sock() is called after sock_put() releases the last refcnt.\n\n[0]:\nBUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\nBUG: KASAN: slab-use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]\nBUG: KASAN: slab-use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]\nBUG: KASAN: slab-use-after-free in do_raw_spin_lock include/linux/spinlock.h:186 [inline]\nBUG: KASAN: slab-use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]\nBUG: KASAN: slab-use-after-free in _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178\nWrite of size 4 at addr ffff88800dbef398 by task syz-executor.2/2401\n\nCPU: 1 PID: 2401 Comm: syz-executor.2 Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #2\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:351 [inline]\n print_report+0xcc/0x620 mm/kasan/report.c:462\n kasan_report+0xb2/0xe0 mm/kasan/report.c:572\n check_region_inline mm/kasan/generic.c:181 [inline]\n kasan_check_range+0x39/0x1c0 mm/kasan/generic.c:187\n instrument_atomic_read_write include/linux/instrumented.h:96 [inline]\n atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]\n queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]\n do_raw_spin_lock include/linux/spinlock.h:186 [inline]\n __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]\n _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178\n spin_lock_bh include/linux/spinlock.h:355 [inline]\n release_sock+0x1f/0x1a0 net/core/sock.c:3526\n gtp_encap_disable_sock drivers/net/gtp.c:651 [inline]\n gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664\n gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728\n unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841\n rtnl_delete_link net/core/rtnetlink.c:3216 [inline]\n rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268\n rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423\n netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548\n netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]\n netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365\n netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913\n sock_sendmsg_nosec net/socket.c:724 [inline]\n sock_sendmsg+0x1b7/0x200 net/socket.c:747\n ____sys_sendmsg+0x75a/0x990 net/socket.c:2493\n ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547\n __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x7f1168b1fe5d\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48\nRSP: 002b:00007f1167edccc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f1168b1fe5d\nRDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000000000003\nRBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007f1168b80530 R15: 0000000000000000\n \u003c/TASK\u003e\n\nAllocated by task 1483:\n kasan_save_stack+0x22/0x50 mm/kasan/common.c:45\n kasan_set_track+0x25/0x30 mm/kasan/common.c:52\n __kasan_slab_alloc+0x\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-24T13:06:56.204Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d38039697184aacff1cf576e14ef583112fdefef"
        },
        {
          "url": "https://git.kernel.org/stable/c/e5aa6d829831a55a693dbaeb58f8d22ba7f2b3e6"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c9662e2512b5e4ee7b03108802c5222e0fa77a4"
        },
        {
          "url": "https://git.kernel.org/stable/c/bccc7ace12e69dee4684a3bb4b69737972e570d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/ebd6d2077a083329110695a996c00e8ca94bc640"
        },
        {
          "url": "https://git.kernel.org/stable/c/17d6b6354f0025b7c10a56da783fd0cbb3819c5d"
        },
        {
          "url": "https://git.kernel.org/stable/c/dae6095bdb24f537b4798ffd9201515b97bac94e"
        },
        {
          "url": "https://git.kernel.org/stable/c/58fa341327fdb4bdf92597fd8796a9abc8d20ea3"
        },
        {
          "url": "https://git.kernel.org/stable/c/ce3aee7114c575fab32a5e9e939d4bbb3dcca79f"
        }
      ],
      "title": "gtp: Fix use-after-free in __gtp_encap_destroy().",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-54142",
    "datePublished": "2025-12-24T13:06:56.204Z",
    "dateReserved": "2025-12-24T13:02:52.523Z",
    "dateUpdated": "2025-12-24T13:06:56.204Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40345 (GCVE-0-2025-40345)

Vulnerability from cvelistv5 – Published: 2025-12-12 17:53 – Updated: 2026-01-02 15:33

Title

usb: storage: sddr55: Reject out-of-bound new_pba

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: storage: sddr55: Reject out-of-bound new_pba Discovered by Atuin - Automated Vulnerability Discovery Engine. new_pba comes from the status packet returned after each write. A bogus device could report values beyond the block count derived from info->capacity, letting the driver walk off the end of pba_to_lba[] and corrupt heap memory. Reject PBAs that exceed the computed block count and fail the transfer so we avoid touching out-of-range mapping entries.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d00a6c04a502cd524…
	https://git.kernel.org/stable/c/26e9b5da3231da7dc…
	https://git.kernel.org/stable/c/aa64e0e17e3a5991a…
	https://git.kernel.org/stable/c/04a8a6393f3f2f471…
	https://git.kernel.org/stable/c/a20f1dd19d21dcb70…
	https://git.kernel.org/stable/c/5ebe8d479aaf4f41a…
	https://git.kernel.org/stable/c/b59d4fda7e7d0aff1…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d00a6c04a502cd52425dbf35588732c652b16490 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 26e9b5da3231da7dc357b363883b5b7b51a64092 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < aa64e0e17e3a5991a25e6a46007770c629039869 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 04a8a6393f3f2f471e05eacca33282dd30b01432 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a20f1dd19d21dcb70140ea5a71b1f8cbe0c7e68f (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5ebe8d479aaf4f41ac35e6955332304193c646f6 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b59d4fda7e7d0aff1043a7f742487cb829f5aac1 (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.119 , ≤ 6.6.* (semver)
Unaffected: 6.12.61 , ≤ 6.12.* (semver)
Unaffected: 6.17.11 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/storage/sddr55.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d00a6c04a502cd52425dbf35588732c652b16490",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "26e9b5da3231da7dc357b363883b5b7b51a64092",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "aa64e0e17e3a5991a25e6a46007770c629039869",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "04a8a6393f3f2f471e05eacca33282dd30b01432",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a20f1dd19d21dcb70140ea5a71b1f8cbe0c7e68f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5ebe8d479aaf4f41ac35e6955332304193c646f6",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "b59d4fda7e7d0aff1043a7f742487cb829f5aac1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/storage/sddr55.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.119",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.119",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.61",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.11",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: storage: sddr55: Reject out-of-bound new_pba\n\nDiscovered by Atuin - Automated Vulnerability Discovery Engine.\n\nnew_pba comes from the status packet returned after each write.\nA bogus device could report values beyond the block count derived\nfrom info-\u003ecapacity, letting the driver walk off the end of\npba_to_lba[] and corrupt heap memory.\n\nReject PBAs that exceed the computed block count and fail the\ntransfer so we avoid touching out-of-range mapping entries."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:33:43.244Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d00a6c04a502cd52425dbf35588732c652b16490"
        },
        {
          "url": "https://git.kernel.org/stable/c/26e9b5da3231da7dc357b363883b5b7b51a64092"
        },
        {
          "url": "https://git.kernel.org/stable/c/aa64e0e17e3a5991a25e6a46007770c629039869"
        },
        {
          "url": "https://git.kernel.org/stable/c/04a8a6393f3f2f471e05eacca33282dd30b01432"
        },
        {
          "url": "https://git.kernel.org/stable/c/a20f1dd19d21dcb70140ea5a71b1f8cbe0c7e68f"
        },
        {
          "url": "https://git.kernel.org/stable/c/5ebe8d479aaf4f41ac35e6955332304193c646f6"
        },
        {
          "url": "https://git.kernel.org/stable/c/b59d4fda7e7d0aff1043a7f742487cb829f5aac1"
        }
      ],
      "title": "usb: storage: sddr55: Reject out-of-bound new_pba",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40345",
    "datePublished": "2025-12-12T17:53:06.853Z",
    "dateReserved": "2025-04-16T07:20:57.187Z",
    "dateUpdated": "2026-01-02T15:33:43.244Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40167 (GCVE-0-2025-40167)

Vulnerability from cvelistv5 – Published: 2025-11-12 10:26 – Updated: 2026-01-02 15:33

Title

ext4: detect invalid INLINE_DATA + EXTENTS flag combination

Summary

In the Linux kernel, the following vulnerability has been resolved: ext4: detect invalid INLINE_DATA + EXTENTS flag combination syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity file on a corrupted ext4 filesystem mounted without a journal. The issue is that the filesystem has an inode with both the INLINE_DATA and EXTENTS flags set: EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15: comm syz.0.17: corrupted extent tree: lblk 0 < prev 66 Investigation revealed that the inode has both flags set: DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1 This is an invalid combination since an inode should have either: - INLINE_DATA: data stored directly in the inode - EXTENTS: data stored in extent-mapped blocks Having both flags causes ext4_has_inline_data() to return true, skipping extent tree validation in __ext4_iget(). The unvalidated out-of-order extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer underflow when calculating hole sizes. Fix this by detecting this invalid flag combination early in ext4_iget() and rejecting the corrupted inode.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4954d297c91d29263…
	https://git.kernel.org/stable/c/f061f7c331fc16250…
	https://git.kernel.org/stable/c/2e9e10657b04152ed…
	https://git.kernel.org/stable/c/1437c95ab2a28b138…
	https://git.kernel.org/stable/c/cb6039b68efa547b6…
	https://git.kernel.org/stable/c/de985264eef64be8a…
	https://git.kernel.org/stable/c/1f5ccd22ff4826391…
	https://git.kernel.org/stable/c/1d3ad183943b38eec…

Impacted products

Vendor

Product

Version

Linux

Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < 4954d297c91d292630ab43ba4d195dc371ce65d3 (git)
Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < f061f7c331fc16250fc82aa68964f35821687217 (git)
Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < 2e9e10657b04152ed0d6ecae8d0c02a3405e28f5 (git)
Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < 1437c95ab2a28b138d4521653583729f61ccb48b (git)
Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < cb6039b68efa547b676a8a10fc4618d9d1865c23 (git)
Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < de985264eef64be8a90595908f2e6a87946dad34 (git)
Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < 1f5ccd22ff482639133f2a0fe08f6d19d0e68717 (git)
Affected: f19d5870cbf72d4cb2a8e1f749dff97af99b071e , < 1d3ad183943b38eec2acf72a0ae98e635dc8456b (git)

Linux

Affected: 3.8
Unaffected: 0 , < 3.8 (semver)
Unaffected: 5.4.301 , ≤ 5.4.* (semver)
Unaffected: 5.10.246 , ≤ 5.10.* (semver)
Unaffected: 5.15.196 , ≤ 5.15.* (semver)
Unaffected: 6.1.158 , ≤ 6.1.* (semver)
Unaffected: 6.6.114 , ≤ 6.6.* (semver)
Unaffected: 6.12.55 , ≤ 6.12.* (semver)
Unaffected: 6.17.5 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4954d297c91d292630ab43ba4d195dc371ce65d3",
              "status": "affected",
              "version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
              "versionType": "git"
            },
            {
              "lessThan": "f061f7c331fc16250fc82aa68964f35821687217",
              "status": "affected",
              "version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
              "versionType": "git"
            },
            {
              "lessThan": "2e9e10657b04152ed0d6ecae8d0c02a3405e28f5",
              "status": "affected",
              "version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
              "versionType": "git"
            },
            {
              "lessThan": "1437c95ab2a28b138d4521653583729f61ccb48b",
              "status": "affected",
              "version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
              "versionType": "git"
            },
            {
              "lessThan": "cb6039b68efa547b676a8a10fc4618d9d1865c23",
              "status": "affected",
              "version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
              "versionType": "git"
            },
            {
              "lessThan": "de985264eef64be8a90595908f2e6a87946dad34",
              "status": "affected",
              "version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
              "versionType": "git"
            },
            {
              "lessThan": "1f5ccd22ff482639133f2a0fe08f6d19d0e68717",
              "status": "affected",
              "version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
              "versionType": "git"
            },
            {
              "lessThan": "1d3ad183943b38eec2acf72a0ae98e635dc8456b",
              "status": "affected",
              "version": "f19d5870cbf72d4cb2a8e1f749dff97af99b071e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.8"
            },
            {
              "lessThan": "3.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.301",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.246",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.196",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.158",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.114",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.55",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.301",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.246",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.196",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.158",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.114",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.55",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.5",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: detect invalid INLINE_DATA + EXTENTS flag combination\n\nsyzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity\nfile on a corrupted ext4 filesystem mounted without a journal.\n\nThe issue is that the filesystem has an inode with both the INLINE_DATA\nand EXTENTS flags set:\n\n    EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15:\n    comm syz.0.17: corrupted extent tree: lblk 0 \u003c prev 66\n\nInvestigation revealed that the inode has both flags set:\n    DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1\n\nThis is an invalid combination since an inode should have either:\n- INLINE_DATA: data stored directly in the inode\n- EXTENTS: data stored in extent-mapped blocks\n\nHaving both flags causes ext4_has_inline_data() to return true, skipping\nextent tree validation in __ext4_iget(). The unvalidated out-of-order\nextents then trigger a BUG_ON in ext4_es_cache_extent() due to integer\nunderflow when calculating hole sizes.\n\nFix this by detecting this invalid flag combination early in ext4_iget()\nand rejecting the corrupted inode."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:33:06.804Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4954d297c91d292630ab43ba4d195dc371ce65d3"
        },
        {
          "url": "https://git.kernel.org/stable/c/f061f7c331fc16250fc82aa68964f35821687217"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e9e10657b04152ed0d6ecae8d0c02a3405e28f5"
        },
        {
          "url": "https://git.kernel.org/stable/c/1437c95ab2a28b138d4521653583729f61ccb48b"
        },
        {
          "url": "https://git.kernel.org/stable/c/cb6039b68efa547b676a8a10fc4618d9d1865c23"
        },
        {
          "url": "https://git.kernel.org/stable/c/de985264eef64be8a90595908f2e6a87946dad34"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f5ccd22ff482639133f2a0fe08f6d19d0e68717"
        },
        {
          "url": "https://git.kernel.org/stable/c/1d3ad183943b38eec2acf72a0ae98e635dc8456b"
        }
      ],
      "title": "ext4: detect invalid INLINE_DATA + EXTENTS flag combination",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40167",
    "datePublished": "2025-11-12T10:26:24.498Z",
    "dateReserved": "2025-04-16T07:20:57.176Z",
    "dateUpdated": "2026-01-02T15:33:06.804Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50731 (GCVE-0-2022-50731)

Vulnerability from cvelistv5 – Published: 2025-12-24 12:22 – Updated: 2025-12-24 12:22

Title

crypto: akcipher - default implementation for setting a private key

Summary

In the Linux kernel, the following vulnerability has been resolved: crypto: akcipher - default implementation for setting a private key Changes from v1: * removed the default implementation from set_pub_key: it is assumed that an implementation must always have this callback defined as there are no use case for an algorithm, which doesn't need a public key Many akcipher implementations (like ECDSA) support only signature verifications, so they don't have all callbacks defined. Commit 78a0324f4a53 ("crypto: akcipher - default implementations for request callbacks") introduced default callbacks for sign/verify operations, which just return an error code. However, these are not enough, because before calling sign the caller would likely call set_priv_key first on the instantiated transform (as the in-kernel testmgr does). This function does not have a default stub, so the kernel crashes, when trying to set a private key on an akcipher, which doesn't support signature generation. I've noticed this, when trying to add a KAT vector for ECDSA signature to the testmgr. With this patch the testmgr returns an error in dmesg (as it should) instead of crashing the kernel NULL ptr dereference.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/95c4e20adc3ea00d1…
	https://git.kernel.org/stable/c/a1354bdd191d53321…
	https://git.kernel.org/stable/c/779a9930f3e152c82…
	https://git.kernel.org/stable/c/85bc736a18b872f54…
	https://git.kernel.org/stable/c/f9058178597059d63…
	https://git.kernel.org/stable/c/bc155c6c188c2f0c5…

Impacted products

Vendor

Product

Version

Linux

Affected: 78a0324f4a5328088fea9426cfe1d1851276c475 , < 95c4e20adc3ea00d1594a2a05d9b187ed12ffa8e (git)
Affected: 78a0324f4a5328088fea9426cfe1d1851276c475 , < a1354bdd191d533211b7cb723aa76a66f516f197 (git)
Affected: 78a0324f4a5328088fea9426cfe1d1851276c475 , < 779a9930f3e152c82699feb389a0e6d6644e747e (git)
Affected: 78a0324f4a5328088fea9426cfe1d1851276c475 , < 85bc736a18b872f54912e8bb70682d11770aece0 (git)
Affected: 78a0324f4a5328088fea9426cfe1d1851276c475 , < f9058178597059d6307efe96a7916600f8ede08c (git)
Affected: 78a0324f4a5328088fea9426cfe1d1851276c475 , < bc155c6c188c2f0c5749993b1405673d25a80389 (git)

Linux

Affected: 5.2
Unaffected: 0 , < 5.2 (semver)
Unaffected: 5.4.220 , ≤ 5.4.* (semver)
Unaffected: 5.10.150 , ≤ 5.10.* (semver)
Unaffected: 5.15.75 , ≤ 5.15.* (semver)
Unaffected: 5.19.17 , ≤ 5.19.* (semver)
Unaffected: 6.0.3 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "crypto/akcipher.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "95c4e20adc3ea00d1594a2a05d9b187ed12ffa8e",
              "status": "affected",
              "version": "78a0324f4a5328088fea9426cfe1d1851276c475",
              "versionType": "git"
            },
            {
              "lessThan": "a1354bdd191d533211b7cb723aa76a66f516f197",
              "status": "affected",
              "version": "78a0324f4a5328088fea9426cfe1d1851276c475",
              "versionType": "git"
            },
            {
              "lessThan": "779a9930f3e152c82699feb389a0e6d6644e747e",
              "status": "affected",
              "version": "78a0324f4a5328088fea9426cfe1d1851276c475",
              "versionType": "git"
            },
            {
              "lessThan": "85bc736a18b872f54912e8bb70682d11770aece0",
              "status": "affected",
              "version": "78a0324f4a5328088fea9426cfe1d1851276c475",
              "versionType": "git"
            },
            {
              "lessThan": "f9058178597059d6307efe96a7916600f8ede08c",
              "status": "affected",
              "version": "78a0324f4a5328088fea9426cfe1d1851276c475",
              "versionType": "git"
            },
            {
              "lessThan": "bc155c6c188c2f0c5749993b1405673d25a80389",
              "status": "affected",
              "version": "78a0324f4a5328088fea9426cfe1d1851276c475",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "crypto/akcipher.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.2"
            },
            {
              "lessThan": "5.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.220",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.220",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.150",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.75",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: akcipher - default implementation for setting a private key\n\nChanges from v1:\n  * removed the default implementation from set_pub_key: it is assumed that\n    an implementation must always have this callback defined as there are\n    no use case for an algorithm, which doesn\u0027t need a public key\n\nMany akcipher implementations (like ECDSA) support only signature\nverifications, so they don\u0027t have all callbacks defined.\n\nCommit 78a0324f4a53 (\"crypto: akcipher - default implementations for\nrequest callbacks\") introduced default callbacks for sign/verify\noperations, which just return an error code.\n\nHowever, these are not enough, because before calling sign the caller would\nlikely call set_priv_key first on the instantiated transform (as the\nin-kernel testmgr does). This function does not have a default stub, so the\nkernel crashes, when trying to set a private key on an akcipher, which\ndoesn\u0027t support signature generation.\n\nI\u0027ve noticed this, when trying to add a KAT vector for ECDSA signature to\nthe testmgr.\n\nWith this patch the testmgr returns an error in dmesg (as it should)\ninstead of crashing the kernel NULL ptr dereference."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-24T12:22:51.122Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/95c4e20adc3ea00d1594a2a05d9b187ed12ffa8e"
        },
        {
          "url": "https://git.kernel.org/stable/c/a1354bdd191d533211b7cb723aa76a66f516f197"
        },
        {
          "url": "https://git.kernel.org/stable/c/779a9930f3e152c82699feb389a0e6d6644e747e"
        },
        {
          "url": "https://git.kernel.org/stable/c/85bc736a18b872f54912e8bb70682d11770aece0"
        },
        {
          "url": "https://git.kernel.org/stable/c/f9058178597059d6307efe96a7916600f8ede08c"
        },
        {
          "url": "https://git.kernel.org/stable/c/bc155c6c188c2f0c5749993b1405673d25a80389"
        }
      ],
      "title": "crypto: akcipher - default implementation for setting a private key",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50731",
    "datePublished": "2025-12-24T12:22:51.122Z",
    "dateReserved": "2025-12-24T12:20:40.331Z",
    "dateUpdated": "2025-12-24T12:22:51.122Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40212 (GCVE-0-2025-40212)

Vulnerability from cvelistv5 – Published: 2025-11-24 13:04 – Updated: 2025-12-01 06:20

Title

nfsd: fix refcount leak in nfsd_set_fh_dentry()

Summary

In the Linux kernel, the following vulnerability has been resolved: nfsd: fix refcount leak in nfsd_set_fh_dentry() nfsd exports a "pseudo root filesystem" which is used by NFSv4 to find the various exported filesystems using LOOKUP requests from a known root filehandle. NFSv3 uses the MOUNT protocol to find those exported filesystems and so is not given access to the pseudo root filesystem. If a v3 (or v2) client uses a filehandle from that filesystem, nfsd_set_fh_dentry() will report an error, but still stores the export in "struct svc_fh" even though it also drops the reference (exp_put()). This means that when fh_put() is called an extra reference will be dropped which can lead to use-after-free and possible denial of service. Normal NFS usage will not provide a pseudo-root filehandle to a v3 client. This bug can only be triggered by the client synthesising an incorrect filehandle. To fix this we move the assignments to the svc_fh later, after all possible error cases have been detected.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b6bc86ce3944b10b9…
	https://git.kernel.org/stable/c/c83d7365cec5eb5eb…
	https://git.kernel.org/stable/c/8a7348a9ed70bda1c…

Impacted products

Vendor

Product

Version

Linux

Affected: ef7f6c4904d03ccd7478e1ac20ed75f79c4ac444 , < b6bc86ce3944b10b9fc181fc00c1a520a20ed965 (git)
Affected: ef7f6c4904d03ccd7478e1ac20ed75f79c4ac444 , < c83d7365cec5eb5ebeeee2a72e29b4ca58a7e4c2 (git)
Affected: ef7f6c4904d03ccd7478e1ac20ed75f79c4ac444 , < 8a7348a9ed70bda1c1f51d3f1815bcbdf9f3b38c (git)

Linux

Affected: 6.12
Unaffected: 0 , < 6.12 (semver)
Unaffected: 6.12.59 , ≤ 6.12.* (semver)
Unaffected: 6.17.9 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/nfsfh.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b6bc86ce3944b10b9fc181fc00c1a520a20ed965",
              "status": "affected",
              "version": "ef7f6c4904d03ccd7478e1ac20ed75f79c4ac444",
              "versionType": "git"
            },
            {
              "lessThan": "c83d7365cec5eb5ebeeee2a72e29b4ca58a7e4c2",
              "status": "affected",
              "version": "ef7f6c4904d03ccd7478e1ac20ed75f79c4ac444",
              "versionType": "git"
            },
            {
              "lessThan": "8a7348a9ed70bda1c1f51d3f1815bcbdf9f3b38c",
              "status": "affected",
              "version": "ef7f6c4904d03ccd7478e1ac20ed75f79c4ac444",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/nfsfh.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix refcount leak in nfsd_set_fh_dentry()\n\nnfsd exports a \"pseudo root filesystem\" which is used by NFSv4 to find\nthe various exported filesystems using LOOKUP requests from a known root\nfilehandle.  NFSv3 uses the MOUNT protocol to find those exported\nfilesystems and so is not given access to the pseudo root filesystem.\n\nIf a v3 (or v2) client uses a filehandle from that filesystem,\nnfsd_set_fh_dentry() will report an error, but still stores the export\nin \"struct svc_fh\" even though it also drops the reference (exp_put()).\nThis means that when fh_put() is called an extra reference will be dropped\nwhich can lead to use-after-free and possible denial of service.\n\nNormal NFS usage will not provide a pseudo-root filehandle to a v3\nclient.  This bug can only be triggered by the client synthesising an\nincorrect filehandle.\n\nTo fix this we move the assignments to the svc_fh later, after all\npossible error cases have been detected."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-01T06:20:17.962Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b6bc86ce3944b10b9fc181fc00c1a520a20ed965"
        },
        {
          "url": "https://git.kernel.org/stable/c/c83d7365cec5eb5ebeeee2a72e29b4ca58a7e4c2"
        },
        {
          "url": "https://git.kernel.org/stable/c/8a7348a9ed70bda1c1f51d3f1815bcbdf9f3b38c"
        }
      ],
      "title": "nfsd: fix refcount leak in nfsd_set_fh_dentry()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40212",
    "datePublished": "2025-11-24T13:04:20.888Z",
    "dateReserved": "2025-04-16T07:20:57.179Z",
    "dateUpdated": "2025-12-01T06:20:17.962Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40250 (GCVE-0-2025-40250)

Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-04 16:08

Title

net/mlx5: Clean up only new IRQ glue on request_irq() failure

Summary

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Clean up only new IRQ glue on request_irq() failure The mlx5_irq_alloc() function can inadvertently free the entire rmap and end up in a crash[1] when the other threads tries to access this, when request_irq() fails due to exhausted IRQ vectors. This commit modifies the cleanup to remove only the specific IRQ mapping that was just added. This prevents removal of other valid mappings and ensures precise cleanup of the failed IRQ allocation's associated glue object. Note: This error is observed when both fwctl and rds configs are enabled. [1] mlx5_core 0000:05:00.0: Successfully registered panic handler for port 1 mlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to request irq. err = -28 infiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while trying to test write-combining support mlx5_core 0000:05:00.0: Successfully unregistered panic handler for port 1 mlx5_core 0000:06:00.0: Successfully registered panic handler for port 1 mlx5_core 0000:06:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to request irq. err = -28 infiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while trying to test write-combining support mlx5_core 0000:06:00.0: Successfully unregistered panic handler for port 1 mlx5_core 0000:03:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to request irq. err = -28 mlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to request irq. err = -28 general protection fault, probably for non-canonical address 0xe277a58fde16f291: 0000 [#1] SMP NOPTI RIP: 0010:free_irq_cpu_rmap+0x23/0x7d Call Trace: <TASK> ? show_trace_log_lvl+0x1d6/0x2f9 ? show_trace_log_lvl+0x1d6/0x2f9 ? mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core] ? __die_body.cold+0x8/0xa ? die_addr+0x39/0x53 ? exc_general_protection+0x1c4/0x3e9 ? dev_vprintk_emit+0x5f/0x90 ? asm_exc_general_protection+0x22/0x27 ? free_irq_cpu_rmap+0x23/0x7d mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core] irq_pool_request_vector+0x7d/0x90 [mlx5_core] mlx5_irq_request+0x2e/0xe0 [mlx5_core] mlx5_irq_request_vector+0xad/0xf7 [mlx5_core] comp_irq_request_pci+0x64/0xf0 [mlx5_core] create_comp_eq+0x71/0x385 [mlx5_core] ? mlx5e_open_xdpsq+0x11c/0x230 [mlx5_core] mlx5_comp_eqn_get+0x72/0x90 [mlx5_core] ? xas_load+0x8/0x91 mlx5_comp_irqn_get+0x40/0x90 [mlx5_core] mlx5e_open_channel+0x7d/0x3c7 [mlx5_core] mlx5e_open_channels+0xad/0x250 [mlx5_core] mlx5e_open_locked+0x3e/0x110 [mlx5_core] mlx5e_open+0x23/0x70 [mlx5_core] __dev_open+0xf1/0x1a5 __dev_change_flags+0x1e1/0x249 dev_change_flags+0x21/0x5c do_setlink+0x28b/0xcc4 ? __nla_parse+0x22/0x3d ? inet6_validate_link_af+0x6b/0x108 ? cpumask_next+0x1f/0x35 ? __snmp6_fill_stats64.constprop.0+0x66/0x107 ? __nla_validate_parse+0x48/0x1e6 __rtnl_newlink+0x5ff/0xa57 ? kmem_cache_alloc_trace+0x164/0x2ce rtnl_newlink+0x44/0x6e rtnetlink_rcv_msg+0x2bb/0x362 ? __netlink_sendskb+0x4c/0x6c ? netlink_unicast+0x28f/0x2ce ? rtnl_calcit.isra.0+0x150/0x146 netlink_rcv_skb+0x5f/0x112 netlink_unicast+0x213/0x2ce netlink_sendmsg+0x24f/0x4d9 __sock_sendmsg+0x65/0x6a ____sys_sendmsg+0x28f/0x2c9 ? import_iovec+0x17/0x2b ___sys_sendmsg+0x97/0xe0 __sys_sendmsg+0x81/0xd8 do_syscall_64+0x35/0x87 entry_SYSCALL_64_after_hwframe+0x6e/0x0 RIP: 0033:0x7fc328603727 Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 0b ed ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 44 ed ff ff 48 RSP: 002b:00007ffe8eb3f1a0 EFLAGS: 00000293 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007fc328603727 RDX: 0000000000000000 RSI: 00007ffe8eb3f1f0 RDI: 000000000000000d RBP: 00007ffe8eb3f1f0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 00000000000 ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/69e043bce09c9a77e…
	https://git.kernel.org/stable/c/6ebd02cf2dde11b86…
	https://git.kernel.org/stable/c/4d6b4bea8b80bfa13…
	https://git.kernel.org/stable/c/d47515af6cccd7484…

Impacted products

Vendor

Product

Version

Linux

Affected: 3354822cde5a9f72aa725b3c619188b149a71a33 , < 69e043bce09c9a77e5f55b9ac7505874a2a1a9f0 (git)
Affected: 3354822cde5a9f72aa725b3c619188b149a71a33 , < 6ebd02cf2dde11b86f89ea4c9f55179eab30d4ee (git)
Affected: 3354822cde5a9f72aa725b3c619188b149a71a33 , < 4d6b4bea8b80bfa13c903ba547538249e7c5e977 (git)
Affected: 3354822cde5a9f72aa725b3c619188b149a71a33 , < d47515af6cccd7484d8b0870376858c9848a18ec (git)

Linux

Affected: 6.4
Unaffected: 0 , < 6.4 (semver)
Unaffected: 6.6.118 , ≤ 6.6.* (semver)
Unaffected: 6.12.60 , ≤ 6.12.* (semver)
Unaffected: 6.17.10 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "69e043bce09c9a77e5f55b9ac7505874a2a1a9f0",
              "status": "affected",
              "version": "3354822cde5a9f72aa725b3c619188b149a71a33",
              "versionType": "git"
            },
            {
              "lessThan": "6ebd02cf2dde11b86f89ea4c9f55179eab30d4ee",
              "status": "affected",
              "version": "3354822cde5a9f72aa725b3c619188b149a71a33",
              "versionType": "git"
            },
            {
              "lessThan": "4d6b4bea8b80bfa13c903ba547538249e7c5e977",
              "status": "affected",
              "version": "3354822cde5a9f72aa725b3c619188b149a71a33",
              "versionType": "git"
            },
            {
              "lessThan": "d47515af6cccd7484d8b0870376858c9848a18ec",
              "status": "affected",
              "version": "3354822cde5a9f72aa725b3c619188b149a71a33",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.118",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.60",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.118",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.60",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.10",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Clean up only new IRQ glue on request_irq() failure\n\nThe mlx5_irq_alloc() function can inadvertently free the entire rmap\nand end up in a crash[1] when the other threads tries to access this,\nwhen request_irq() fails due to exhausted IRQ vectors. This commit\nmodifies the cleanup to remove only the specific IRQ mapping that was\njust added.\n\nThis prevents removal of other valid mappings and ensures precise\ncleanup of the failed IRQ allocation\u0027s associated glue object.\n\nNote: This error is observed when both fwctl and rds configs are enabled.\n\n[1]\nmlx5_core 0000:05:00.0: Successfully registered panic handler for port 1\nmlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to\nrequest irq. err = -28\ninfiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while\ntrying to test write-combining support\nmlx5_core 0000:05:00.0: Successfully unregistered panic handler for port 1\nmlx5_core 0000:06:00.0: Successfully registered panic handler for port 1\nmlx5_core 0000:06:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to\nrequest irq. err = -28\ninfiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while\ntrying to test write-combining support\nmlx5_core 0000:06:00.0: Successfully unregistered panic handler for port 1\nmlx5_core 0000:03:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to\nrequest irq. err = -28\nmlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to\nrequest irq. err = -28\ngeneral protection fault, probably for non-canonical address\n0xe277a58fde16f291: 0000 [#1] SMP NOPTI\n\nRIP: 0010:free_irq_cpu_rmap+0x23/0x7d\nCall Trace:\n   \u003cTASK\u003e\n   ? show_trace_log_lvl+0x1d6/0x2f9\n   ? show_trace_log_lvl+0x1d6/0x2f9\n   ? mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core]\n   ? __die_body.cold+0x8/0xa\n   ? die_addr+0x39/0x53\n   ? exc_general_protection+0x1c4/0x3e9\n   ? dev_vprintk_emit+0x5f/0x90\n   ? asm_exc_general_protection+0x22/0x27\n   ? free_irq_cpu_rmap+0x23/0x7d\n   mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core]\n   irq_pool_request_vector+0x7d/0x90 [mlx5_core]\n   mlx5_irq_request+0x2e/0xe0 [mlx5_core]\n   mlx5_irq_request_vector+0xad/0xf7 [mlx5_core]\n   comp_irq_request_pci+0x64/0xf0 [mlx5_core]\n   create_comp_eq+0x71/0x385 [mlx5_core]\n   ? mlx5e_open_xdpsq+0x11c/0x230 [mlx5_core]\n   mlx5_comp_eqn_get+0x72/0x90 [mlx5_core]\n   ? xas_load+0x8/0x91\n   mlx5_comp_irqn_get+0x40/0x90 [mlx5_core]\n   mlx5e_open_channel+0x7d/0x3c7 [mlx5_core]\n   mlx5e_open_channels+0xad/0x250 [mlx5_core]\n   mlx5e_open_locked+0x3e/0x110 [mlx5_core]\n   mlx5e_open+0x23/0x70 [mlx5_core]\n   __dev_open+0xf1/0x1a5\n   __dev_change_flags+0x1e1/0x249\n   dev_change_flags+0x21/0x5c\n   do_setlink+0x28b/0xcc4\n   ? __nla_parse+0x22/0x3d\n   ? inet6_validate_link_af+0x6b/0x108\n   ? cpumask_next+0x1f/0x35\n   ? __snmp6_fill_stats64.constprop.0+0x66/0x107\n   ? __nla_validate_parse+0x48/0x1e6\n   __rtnl_newlink+0x5ff/0xa57\n   ? kmem_cache_alloc_trace+0x164/0x2ce\n   rtnl_newlink+0x44/0x6e\n   rtnetlink_rcv_msg+0x2bb/0x362\n   ? __netlink_sendskb+0x4c/0x6c\n   ? netlink_unicast+0x28f/0x2ce\n   ? rtnl_calcit.isra.0+0x150/0x146\n   netlink_rcv_skb+0x5f/0x112\n   netlink_unicast+0x213/0x2ce\n   netlink_sendmsg+0x24f/0x4d9\n   __sock_sendmsg+0x65/0x6a\n   ____sys_sendmsg+0x28f/0x2c9\n   ? import_iovec+0x17/0x2b\n   ___sys_sendmsg+0x97/0xe0\n   __sys_sendmsg+0x81/0xd8\n   do_syscall_64+0x35/0x87\n   entry_SYSCALL_64_after_hwframe+0x6e/0x0\nRIP: 0033:0x7fc328603727\nCode: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 0b ed\nff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 \u003c48\u003e 3d 00\nf0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 44 ed ff ff 48\nRSP: 002b:00007ffe8eb3f1a0 EFLAGS: 00000293 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007fc328603727\nRDX: 0000000000000000 RSI: 00007ffe8eb3f1f0 RDI: 000000000000000d\nRBP: 00007ffe8eb3f1f0 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000\nR13: 00000000000\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-04T16:08:12.984Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/69e043bce09c9a77e5f55b9ac7505874a2a1a9f0"
        },
        {
          "url": "https://git.kernel.org/stable/c/6ebd02cf2dde11b86f89ea4c9f55179eab30d4ee"
        },
        {
          "url": "https://git.kernel.org/stable/c/4d6b4bea8b80bfa13c903ba547538249e7c5e977"
        },
        {
          "url": "https://git.kernel.org/stable/c/d47515af6cccd7484d8b0870376858c9848a18ec"
        }
      ],
      "title": "net/mlx5: Clean up only new IRQ glue on request_irq() failure",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40250",
    "datePublished": "2025-12-04T16:08:12.984Z",
    "dateReserved": "2025-04-16T07:20:57.181Z",
    "dateUpdated": "2025-12-04T16:08:12.984Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68339 (GCVE-0-2025-68339)

Vulnerability from cvelistv5 – Published: 2025-12-23 13:58 – Updated: 2025-12-23 13:58

Title

atm/fore200e: Fix possible data race in fore200e_open()

Summary

In the Linux kernel, the following vulnerability has been resolved: atm/fore200e: Fix possible data race in fore200e_open() Protect access to fore200e->available_cell_rate with rate_mtx lock in the error handling path of fore200e_open() to prevent a data race. The field fore200e->available_cell_rate is a shared resource used to track available bandwidth. It is concurrently accessed by fore200e_open(), fore200e_close(), and fore200e_change_qos(). In fore200e_open(), the lock rate_mtx is correctly held when subtracting vcc->qos.txtp.max_pcr from available_cell_rate to reserve bandwidth. However, if the subsequent call to fore200e_activate_vcin() fails, the function restores the reserved bandwidth by adding back to available_cell_rate without holding the lock. This introduces a race condition because available_cell_rate is a global device resource shared across all VCCs. If the error path in fore200e_open() executes concurrently with operations like fore200e_close() or fore200e_change_qos() on other VCCs, a read-modify-write race occurs. Specifically, the error path reads the rate without the lock. If another CPU acquires the lock and modifies the rate (e.g., releasing bandwidth in fore200e_close()) between this read and the subsequent write, the error path will overwrite the concurrent update with a stale value. This results in incorrect bandwidth accounting.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/1b60f42a639999c37…
	https://git.kernel.org/stable/c/bd1415efbab507b9b…
	https://git.kernel.org/stable/c/ed34c70d88e2b8b9b…
	https://git.kernel.org/stable/c/9917ba597cf95f307…
	https://git.kernel.org/stable/c/667ac868823224374…
	https://git.kernel.org/stable/c/6610361458e7eb650…
	https://git.kernel.org/stable/c/82fca3d8a4a34667f…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1b60f42a639999c37da7f1fbfa1ad29cf4cbdd2d (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < bd1415efbab507b9b995918105eef953013449dd (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ed34c70d88e2b8b9bc6c3ede88751186d6c6d5d1 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9917ba597cf95f307778e495f71ff25a5064d167 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 667ac868823224374f819500adc5baa2889c7bc5 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6610361458e7eb6502dd3182f586f91fcc218039 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 82fca3d8a4a34667f01ec2351a607135249c9cff (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.119 , ≤ 6.6.* (semver)
Unaffected: 6.12.61 , ≤ 6.12.* (semver)
Unaffected: 6.17.11 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/atm/fore200e.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1b60f42a639999c37da7f1fbfa1ad29cf4cbdd2d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "bd1415efbab507b9b995918105eef953013449dd",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ed34c70d88e2b8b9bc6c3ede88751186d6c6d5d1",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9917ba597cf95f307778e495f71ff25a5064d167",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "667ac868823224374f819500adc5baa2889c7bc5",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "6610361458e7eb6502dd3182f586f91fcc218039",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "82fca3d8a4a34667f01ec2351a607135249c9cff",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/atm/fore200e.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.119",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.119",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.61",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.11",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\natm/fore200e: Fix possible data race in fore200e_open()\n\nProtect access to fore200e-\u003eavailable_cell_rate with rate_mtx lock in the\nerror handling path of fore200e_open() to prevent a data race.\n\nThe field fore200e-\u003eavailable_cell_rate is a shared resource used to track\navailable bandwidth. It is concurrently accessed by fore200e_open(),\nfore200e_close(), and fore200e_change_qos().\n\nIn fore200e_open(), the lock rate_mtx is correctly held when subtracting\nvcc-\u003eqos.txtp.max_pcr from available_cell_rate to reserve bandwidth.\nHowever, if the subsequent call to fore200e_activate_vcin() fails, the\nfunction restores the reserved bandwidth by adding back to\navailable_cell_rate without holding the lock.\n\nThis introduces a race condition because available_cell_rate is a global\ndevice resource shared across all VCCs. If the error path in\nfore200e_open() executes concurrently with operations like\nfore200e_close() or fore200e_change_qos() on other VCCs, a\nread-modify-write race occurs.\n\nSpecifically, the error path reads the rate without the lock. If another\nCPU acquires the lock and modifies the rate (e.g., releasing bandwidth in\nfore200e_close()) between this read and the subsequent write, the error\npath will overwrite the concurrent update with a stale value. This results\nin incorrect bandwidth accounting."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-23T13:58:24.955Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1b60f42a639999c37da7f1fbfa1ad29cf4cbdd2d"
        },
        {
          "url": "https://git.kernel.org/stable/c/bd1415efbab507b9b995918105eef953013449dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed34c70d88e2b8b9bc6c3ede88751186d6c6d5d1"
        },
        {
          "url": "https://git.kernel.org/stable/c/9917ba597cf95f307778e495f71ff25a5064d167"
        },
        {
          "url": "https://git.kernel.org/stable/c/667ac868823224374f819500adc5baa2889c7bc5"
        },
        {
          "url": "https://git.kernel.org/stable/c/6610361458e7eb6502dd3182f586f91fcc218039"
        },
        {
          "url": "https://git.kernel.org/stable/c/82fca3d8a4a34667f01ec2351a607135249c9cff"
        }
      ],
      "title": "atm/fore200e: Fix possible data race in fore200e_open()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68339",
    "datePublished": "2025-12-23T13:58:24.955Z",
    "dateReserved": "2025-12-16T14:48:05.297Z",
    "dateUpdated": "2025-12-23T13:58:24.955Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68242 (GCVE-0-2025-68242)

Vulnerability from cvelistv5 – Published: 2025-12-16 14:21 – Updated: 2025-12-16 14:21

Title

NFS: Fix LTP test failures when timestamps are delegated

Summary

In the Linux kernel, the following vulnerability has been resolved: NFS: Fix LTP test failures when timestamps are delegated The utimes01 and utime06 tests fail when delegated timestamps are enabled, specifically in subtests that modify the atime and mtime fields using the 'nobody' user ID. The problem can be reproduced as follow: # echo "/media *(rw,no_root_squash,sync)" >> /etc/exports # export -ra # mount -o rw,nfsvers=4.2 127.0.0.1:/media /tmpdir # cd /opt/ltp # ./runltp -d /tmpdir -s utimes01 # ./runltp -d /tmpdir -s utime06 This issue occurs because nfs_setattr does not verify the inode's UID against the caller's fsuid when delegated timestamps are permitted for the inode. This patch adds the UID check and if it does not match then the request is sent to the server for permission checking.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b2e4cda71ed062c87…
	https://git.kernel.org/stable/c/0e9be902041c6b9f0…
	https://git.kernel.org/stable/c/b623390045a81fc55…

Impacted products

Vendor

Product

Version

Linux

Affected: e12912d94137ab36ee704a91f465ff15c8b423da , < b2e4cda71ed062c87573b016d2d956a62f4258ed (git)
Affected: e12912d94137ab36ee704a91f465ff15c8b423da , < 0e9be902041c6b9f0ed4b72764187eed1067a42f (git)
Affected: e12912d94137ab36ee704a91f465ff15c8b423da , < b623390045a81fc559decb9bfeb79319721d3dfb (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.12.59 , ≤ 6.12.* (semver)
Unaffected: 6.17.9 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nfs/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b2e4cda71ed062c87573b016d2d956a62f4258ed",
              "status": "affected",
              "version": "e12912d94137ab36ee704a91f465ff15c8b423da",
              "versionType": "git"
            },
            {
              "lessThan": "0e9be902041c6b9f0ed4b72764187eed1067a42f",
              "status": "affected",
              "version": "e12912d94137ab36ee704a91f465ff15c8b423da",
              "versionType": "git"
            },
            {
              "lessThan": "b623390045a81fc559decb9bfeb79319721d3dfb",
              "status": "affected",
              "version": "e12912d94137ab36ee704a91f465ff15c8b423da",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nfs/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix LTP test failures when timestamps are delegated\n\nThe utimes01 and utime06 tests fail when delegated timestamps are\nenabled, specifically in subtests that modify the atime and mtime\nfields using the \u0027nobody\u0027 user ID.\n\nThe problem can be reproduced as follow:\n\n# echo \"/media *(rw,no_root_squash,sync)\" \u003e\u003e /etc/exports\n# export -ra\n# mount -o rw,nfsvers=4.2 127.0.0.1:/media /tmpdir\n# cd /opt/ltp\n# ./runltp -d /tmpdir -s utimes01\n# ./runltp -d /tmpdir -s utime06\n\nThis issue occurs because nfs_setattr does not verify the inode\u0027s\nUID against the caller\u0027s fsuid when delegated timestamps are\npermitted for the inode.\n\nThis patch adds the UID check and if it does not match then the\nrequest is sent to the server for permission checking."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T14:21:19.558Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b2e4cda71ed062c87573b016d2d956a62f4258ed"
        },
        {
          "url": "https://git.kernel.org/stable/c/0e9be902041c6b9f0ed4b72764187eed1067a42f"
        },
        {
          "url": "https://git.kernel.org/stable/c/b623390045a81fc559decb9bfeb79319721d3dfb"
        }
      ],
      "title": "NFS: Fix LTP test failures when timestamps are delegated",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68242",
    "datePublished": "2025-12-16T14:21:19.558Z",
    "dateReserved": "2025-12-16T13:41:40.263Z",
    "dateUpdated": "2025-12-16T14:21:19.558Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68306 (GCVE-0-2025-68306)

Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06

Title

Bluetooth: btusb: mediatek: Fix kernel crash when releasing mtk iso interface

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: mediatek: Fix kernel crash when releasing mtk iso interface When performing reset tests and encountering abnormal card drop issues that lead to a kernel crash, it is necessary to perform a null check before releasing resources to avoid attempting to release a null pointer. <4>[ 29.158070] Hardware name: Google Quigon sku196612/196613 board (DT) <4>[ 29.158076] Workqueue: hci0 hci_cmd_sync_work [bluetooth] <4>[ 29.158154] pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) <4>[ 29.158162] pc : klist_remove+0x90/0x158 <4>[ 29.158174] lr : klist_remove+0x88/0x158 <4>[ 29.158180] sp : ffffffc0846b3c00 <4>[ 29.158185] pmr_save: 000000e0 <4>[ 29.158188] x29: ffffffc0846b3c30 x28: ffffff80cd31f880 x27: ffffff80c1bdc058 <4>[ 29.158199] x26: dead000000000100 x25: ffffffdbdc624ea3 x24: ffffff80c1bdc4c0 <4>[ 29.158209] x23: ffffffdbdc62a3e6 x22: ffffff80c6c07000 x21: ffffffdbdc829290 <4>[ 29.158219] x20: 0000000000000000 x19: ffffff80cd3e0648 x18: 000000031ec97781 <4>[ 29.158229] x17: ffffff80c1bdc4a8 x16: ffffffdc10576548 x15: ffffff80c1180428 <4>[ 29.158238] x14: 0000000000000000 x13: 000000000000e380 x12: 0000000000000018 <4>[ 29.158248] x11: ffffff80c2a7fd10 x10: 0000000000000000 x9 : 0000000100000000 <4>[ 29.158257] x8 : 0000000000000000 x7 : 7f7f7f7f7f7f7f7f x6 : 2d7223ff6364626d <4>[ 29.158266] x5 : 0000008000000000 x4 : 0000000000000020 x3 : 2e7325006465636e <4>[ 29.158275] x2 : ffffffdc11afeff8 x1 : 0000000000000000 x0 : ffffffdc11be4d0c <4>[ 29.158285] Call trace: <4>[ 29.158290] klist_remove+0x90/0x158 <4>[ 29.158298] device_release_driver_internal+0x20c/0x268 <4>[ 29.158308] device_release_driver+0x1c/0x30 <4>[ 29.158316] usb_driver_release_interface+0x70/0x88 <4>[ 29.158325] btusb_mtk_release_iso_intf+0x68/0xd8 [btusb (HASH:e8b6 5)] <4>[ 29.158347] btusb_mtk_reset+0x5c/0x480 [btusb (HASH:e8b6 5)] <4>[ 29.158361] hci_cmd_sync_work+0x10c/0x188 [bluetooth (HASH:a4fa 6)] <4>[ 29.158430] process_scheduled_works+0x258/0x4e8 <4>[ 29.158441] worker_thread+0x300/0x428 <4>[ 29.158448] kthread+0x108/0x1d0 <4>[ 29.158455] ret_from_fork+0x10/0x20 <0>[ 29.158467] Code: 91343000 940139d1 f9400268 927ff914 (f9401297) <4>[ 29.158474] ---[ end trace 0000000000000000 ]--- <0>[ 29.167129] Kernel panic - not syncing: Oops: Fatal exception <2>[ 29.167144] SMP: stopping secondary CPUs <4>[ 29.167158] ------------[ cut here ]------------

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/421e88a0d85782786…
	https://git.kernel.org/stable/c/faae9f2ea8806f249…
	https://git.kernel.org/stable/c/4015b979767125cf8…

Impacted products

Vendor

Product

Version

Linux

Affected: ceac1cb0259de682d78f5c784ef8e0b13022e9d9 , < 421e88a0d85782786b7a1764c75518b4845e07b3 (git)
Affected: ceac1cb0259de682d78f5c784ef8e0b13022e9d9 , < faae9f2ea8806f2499186448adbf94689b47b82b (git)
Affected: ceac1cb0259de682d78f5c784ef8e0b13022e9d9 , < 4015b979767125cf8a2233a145a3b3af78bfd8fb (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.12.61 , ≤ 6.12.* (semver)
Unaffected: 6.17.11 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/bluetooth/btusb.c",
            "include/net/bluetooth/hci_core.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "421e88a0d85782786b7a1764c75518b4845e07b3",
              "status": "affected",
              "version": "ceac1cb0259de682d78f5c784ef8e0b13022e9d9",
              "versionType": "git"
            },
            {
              "lessThan": "faae9f2ea8806f2499186448adbf94689b47b82b",
              "status": "affected",
              "version": "ceac1cb0259de682d78f5c784ef8e0b13022e9d9",
              "versionType": "git"
            },
            {
              "lessThan": "4015b979767125cf8a2233a145a3b3af78bfd8fb",
              "status": "affected",
              "version": "ceac1cb0259de682d78f5c784ef8e0b13022e9d9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/bluetooth/btusb.c",
            "include/net/bluetooth/hci_core.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.61",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.11",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btusb: mediatek: Fix kernel crash when releasing mtk iso interface\n\nWhen performing reset tests and encountering abnormal card drop issues\nthat lead to a kernel crash, it is necessary to perform a null check\nbefore releasing resources to avoid attempting to release a null pointer.\n\n\u003c4\u003e[   29.158070] Hardware name: Google Quigon sku196612/196613 board (DT)\n\u003c4\u003e[   29.158076] Workqueue: hci0 hci_cmd_sync_work [bluetooth]\n\u003c4\u003e[   29.158154] pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n\u003c4\u003e[   29.158162] pc : klist_remove+0x90/0x158\n\u003c4\u003e[   29.158174] lr : klist_remove+0x88/0x158\n\u003c4\u003e[   29.158180] sp : ffffffc0846b3c00\n\u003c4\u003e[   29.158185] pmr_save: 000000e0\n\u003c4\u003e[   29.158188] x29: ffffffc0846b3c30 x28: ffffff80cd31f880 x27: ffffff80c1bdc058\n\u003c4\u003e[   29.158199] x26: dead000000000100 x25: ffffffdbdc624ea3 x24: ffffff80c1bdc4c0\n\u003c4\u003e[   29.158209] x23: ffffffdbdc62a3e6 x22: ffffff80c6c07000 x21: ffffffdbdc829290\n\u003c4\u003e[   29.158219] x20: 0000000000000000 x19: ffffff80cd3e0648 x18: 000000031ec97781\n\u003c4\u003e[   29.158229] x17: ffffff80c1bdc4a8 x16: ffffffdc10576548 x15: ffffff80c1180428\n\u003c4\u003e[   29.158238] x14: 0000000000000000 x13: 000000000000e380 x12: 0000000000000018\n\u003c4\u003e[   29.158248] x11: ffffff80c2a7fd10 x10: 0000000000000000 x9 : 0000000100000000\n\u003c4\u003e[   29.158257] x8 : 0000000000000000 x7 : 7f7f7f7f7f7f7f7f x6 : 2d7223ff6364626d\n\u003c4\u003e[   29.158266] x5 : 0000008000000000 x4 : 0000000000000020 x3 : 2e7325006465636e\n\u003c4\u003e[   29.158275] x2 : ffffffdc11afeff8 x1 : 0000000000000000 x0 : ffffffdc11be4d0c\n\u003c4\u003e[   29.158285] Call trace:\n\u003c4\u003e[   29.158290]  klist_remove+0x90/0x158\n\u003c4\u003e[   29.158298]  device_release_driver_internal+0x20c/0x268\n\u003c4\u003e[   29.158308]  device_release_driver+0x1c/0x30\n\u003c4\u003e[   29.158316]  usb_driver_release_interface+0x70/0x88\n\u003c4\u003e[   29.158325]  btusb_mtk_release_iso_intf+0x68/0xd8 [btusb (HASH:e8b6 5)]\n\u003c4\u003e[   29.158347]  btusb_mtk_reset+0x5c/0x480 [btusb (HASH:e8b6 5)]\n\u003c4\u003e[   29.158361]  hci_cmd_sync_work+0x10c/0x188 [bluetooth (HASH:a4fa 6)]\n\u003c4\u003e[   29.158430]  process_scheduled_works+0x258/0x4e8\n\u003c4\u003e[   29.158441]  worker_thread+0x300/0x428\n\u003c4\u003e[   29.158448]  kthread+0x108/0x1d0\n\u003c4\u003e[   29.158455]  ret_from_fork+0x10/0x20\n\u003c0\u003e[   29.158467] Code: 91343000 940139d1 f9400268 927ff914 (f9401297)\n\u003c4\u003e[   29.158474] ---[ end trace 0000000000000000 ]---\n\u003c0\u003e[   29.167129] Kernel panic - not syncing: Oops: Fatal exception\n\u003c2\u003e[   29.167144] SMP: stopping secondary CPUs\n\u003c4\u003e[   29.167158] ------------[ cut here ]------------"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T15:06:23.486Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/421e88a0d85782786b7a1764c75518b4845e07b3"
        },
        {
          "url": "https://git.kernel.org/stable/c/faae9f2ea8806f2499186448adbf94689b47b82b"
        },
        {
          "url": "https://git.kernel.org/stable/c/4015b979767125cf8a2233a145a3b3af78bfd8fb"
        }
      ],
      "title": "Bluetooth: btusb: mediatek: Fix kernel crash when releasing mtk iso interface",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68306",
    "datePublished": "2025-12-16T15:06:23.486Z",
    "dateReserved": "2025-12-16T14:48:05.294Z",
    "dateUpdated": "2025-12-16T15:06:23.486Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-71096 (GCVE-0-2025-71096)

Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-01-19 12:19

Title

RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly The netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a LS_NLA_TYPE_DGID attribute, it is invalid if it does not. Use the nl parsing logic properly and call nla_parse_deprecated() to fill the nlattrs array and then directly index that array to get the data for the DGID. Just fail if it is NULL. Remove the for loop searching for the nla, and squash the validation and parsing into one function. Fixes an uninitialized read from the stack triggered by userspace if it does not provide the DGID to a kernel initiated RDMA_NL_LS_OP_IP_RESOLVE query. BUG: KMSAN: uninit-value in hex_byte_pack include/linux/hex.h:13 [inline] BUG: KMSAN: uninit-value in ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490 hex_byte_pack include/linux/hex.h:13 [inline] ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490 ip6_addr_string+0x18a/0x3e0 lib/vsprintf.c:1509 ip_addr_string+0x245/0xee0 lib/vsprintf.c:1633 pointer+0xc09/0x1bd0 lib/vsprintf.c:2542 vsnprintf+0xf8a/0x1bd0 lib/vsprintf.c:2930 vprintk_store+0x3ae/0x1530 kernel/printk/printk.c:2279 vprintk_emit+0x307/0xcd0 kernel/printk/printk.c:2426 vprintk_default+0x3f/0x50 kernel/printk/printk.c:2465 vprintk+0x36/0x50 kernel/printk/printk_safe.c:82 _printk+0x17e/0x1b0 kernel/printk/printk.c:2475 ib_nl_process_good_ip_rsep drivers/infiniband/core/addr.c:128 [inline] ib_nl_handle_ip_res_resp+0x963/0x9d0 drivers/infiniband/core/addr.c:141 rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline] rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline] rdma_nl_rcv+0xefa/0x11c0 drivers/infiniband/core/netlink.c:259 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg+0x333/0x3d0 net/socket.c:729 ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2617 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2671 __sys_sendmsg+0x1aa/0x300 net/socket.c:2703 __compat_sys_sendmsg net/compat.c:346 [inline] __do_compat_sys_sendmsg net/compat.c:353 [inline] __se_compat_sys_sendmsg net/compat.c:350 [inline] __ia32_compat_sys_sendmsg+0xa4/0x100 net/compat.c:350 ia32_sys_call+0x3f6c/0x4310 arch/x86/include/generated/asm/syscalls_32.h:371 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] __do_fast_syscall_32+0xb0/0x150 arch/x86/entry/syscall_32.c:306 do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:3

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/376f46c8983458ead…
	https://git.kernel.org/stable/c/bfe10318fc23e0b3f…
	https://git.kernel.org/stable/c/45532638de5da24c2…
	https://git.kernel.org/stable/c/9d85524789c2f17c0…
	https://git.kernel.org/stable/c/acadd4097d25d6bd4…
	https://git.kernel.org/stable/c/0b948afc1ded88b35…
	https://git.kernel.org/stable/c/a7b8e876e0ef0232b…

Impacted products

Vendor

Product

Version

Linux

Affected: ae43f8286730d1f2d241c34601df59f6d2286ac4 , < 376f46c8983458ead26cac83aa897a0b78491831 (git)
Affected: ae43f8286730d1f2d241c34601df59f6d2286ac4 , < bfe10318fc23e0b3f1d0a18dad387d29473a624d (git)
Affected: ae43f8286730d1f2d241c34601df59f6d2286ac4 , < 45532638de5da24c201aa2a9b3dd4b054064de7b (git)
Affected: ae43f8286730d1f2d241c34601df59f6d2286ac4 , < 9d85524789c2f17c0e87de8d596bcccc3683a1fc (git)
Affected: ae43f8286730d1f2d241c34601df59f6d2286ac4 , < acadd4097d25d6bd472bcb3f9f3eba2b5105d1ec (git)
Affected: ae43f8286730d1f2d241c34601df59f6d2286ac4 , < 0b948afc1ded88b3562c893114387f34389eeb94 (git)
Affected: ae43f8286730d1f2d241c34601df59f6d2286ac4 , < a7b8e876e0ef0232b8076972c57ce9a7286b47ca (git)

Linux

Affected: 4.7
Unaffected: 0 , < 4.7 (semver)
Unaffected: 5.10.248 , ≤ 5.10.* (semver)
Unaffected: 5.15.198 , ≤ 5.15.* (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.64 , ≤ 6.12.* (semver)
Unaffected: 6.18.4 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc4 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/core/addr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "376f46c8983458ead26cac83aa897a0b78491831",
              "status": "affected",
              "version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
              "versionType": "git"
            },
            {
              "lessThan": "bfe10318fc23e0b3f1d0a18dad387d29473a624d",
              "status": "affected",
              "version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
              "versionType": "git"
            },
            {
              "lessThan": "45532638de5da24c201aa2a9b3dd4b054064de7b",
              "status": "affected",
              "version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
              "versionType": "git"
            },
            {
              "lessThan": "9d85524789c2f17c0e87de8d596bcccc3683a1fc",
              "status": "affected",
              "version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
              "versionType": "git"
            },
            {
              "lessThan": "acadd4097d25d6bd472bcb3f9f3eba2b5105d1ec",
              "status": "affected",
              "version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
              "versionType": "git"
            },
            {
              "lessThan": "0b948afc1ded88b3562c893114387f34389eeb94",
              "status": "affected",
              "version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
              "versionType": "git"
            },
            {
              "lessThan": "a7b8e876e0ef0232b8076972c57ce9a7286b47ca",
              "status": "affected",
              "version": "ae43f8286730d1f2d241c34601df59f6d2286ac4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/core/addr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.7"
            },
            {
              "lessThan": "4.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.248",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc4",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.248",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.198",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.64",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.4",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc4",
                  "versionStartIncluding": "4.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly\n\nThe netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a\nLS_NLA_TYPE_DGID attribute, it is invalid if it does not.\n\nUse the nl parsing logic properly and call nla_parse_deprecated() to fill\nthe nlattrs array and then directly index that array to get the data for\nthe DGID. Just fail if it is NULL.\n\nRemove the for loop searching for the nla, and squash the validation and\nparsing into one function.\n\nFixes an uninitialized read from the stack triggered by userspace if it\ndoes not provide the DGID to a kernel initiated RDMA_NL_LS_OP_IP_RESOLVE\nquery.\n\n    BUG: KMSAN: uninit-value in hex_byte_pack include/linux/hex.h:13 [inline]\n    BUG: KMSAN: uninit-value in ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490\n     hex_byte_pack include/linux/hex.h:13 [inline]\n     ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490\n     ip6_addr_string+0x18a/0x3e0 lib/vsprintf.c:1509\n     ip_addr_string+0x245/0xee0 lib/vsprintf.c:1633\n     pointer+0xc09/0x1bd0 lib/vsprintf.c:2542\n     vsnprintf+0xf8a/0x1bd0 lib/vsprintf.c:2930\n     vprintk_store+0x3ae/0x1530 kernel/printk/printk.c:2279\n     vprintk_emit+0x307/0xcd0 kernel/printk/printk.c:2426\n     vprintk_default+0x3f/0x50 kernel/printk/printk.c:2465\n     vprintk+0x36/0x50 kernel/printk/printk_safe.c:82\n     _printk+0x17e/0x1b0 kernel/printk/printk.c:2475\n     ib_nl_process_good_ip_rsep drivers/infiniband/core/addr.c:128 [inline]\n     ib_nl_handle_ip_res_resp+0x963/0x9d0 drivers/infiniband/core/addr.c:141\n     rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline]\n     rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]\n     rdma_nl_rcv+0xefa/0x11c0 drivers/infiniband/core/netlink.c:259\n     netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]\n     netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346\n     netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896\n     sock_sendmsg_nosec net/socket.c:714 [inline]\n     __sock_sendmsg+0x333/0x3d0 net/socket.c:729\n     ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2617\n     ___sys_sendmsg+0x271/0x3b0 net/socket.c:2671\n     __sys_sendmsg+0x1aa/0x300 net/socket.c:2703\n     __compat_sys_sendmsg net/compat.c:346 [inline]\n     __do_compat_sys_sendmsg net/compat.c:353 [inline]\n     __se_compat_sys_sendmsg net/compat.c:350 [inline]\n     __ia32_compat_sys_sendmsg+0xa4/0x100 net/compat.c:350\n     ia32_sys_call+0x3f6c/0x4310 arch/x86/include/generated/asm/syscalls_32.h:371\n     do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]\n     __do_fast_syscall_32+0xb0/0x150 arch/x86/entry/syscall_32.c:306\n     do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331\n     do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:3"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-19T12:19:56.896Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/376f46c8983458ead26cac83aa897a0b78491831"
        },
        {
          "url": "https://git.kernel.org/stable/c/bfe10318fc23e0b3f1d0a18dad387d29473a624d"
        },
        {
          "url": "https://git.kernel.org/stable/c/45532638de5da24c201aa2a9b3dd4b054064de7b"
        },
        {
          "url": "https://git.kernel.org/stable/c/9d85524789c2f17c0e87de8d596bcccc3683a1fc"
        },
        {
          "url": "https://git.kernel.org/stable/c/acadd4097d25d6bd472bcb3f9f3eba2b5105d1ec"
        },
        {
          "url": "https://git.kernel.org/stable/c/0b948afc1ded88b3562c893114387f34389eeb94"
        },
        {
          "url": "https://git.kernel.org/stable/c/a7b8e876e0ef0232b8076972c57ce9a7286b47ca"
        }
      ],
      "title": "RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-71096",
    "datePublished": "2026-01-13T15:34:56.118Z",
    "dateReserved": "2026-01-13T15:30:19.650Z",
    "dateUpdated": "2026-01-19T12:19:56.896Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39963 (GCVE-0-2025-39963)

Vulnerability from cvelistv5 – Published: 2025-10-09 12:13 – Updated: 2025-10-09 12:13

Title

io_uring: fix incorrect io_kiocb reference in io_link_skb

Summary

In the Linux kernel, the following vulnerability has been resolved: io_uring: fix incorrect io_kiocb reference in io_link_skb In io_link_skb function, there is a bug where prev_notif is incorrectly assigned using 'nd' instead of 'prev_nd'. This causes the context validation check to compare the current notification with itself instead of comparing it with the previous notification. Fix by using the correct prev_nd parameter when obtaining prev_notif.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a89c34babc2e5834a…
	https://git.kernel.org/stable/c/50a98ce1ea694f1ff…
	https://git.kernel.org/stable/c/2c139a47eff8de24e…

Impacted products

Vendor

Product

Version

Linux

Affected: 6fe4220912d19152a26ce19713ab232f4263018d , < a89c34babc2e5834aa0905278f26f4dbe4b26b76 (git)
Affected: 6fe4220912d19152a26ce19713ab232f4263018d , < 50a98ce1ea694f1ff8e87bc2f8f84096d1736f6a (git)
Affected: 6fe4220912d19152a26ce19713ab232f4263018d , < 2c139a47eff8de24e3350dadb4c9d5e3426db826 (git)

Linux

Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.12.49 , ≤ 6.12.* (semver)
Unaffected: 6.16.9 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "io_uring/notif.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a89c34babc2e5834aa0905278f26f4dbe4b26b76",
              "status": "affected",
              "version": "6fe4220912d19152a26ce19713ab232f4263018d",
              "versionType": "git"
            },
            {
              "lessThan": "50a98ce1ea694f1ff8e87bc2f8f84096d1736f6a",
              "status": "affected",
              "version": "6fe4220912d19152a26ce19713ab232f4263018d",
              "versionType": "git"
            },
            {
              "lessThan": "2c139a47eff8de24e3350dadb4c9d5e3426db826",
              "status": "affected",
              "version": "6fe4220912d19152a26ce19713ab232f4263018d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "io_uring/notif.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.49",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.49",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.9",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix incorrect io_kiocb reference in io_link_skb\n\nIn io_link_skb function, there is a bug where prev_notif is incorrectly\nassigned using \u0027nd\u0027 instead of \u0027prev_nd\u0027. This causes the context\nvalidation check to compare the current notification with itself instead\nof comparing it with the previous notification.\n\nFix by using the correct prev_nd parameter when obtaining prev_notif."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-09T12:13:23.345Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a89c34babc2e5834aa0905278f26f4dbe4b26b76"
        },
        {
          "url": "https://git.kernel.org/stable/c/50a98ce1ea694f1ff8e87bc2f8f84096d1736f6a"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c139a47eff8de24e3350dadb4c9d5e3426db826"
        }
      ],
      "title": "io_uring: fix incorrect io_kiocb reference in io_link_skb",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39963",
    "datePublished": "2025-10-09T12:13:23.345Z",
    "dateReserved": "2025-04-16T07:20:57.149Z",
    "dateUpdated": "2025-10-09T12:13:23.345Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-40268 (GCVE-0-2025-40268)

Vulnerability from cvelistv5 – Published: 2025-12-06 21:50 – Updated: 2026-01-02 15:33

Title

cifs: client: fix memory leak in smb3_fs_context_parse_param

Summary

In the Linux kernel, the following vulnerability has been resolved: cifs: client: fix memory leak in smb3_fs_context_parse_param The user calls fsconfig twice, but when the program exits, free() only frees ctx->source for the second fsconfig, not the first. Regarding fc->source, there is no code in the fs context related to its memory reclamation. To fix this memory leak, release the source memory corresponding to ctx or fc before each parsing. syzbot reported: BUG: memory leak unreferenced object 0xffff888128afa360 (size 96): backtrace (crc 79c9c7ba): kstrdup+0x3c/0x80 mm/util.c:84 smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444 BUG: memory leak unreferenced object 0xffff888112c7d900 (size 96): backtrace (crc 79c9c7ba): smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629 smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/868fc62811d3fabcf…
	https://git.kernel.org/stable/c/48c17341577e25a22…
	https://git.kernel.org/stable/c/4515743cc7a42e1d6…
	https://git.kernel.org/stable/c/e8c73eb7db0a498cd…

Impacted products

Vendor

Product

Version

Linux

Affected: af1a3d2ba9543e99d78914d8fb88b61d0531d9a1 , < 868fc62811d3fabcf5685e14f36377a855d5412d (git)
Affected: af1a3d2ba9543e99d78914d8fb88b61d0531d9a1 , < 48c17341577e25a22feb13d694374b61d974edbc (git)
Affected: af1a3d2ba9543e99d78914d8fb88b61d0531d9a1 , < 4515743cc7a42e1d67468402a6420c195532a6fa (git)
Affected: af1a3d2ba9543e99d78914d8fb88b61d0531d9a1 , < e8c73eb7db0a498cd4b22d2819e6ab1a6f506bd6 (git)

Linux

Affected: 5.11
Unaffected: 0 , < 5.11 (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.59 , ≤ 6.12.* (semver)
Unaffected: 6.17.9 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/fs_context.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "868fc62811d3fabcf5685e14f36377a855d5412d",
              "status": "affected",
              "version": "af1a3d2ba9543e99d78914d8fb88b61d0531d9a1",
              "versionType": "git"
            },
            {
              "lessThan": "48c17341577e25a22feb13d694374b61d974edbc",
              "status": "affected",
              "version": "af1a3d2ba9543e99d78914d8fb88b61d0531d9a1",
              "versionType": "git"
            },
            {
              "lessThan": "4515743cc7a42e1d67468402a6420c195532a6fa",
              "status": "affected",
              "version": "af1a3d2ba9543e99d78914d8fb88b61d0531d9a1",
              "versionType": "git"
            },
            {
              "lessThan": "e8c73eb7db0a498cd4b22d2819e6ab1a6f506bd6",
              "status": "affected",
              "version": "af1a3d2ba9543e99d78914d8fb88b61d0531d9a1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/fs_context.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.11"
            },
            {
              "lessThan": "5.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: client: fix memory leak in smb3_fs_context_parse_param\n\nThe user calls fsconfig twice, but when the program exits, free() only\nfrees ctx-\u003esource for the second fsconfig, not the first.\nRegarding fc-\u003esource, there is no code in the fs context related to its\nmemory reclamation.\n\nTo fix this memory leak, release the source memory corresponding to ctx\nor fc before each parsing.\n\nsyzbot reported:\nBUG: memory leak\nunreferenced object 0xffff888128afa360 (size 96):\n  backtrace (crc 79c9c7ba):\n    kstrdup+0x3c/0x80 mm/util.c:84\n    smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444\n\nBUG: memory leak\nunreferenced object 0xffff888112c7d900 (size 96):\n  backtrace (crc 79c9c7ba):\n    smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629\n    smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:33:18.852Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/868fc62811d3fabcf5685e14f36377a855d5412d"
        },
        {
          "url": "https://git.kernel.org/stable/c/48c17341577e25a22feb13d694374b61d974edbc"
        },
        {
          "url": "https://git.kernel.org/stable/c/4515743cc7a42e1d67468402a6420c195532a6fa"
        },
        {
          "url": "https://git.kernel.org/stable/c/e8c73eb7db0a498cd4b22d2819e6ab1a6f506bd6"
        }
      ],
      "title": "cifs: client: fix memory leak in smb3_fs_context_parse_param",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40268",
    "datePublished": "2025-12-06T21:50:48.917Z",
    "dateReserved": "2025-04-16T07:20:57.183Z",
    "dateUpdated": "2026-01-02T15:33:18.852Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68172 (GCVE-0-2025-68172)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:42 – Updated: 2025-12-16 13:42

Title

crypto: aspeed - fix double free caused by devm

Summary

In the Linux kernel, the following vulnerability has been resolved: crypto: aspeed - fix double free caused by devm The clock obtained via devm_clk_get_enabled() is automatically managed by devres and will be disabled and freed on driver detach. Manually calling clk_disable_unprepare() in error path and remove function causes double free. Remove the manual clock cleanup in both aspeed_acry_probe()'s error path and aspeed_acry_remove().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0dd6474ced3348907…
	https://git.kernel.org/stable/c/29d0504077044a7e1…
	https://git.kernel.org/stable/c/e8407dfd267018f46…
	https://git.kernel.org/stable/c/3c9bf72cc1ced1297…

Impacted products

Vendor

Product

Version

Linux

Affected: 2f1cf4e50c956f882c9fc209c7cded832b67b8a3 , < 0dd6474ced33489076e6c0f3fe5077bf12e85b28 (git)
Affected: 2f1cf4e50c956f882c9fc209c7cded832b67b8a3 , < 29d0504077044a7e1ffbd09a6118018d5954a6e5 (git)
Affected: 2f1cf4e50c956f882c9fc209c7cded832b67b8a3 , < e8407dfd267018f4647ffb061a9bd4a6d7ebacc6 (git)
Affected: 2f1cf4e50c956f882c9fc209c7cded832b67b8a3 , < 3c9bf72cc1ced1297b235f9422d62b613a3fdae9 (git)

Linux

Affected: 6.3
Unaffected: 0 , < 6.3 (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/aspeed/aspeed-acry.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0dd6474ced33489076e6c0f3fe5077bf12e85b28",
              "status": "affected",
              "version": "2f1cf4e50c956f882c9fc209c7cded832b67b8a3",
              "versionType": "git"
            },
            {
              "lessThan": "29d0504077044a7e1ffbd09a6118018d5954a6e5",
              "status": "affected",
              "version": "2f1cf4e50c956f882c9fc209c7cded832b67b8a3",
              "versionType": "git"
            },
            {
              "lessThan": "e8407dfd267018f4647ffb061a9bd4a6d7ebacc6",
              "status": "affected",
              "version": "2f1cf4e50c956f882c9fc209c7cded832b67b8a3",
              "versionType": "git"
            },
            {
              "lessThan": "3c9bf72cc1ced1297b235f9422d62b613a3fdae9",
              "status": "affected",
              "version": "2f1cf4e50c956f882c9fc209c7cded832b67b8a3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/aspeed/aspeed-acry.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: aspeed - fix double free caused by devm\n\nThe clock obtained via devm_clk_get_enabled() is automatically managed\nby devres and will be disabled and freed on driver detach. Manually\ncalling clk_disable_unprepare() in error path and remove function\ncauses double free.\n\nRemove the manual clock cleanup in both aspeed_acry_probe()\u0027s error\npath and aspeed_acry_remove()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T13:42:52.141Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0dd6474ced33489076e6c0f3fe5077bf12e85b28"
        },
        {
          "url": "https://git.kernel.org/stable/c/29d0504077044a7e1ffbd09a6118018d5954a6e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/e8407dfd267018f4647ffb061a9bd4a6d7ebacc6"
        },
        {
          "url": "https://git.kernel.org/stable/c/3c9bf72cc1ced1297b235f9422d62b613a3fdae9"
        }
      ],
      "title": "crypto: aspeed - fix double free caused by devm",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68172",
    "datePublished": "2025-12-16T13:42:52.141Z",
    "dateReserved": "2025-12-16T13:41:40.251Z",
    "dateUpdated": "2025-12-16T13:42:52.141Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50709 (GCVE-0-2022-50709)

Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2026-01-02 15:03

Title

wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg() syzbot is reporting uninit value at ath9k_htc_rx_msg() [1], for ioctl(USB_RAW_IOCTL_EP_WRITE) can call ath9k_hif_usb_rx_stream() with pkt_len = 0 but ath9k_hif_usb_rx_stream() uses __dev_alloc_skb(pkt_len + 32, GFP_ATOMIC) based on an assumption that pkt_len is valid. As a result, ath9k_hif_usb_rx_stream() allocates skb with uninitialized memory and ath9k_htc_rx_msg() is reading from uninitialized memory. Since bytes accessed by ath9k_htc_rx_msg() is not known until ath9k_htc_rx_msg() is called, it would be difficult to check minimal valid pkt_len at "if (pkt_len > 2 * MAX_RX_BUF_SIZE) {" line in ath9k_hif_usb_rx_stream(). We have two choices. One is to workaround by adding __GFP_ZERO so that ath9k_htc_rx_msg() sees 0 if pkt_len is invalid. The other is to let ath9k_htc_rx_msg() validate pkt_len before accessing. This patch chose the latter. Note that I'm not sure threshold condition is correct, for I can't find details on possible packet length used by this protocol.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f3d2a3b7e290d0bdb…
	https://git.kernel.org/stable/c/84242f15f911f34ae…
	https://git.kernel.org/stable/c/2c485f4f2a64258ac…
	https://git.kernel.org/stable/c/9661724f6206bd606…
	https://git.kernel.org/stable/c/b1b4144508adfc585…
	https://git.kernel.org/stable/c/0d2649b288b7b9484…
	https://git.kernel.org/stable/c/4891a50f5ed8bfcb8…
	https://git.kernel.org/stable/c/b383e8abed41cc6ff…

Impacted products

Vendor

Product

Version

Linux

Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < f3d2a3b7e290d0bdbddfcee5a6c3d922e2b7e02a (git)
Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < 84242f15f911f34aec9b22f99d1e9bff19723dbe (git)
Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < 2c485f4f2a64258acc5228e78ffb828c68d9e770 (git)
Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < 9661724f6206bd606ecf13acada676a9975d230b (git)
Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < b1b4144508adfc585e43856b31baaf9008a3beb4 (git)
Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < 0d2649b288b7b9484e3d4380c0d6c4720a17e473 (git)
Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < 4891a50f5ed8bfcb8f2a4b816b0676f398687783 (git)
Affected: fb9987d0f748c983bb795a86f47522313f701a08 , < b383e8abed41cc6ff1a3b34de75df9397fa4878c (git)

Linux

Affected: 2.6.35
Unaffected: 0 , < 2.6.35 (semver)
Unaffected: 4.14.296 , ≤ 4.14.* (semver)
Unaffected: 4.19.262 , ≤ 4.19.* (semver)
Unaffected: 5.4.220 , ≤ 5.4.* (semver)
Unaffected: 5.10.150 , ≤ 5.10.* (semver)
Unaffected: 5.15.75 , ≤ 5.15.* (semver)
Unaffected: 5.19.17 , ≤ 5.19.* (semver)
Unaffected: 6.0.3 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath9k/htc_hst.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f3d2a3b7e290d0bdbddfcee5a6c3d922e2b7e02a",
              "status": "affected",
              "version": "fb9987d0f748c983bb795a86f47522313f701a08",
              "versionType": "git"
            },
            {
              "lessThan": "84242f15f911f34aec9b22f99d1e9bff19723dbe",
              "status": "affected",
              "version": "fb9987d0f748c983bb795a86f47522313f701a08",
              "versionType": "git"
            },
            {
              "lessThan": "2c485f4f2a64258acc5228e78ffb828c68d9e770",
              "status": "affected",
              "version": "fb9987d0f748c983bb795a86f47522313f701a08",
              "versionType": "git"
            },
            {
              "lessThan": "9661724f6206bd606ecf13acada676a9975d230b",
              "status": "affected",
              "version": "fb9987d0f748c983bb795a86f47522313f701a08",
              "versionType": "git"
            },
            {
              "lessThan": "b1b4144508adfc585e43856b31baaf9008a3beb4",
              "status": "affected",
              "version": "fb9987d0f748c983bb795a86f47522313f701a08",
              "versionType": "git"
            },
            {
              "lessThan": "0d2649b288b7b9484e3d4380c0d6c4720a17e473",
              "status": "affected",
              "version": "fb9987d0f748c983bb795a86f47522313f701a08",
              "versionType": "git"
            },
            {
              "lessThan": "4891a50f5ed8bfcb8f2a4b816b0676f398687783",
              "status": "affected",
              "version": "fb9987d0f748c983bb795a86f47522313f701a08",
              "versionType": "git"
            },
            {
              "lessThan": "b383e8abed41cc6ff1a3b34de75df9397fa4878c",
              "status": "affected",
              "version": "fb9987d0f748c983bb795a86f47522313f701a08",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath9k/htc_hst.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.35"
            },
            {
              "lessThan": "2.6.35",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.262",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.220",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.296",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.262",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.220",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.150",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.75",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()\n\nsyzbot is reporting uninit value at ath9k_htc_rx_msg() [1], for\nioctl(USB_RAW_IOCTL_EP_WRITE) can call ath9k_hif_usb_rx_stream() with\npkt_len = 0 but ath9k_hif_usb_rx_stream() uses\n__dev_alloc_skb(pkt_len + 32, GFP_ATOMIC) based on an assumption that\npkt_len is valid. As a result, ath9k_hif_usb_rx_stream() allocates skb\nwith uninitialized memory and ath9k_htc_rx_msg() is reading from\nuninitialized memory.\n\nSince bytes accessed by ath9k_htc_rx_msg() is not known until\nath9k_htc_rx_msg() is called, it would be difficult to check minimal valid\npkt_len at \"if (pkt_len \u003e 2 * MAX_RX_BUF_SIZE) {\" line in\nath9k_hif_usb_rx_stream().\n\nWe have two choices. One is to workaround by adding __GFP_ZERO so that\nath9k_htc_rx_msg() sees 0 if pkt_len is invalid. The other is to let\nath9k_htc_rx_msg() validate pkt_len before accessing. This patch chose\nthe latter.\n\nNote that I\u0027m not sure threshold condition is correct, for I can\u0027t find\ndetails on possible packet length used by this protocol."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:03:58.202Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f3d2a3b7e290d0bdbddfcee5a6c3d922e2b7e02a"
        },
        {
          "url": "https://git.kernel.org/stable/c/84242f15f911f34aec9b22f99d1e9bff19723dbe"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c485f4f2a64258acc5228e78ffb828c68d9e770"
        },
        {
          "url": "https://git.kernel.org/stable/c/9661724f6206bd606ecf13acada676a9975d230b"
        },
        {
          "url": "https://git.kernel.org/stable/c/b1b4144508adfc585e43856b31baaf9008a3beb4"
        },
        {
          "url": "https://git.kernel.org/stable/c/0d2649b288b7b9484e3d4380c0d6c4720a17e473"
        },
        {
          "url": "https://git.kernel.org/stable/c/4891a50f5ed8bfcb8f2a4b816b0676f398687783"
        },
        {
          "url": "https://git.kernel.org/stable/c/b383e8abed41cc6ff1a3b34de75df9397fa4878c"
        }
      ],
      "title": "wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50709",
    "datePublished": "2025-12-24T10:55:23.194Z",
    "dateReserved": "2025-12-24T10:53:15.518Z",
    "dateUpdated": "2026-01-02T15:03:58.202Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40278 (GCVE-0-2025-40278)

Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2025-12-06 21:51

Title

net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak

Summary

In the Linux kernel, the following vulnerability has been resolved: net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak Fix a KMSAN kernel-infoleak detected by the syzbot . [net?] KMSAN: kernel-infoleak in __skb_datagram_iter In tcf_ife_dump(), the variable 'opt' was partially initialized using a designatied initializer. While the padding bytes are reamined uninitialized. nla_put() copies the entire structure into a netlink message, these uninitialized bytes leaked to userspace. Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to beign copied. This change silences the KMSAN report and prevents potential information leaks from the kernel memory. This fix has been tested and validated by syzbot. This patch closes the bug reported at the following syzkaller link and ensures no infoleak.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/918e063304f945fb9…
	https://git.kernel.org/stable/c/5e3644ef147bf7140…
	https://git.kernel.org/stable/c/37f0680887c5aeba9…
	https://git.kernel.org/stable/c/2191662058443e0bc…
	https://git.kernel.org/stable/c/a676a296af65d3372…
	https://git.kernel.org/stable/c/d1dbbbe839647486c…
	https://git.kernel.org/stable/c/c8f51dad94cbb8805…
	https://git.kernel.org/stable/c/ce50039be49eea9b4…

Impacted products

Vendor

Product

Version

Linux

Affected: ef6980b6becb1afd9d82a4f043749a10ae81bf14 , < 918e063304f945fb93be9bb70cacea07d0b730ea (git)
Affected: ef6980b6becb1afd9d82a4f043749a10ae81bf14 , < 5e3644ef147bf7140259dfa4cace680c9b26fe8b (git)
Affected: ef6980b6becb1afd9d82a4f043749a10ae81bf14 , < 37f0680887c5aeba9a433fe04b35169010568bb1 (git)
Affected: ef6980b6becb1afd9d82a4f043749a10ae81bf14 , < 2191662058443e0bcc28d11694293d8339af6dde (git)
Affected: ef6980b6becb1afd9d82a4f043749a10ae81bf14 , < a676a296af65d33725bdf7396803180957dbd92e (git)
Affected: ef6980b6becb1afd9d82a4f043749a10ae81bf14 , < d1dbbbe839647486c9b893e5011fe84a052962df (git)
Affected: ef6980b6becb1afd9d82a4f043749a10ae81bf14 , < c8f51dad94cbb88054e2aacc272b3ce1ed11fb1e (git)
Affected: ef6980b6becb1afd9d82a4f043749a10ae81bf14 , < ce50039be49eea9b4cd8873ca6eccded1b4a130a (git)

Linux

Affected: 4.6
Unaffected: 0 , < 4.6 (semver)
Unaffected: 5.4.302 , ≤ 5.4.* (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.59 , ≤ 6.12.* (semver)
Unaffected: 6.17.9 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/act_ife.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "918e063304f945fb93be9bb70cacea07d0b730ea",
              "status": "affected",
              "version": "ef6980b6becb1afd9d82a4f043749a10ae81bf14",
              "versionType": "git"
            },
            {
              "lessThan": "5e3644ef147bf7140259dfa4cace680c9b26fe8b",
              "status": "affected",
              "version": "ef6980b6becb1afd9d82a4f043749a10ae81bf14",
              "versionType": "git"
            },
            {
              "lessThan": "37f0680887c5aeba9a433fe04b35169010568bb1",
              "status": "affected",
              "version": "ef6980b6becb1afd9d82a4f043749a10ae81bf14",
              "versionType": "git"
            },
            {
              "lessThan": "2191662058443e0bcc28d11694293d8339af6dde",
              "status": "affected",
              "version": "ef6980b6becb1afd9d82a4f043749a10ae81bf14",
              "versionType": "git"
            },
            {
              "lessThan": "a676a296af65d33725bdf7396803180957dbd92e",
              "status": "affected",
              "version": "ef6980b6becb1afd9d82a4f043749a10ae81bf14",
              "versionType": "git"
            },
            {
              "lessThan": "d1dbbbe839647486c9b893e5011fe84a052962df",
              "status": "affected",
              "version": "ef6980b6becb1afd9d82a4f043749a10ae81bf14",
              "versionType": "git"
            },
            {
              "lessThan": "c8f51dad94cbb88054e2aacc272b3ce1ed11fb1e",
              "status": "affected",
              "version": "ef6980b6becb1afd9d82a4f043749a10ae81bf14",
              "versionType": "git"
            },
            {
              "lessThan": "ce50039be49eea9b4cd8873ca6eccded1b4a130a",
              "status": "affected",
              "version": "ef6980b6becb1afd9d82a4f043749a10ae81bf14",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/act_ife.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.6"
            },
            {
              "lessThan": "4.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.302",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.302",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak\n\nFix a KMSAN kernel-infoleak detected  by the syzbot .\n\n[net?] KMSAN: kernel-infoleak in __skb_datagram_iter\n\nIn tcf_ife_dump(), the variable \u0027opt\u0027 was partially initialized using a\ndesignatied initializer. While the padding bytes are reamined\nuninitialized. nla_put() copies the entire structure into a\nnetlink message, these uninitialized bytes leaked to userspace.\n\nInitialize the structure with memset before assigning its fields\nto ensure all members and padding are cleared prior to beign copied.\n\nThis change silences the KMSAN report and prevents potential information\nleaks from the kernel memory.\n\nThis fix has been tested and validated by syzbot. This patch closes the\nbug reported at the following syzkaller link and ensures no infoleak."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-06T21:51:01.693Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/918e063304f945fb93be9bb70cacea07d0b730ea"
        },
        {
          "url": "https://git.kernel.org/stable/c/5e3644ef147bf7140259dfa4cace680c9b26fe8b"
        },
        {
          "url": "https://git.kernel.org/stable/c/37f0680887c5aeba9a433fe04b35169010568bb1"
        },
        {
          "url": "https://git.kernel.org/stable/c/2191662058443e0bcc28d11694293d8339af6dde"
        },
        {
          "url": "https://git.kernel.org/stable/c/a676a296af65d33725bdf7396803180957dbd92e"
        },
        {
          "url": "https://git.kernel.org/stable/c/d1dbbbe839647486c9b893e5011fe84a052962df"
        },
        {
          "url": "https://git.kernel.org/stable/c/c8f51dad94cbb88054e2aacc272b3ce1ed11fb1e"
        },
        {
          "url": "https://git.kernel.org/stable/c/ce50039be49eea9b4cd8873ca6eccded1b4a130a"
        }
      ],
      "title": "net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40278",
    "datePublished": "2025-12-06T21:51:01.693Z",
    "dateReserved": "2025-04-16T07:20:57.184Z",
    "dateUpdated": "2025-12-06T21:51:01.693Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40042 (GCVE-0-2025-40042)

Vulnerability from cvelistv5 – Published: 2025-10-28 11:48 – Updated: 2025-12-01 06:16

Title

tracing: Fix race condition in kprobe initialization causing NULL pointer dereference

Summary

In the Linux kernel, the following vulnerability has been resolved: tracing: Fix race condition in kprobe initialization causing NULL pointer dereference There is a critical race condition in kprobe initialization that can lead to NULL pointer dereference and kernel crash. [1135630.084782] Unable to handle kernel paging request at virtual address 0000710a04630000 ... [1135630.260314] pstate: 404003c9 (nZcv DAIF +PAN -UAO) [1135630.269239] pc : kprobe_perf_func+0x30/0x260 [1135630.277643] lr : kprobe_dispatcher+0x44/0x60 [1135630.286041] sp : ffffaeff4977fa40 [1135630.293441] x29: ffffaeff4977fa40 x28: ffffaf015340e400 [1135630.302837] x27: 0000000000000000 x26: 0000000000000000 [1135630.312257] x25: ffffaf029ed108a8 x24: ffffaf015340e528 [1135630.321705] x23: ffffaeff4977fc50 x22: ffffaeff4977fc50 [1135630.331154] x21: 0000000000000000 x20: ffffaeff4977fc50 [1135630.340586] x19: ffffaf015340e400 x18: 0000000000000000 [1135630.349985] x17: 0000000000000000 x16: 0000000000000000 [1135630.359285] x15: 0000000000000000 x14: 0000000000000000 [1135630.368445] x13: 0000000000000000 x12: 0000000000000000 [1135630.377473] x11: 0000000000000000 x10: 0000000000000000 [1135630.386411] x9 : 0000000000000000 x8 : 0000000000000000 [1135630.395252] x7 : 0000000000000000 x6 : 0000000000000000 [1135630.403963] x5 : 0000000000000000 x4 : 0000000000000000 [1135630.412545] x3 : 0000710a04630000 x2 : 0000000000000006 [1135630.421021] x1 : ffffaeff4977fc50 x0 : 0000710a04630000 [1135630.429410] Call trace: [1135630.434828] kprobe_perf_func+0x30/0x260 [1135630.441661] kprobe_dispatcher+0x44/0x60 [1135630.448396] aggr_pre_handler+0x70/0xc8 [1135630.454959] kprobe_breakpoint_handler+0x140/0x1e0 [1135630.462435] brk_handler+0xbc/0xd8 [1135630.468437] do_debug_exception+0x84/0x138 [1135630.475074] el1_dbg+0x18/0x8c [1135630.480582] security_file_permission+0x0/0xd0 [1135630.487426] vfs_write+0x70/0x1c0 [1135630.493059] ksys_write+0x5c/0xc8 [1135630.498638] __arm64_sys_write+0x24/0x30 [1135630.504821] el0_svc_common+0x78/0x130 [1135630.510838] el0_svc_handler+0x38/0x78 [1135630.516834] el0_svc+0x8/0x1b0 kernel/trace/trace_kprobe.c: 1308 0xffff3df8995039ec <kprobe_perf_func+0x2c>: ldr x21, [x24,#120] include/linux/compiler.h: 294 0xffff3df8995039f0 <kprobe_perf_func+0x30>: ldr x1, [x21,x0] kernel/trace/trace_kprobe.c 1308: head = this_cpu_ptr(call->perf_events); 1309: if (hlist_empty(head)) 1310: return 0; crash> struct trace_event_call -o struct trace_event_call { ... [120] struct hlist_head *perf_events; //(call->perf_event) ... } crash> struct trace_event_call ffffaf015340e528 struct trace_event_call { ... perf_events = 0xffff0ad5fa89f088, //this value is correct, but x21 = 0 ... } Race Condition Analysis: The race occurs between kprobe activation and perf_events initialization: CPU0 CPU1 ==== ==== perf_kprobe_init perf_trace_event_init tp_event->perf_events = list;(1) tp_event->class->reg (2)← KPROBE ACTIVE Debug exception triggers ... kprobe_dispatcher kprobe_perf_func (tk->tp.flags & TP_FLAG_PROFILE) head = this_cpu_ptr(call->perf_events)(3) (perf_events is still NULL) Problem: 1. CPU0 executes (1) assigning tp_event->perf_events = list 2. CPU0 executes (2) enabling kprobe functionality via class->reg() 3. CPU1 triggers and reaches kprobe_dispatcher 4. CPU1 checks TP_FLAG_PROFILE - condition passes (step 2 completed) 5. CPU1 calls kprobe_perf_func() and crashes at (3) because call->perf_events is still NULL CPU1 sees that kprobe functionality is enabled but does not see that perf_events has been assigned. Add pairing read an ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/07926ce598a95de6f…
	https://git.kernel.org/stable/c/9c4951b691bb8d7a0…
	https://git.kernel.org/stable/c/95dd33361061f808d…
	https://git.kernel.org/stable/c/a6e89ada1ff6b70df…
	https://git.kernel.org/stable/c/1a301228c0a8aedc3…
	https://git.kernel.org/stable/c/0fa388ab2c290ef11…
	https://git.kernel.org/stable/c/5ebea6561649d30ec…
	https://git.kernel.org/stable/c/9cf9aa7b0acfde754…

Impacted products

Vendor

Product

Version

Linux

Affected: 50d780560785b068c358675c5f0bf6c83b5c373e , < 07926ce598a95de6fd874a74fb510e2ebdfd0aae (git)
Affected: 50d780560785b068c358675c5f0bf6c83b5c373e , < 9c4951b691bb8d7a004acd010f45144391f85ea6 (git)
Affected: 50d780560785b068c358675c5f0bf6c83b5c373e , < 95dd33361061f808d1f68616d69ada639e737cfa (git)
Affected: 50d780560785b068c358675c5f0bf6c83b5c373e , < a6e89ada1ff6b70df73f579071ffa6ade8ae7f98 (git)
Affected: 50d780560785b068c358675c5f0bf6c83b5c373e , < 1a301228c0a8aedc3154fb1a274456f487416b96 (git)
Affected: 50d780560785b068c358675c5f0bf6c83b5c373e , < 0fa388ab2c290ef1115ff88ae88e881d0fb2db02 (git)
Affected: 50d780560785b068c358675c5f0bf6c83b5c373e , < 5ebea6561649d30ec7a18fea23d7f76738dae916 (git)
Affected: 50d780560785b068c358675c5f0bf6c83b5c373e , < 9cf9aa7b0acfde7545c1a1d912576e9bab28dc6f (git)

Linux

Affected: 2.6.33
Unaffected: 0 , < 2.6.33 (semver)
Unaffected: 5.4.301 , ≤ 5.4.* (semver)
Unaffected: 5.10.246 , ≤ 5.10.* (semver)
Unaffected: 5.15.195 , ≤ 5.15.* (semver)
Unaffected: 6.1.157 , ≤ 6.1.* (semver)
Unaffected: 6.6.113 , ≤ 6.6.* (semver)
Unaffected: 6.12.54 , ≤ 6.12.* (semver)
Unaffected: 6.17.3 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/trace_fprobe.c",
            "kernel/trace/trace_kprobe.c",
            "kernel/trace/trace_probe.h",
            "kernel/trace/trace_uprobe.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "07926ce598a95de6fd874a74fb510e2ebdfd0aae",
              "status": "affected",
              "version": "50d780560785b068c358675c5f0bf6c83b5c373e",
              "versionType": "git"
            },
            {
              "lessThan": "9c4951b691bb8d7a004acd010f45144391f85ea6",
              "status": "affected",
              "version": "50d780560785b068c358675c5f0bf6c83b5c373e",
              "versionType": "git"
            },
            {
              "lessThan": "95dd33361061f808d1f68616d69ada639e737cfa",
              "status": "affected",
              "version": "50d780560785b068c358675c5f0bf6c83b5c373e",
              "versionType": "git"
            },
            {
              "lessThan": "a6e89ada1ff6b70df73f579071ffa6ade8ae7f98",
              "status": "affected",
              "version": "50d780560785b068c358675c5f0bf6c83b5c373e",
              "versionType": "git"
            },
            {
              "lessThan": "1a301228c0a8aedc3154fb1a274456f487416b96",
              "status": "affected",
              "version": "50d780560785b068c358675c5f0bf6c83b5c373e",
              "versionType": "git"
            },
            {
              "lessThan": "0fa388ab2c290ef1115ff88ae88e881d0fb2db02",
              "status": "affected",
              "version": "50d780560785b068c358675c5f0bf6c83b5c373e",
              "versionType": "git"
            },
            {
              "lessThan": "5ebea6561649d30ec7a18fea23d7f76738dae916",
              "status": "affected",
              "version": "50d780560785b068c358675c5f0bf6c83b5c373e",
              "versionType": "git"
            },
            {
              "lessThan": "9cf9aa7b0acfde7545c1a1d912576e9bab28dc6f",
              "status": "affected",
              "version": "50d780560785b068c358675c5f0bf6c83b5c373e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/trace_fprobe.c",
            "kernel/trace/trace_kprobe.c",
            "kernel/trace/trace_probe.h",
            "kernel/trace/trace_uprobe.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.33"
            },
            {
              "lessThan": "2.6.33",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.301",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.246",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.195",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.157",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.54",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.301",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.246",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.195",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.157",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.113",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.54",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.3",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "2.6.33",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix race condition in kprobe initialization causing NULL pointer dereference\n\nThere is a critical race condition in kprobe initialization that can lead to\nNULL pointer dereference and kernel crash.\n\n[1135630.084782] Unable to handle kernel paging request at virtual address 0000710a04630000\n...\n[1135630.260314] pstate: 404003c9 (nZcv DAIF +PAN -UAO)\n[1135630.269239] pc : kprobe_perf_func+0x30/0x260\n[1135630.277643] lr : kprobe_dispatcher+0x44/0x60\n[1135630.286041] sp : ffffaeff4977fa40\n[1135630.293441] x29: ffffaeff4977fa40 x28: ffffaf015340e400\n[1135630.302837] x27: 0000000000000000 x26: 0000000000000000\n[1135630.312257] x25: ffffaf029ed108a8 x24: ffffaf015340e528\n[1135630.321705] x23: ffffaeff4977fc50 x22: ffffaeff4977fc50\n[1135630.331154] x21: 0000000000000000 x20: ffffaeff4977fc50\n[1135630.340586] x19: ffffaf015340e400 x18: 0000000000000000\n[1135630.349985] x17: 0000000000000000 x16: 0000000000000000\n[1135630.359285] x15: 0000000000000000 x14: 0000000000000000\n[1135630.368445] x13: 0000000000000000 x12: 0000000000000000\n[1135630.377473] x11: 0000000000000000 x10: 0000000000000000\n[1135630.386411] x9 : 0000000000000000 x8 : 0000000000000000\n[1135630.395252] x7 : 0000000000000000 x6 : 0000000000000000\n[1135630.403963] x5 : 0000000000000000 x4 : 0000000000000000\n[1135630.412545] x3 : 0000710a04630000 x2 : 0000000000000006\n[1135630.421021] x1 : ffffaeff4977fc50 x0 : 0000710a04630000\n[1135630.429410] Call trace:\n[1135630.434828]  kprobe_perf_func+0x30/0x260\n[1135630.441661]  kprobe_dispatcher+0x44/0x60\n[1135630.448396]  aggr_pre_handler+0x70/0xc8\n[1135630.454959]  kprobe_breakpoint_handler+0x140/0x1e0\n[1135630.462435]  brk_handler+0xbc/0xd8\n[1135630.468437]  do_debug_exception+0x84/0x138\n[1135630.475074]  el1_dbg+0x18/0x8c\n[1135630.480582]  security_file_permission+0x0/0xd0\n[1135630.487426]  vfs_write+0x70/0x1c0\n[1135630.493059]  ksys_write+0x5c/0xc8\n[1135630.498638]  __arm64_sys_write+0x24/0x30\n[1135630.504821]  el0_svc_common+0x78/0x130\n[1135630.510838]  el0_svc_handler+0x38/0x78\n[1135630.516834]  el0_svc+0x8/0x1b0\n\nkernel/trace/trace_kprobe.c: 1308\n0xffff3df8995039ec \u003ckprobe_perf_func+0x2c\u003e:     ldr     x21, [x24,#120]\ninclude/linux/compiler.h: 294\n0xffff3df8995039f0 \u003ckprobe_perf_func+0x30\u003e:     ldr     x1, [x21,x0]\n\nkernel/trace/trace_kprobe.c\n1308: head = this_cpu_ptr(call-\u003eperf_events);\n1309: if (hlist_empty(head))\n1310: \treturn 0;\n\ncrash\u003e struct trace_event_call -o\nstruct trace_event_call {\n  ...\n  [120] struct hlist_head *perf_events;  //(call-\u003eperf_event)\n  ...\n}\n\ncrash\u003e struct trace_event_call ffffaf015340e528\nstruct trace_event_call {\n  ...\n  perf_events = 0xffff0ad5fa89f088, //this value is correct, but x21 = 0\n  ...\n}\n\nRace Condition Analysis:\n\nThe race occurs between kprobe activation and perf_events initialization:\n\n  CPU0                                    CPU1\n  ====                                    ====\n  perf_kprobe_init\n    perf_trace_event_init\n      tp_event-\u003eperf_events = list;(1)\n      tp_event-\u003eclass-\u003ereg (2)\u2190 KPROBE ACTIVE\n                                          Debug exception triggers\n                                          ...\n                                          kprobe_dispatcher\n                                            kprobe_perf_func (tk-\u003etp.flags \u0026 TP_FLAG_PROFILE)\n                                              head = this_cpu_ptr(call-\u003eperf_events)(3)\n                                              (perf_events is still NULL)\n\nProblem:\n1. CPU0 executes (1) assigning tp_event-\u003eperf_events = list\n2. CPU0 executes (2) enabling kprobe functionality via class-\u003ereg()\n3. CPU1 triggers and reaches kprobe_dispatcher\n4. CPU1 checks TP_FLAG_PROFILE - condition passes (step 2 completed)\n5. CPU1 calls kprobe_perf_func() and crashes at (3) because\n   call-\u003eperf_events is still NULL\n\nCPU1 sees that kprobe functionality is enabled but does not see that\nperf_events has been assigned.\n\nAdd pairing read an\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-01T06:16:46.821Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/07926ce598a95de6fd874a74fb510e2ebdfd0aae"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c4951b691bb8d7a004acd010f45144391f85ea6"
        },
        {
          "url": "https://git.kernel.org/stable/c/95dd33361061f808d1f68616d69ada639e737cfa"
        },
        {
          "url": "https://git.kernel.org/stable/c/a6e89ada1ff6b70df73f579071ffa6ade8ae7f98"
        },
        {
          "url": "https://git.kernel.org/stable/c/1a301228c0a8aedc3154fb1a274456f487416b96"
        },
        {
          "url": "https://git.kernel.org/stable/c/0fa388ab2c290ef1115ff88ae88e881d0fb2db02"
        },
        {
          "url": "https://git.kernel.org/stable/c/5ebea6561649d30ec7a18fea23d7f76738dae916"
        },
        {
          "url": "https://git.kernel.org/stable/c/9cf9aa7b0acfde7545c1a1d912576e9bab28dc6f"
        }
      ],
      "title": "tracing: Fix race condition in kprobe initialization causing NULL pointer dereference",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40042",
    "datePublished": "2025-10-28T11:48:21.638Z",
    "dateReserved": "2025-04-16T07:20:57.154Z",
    "dateUpdated": "2025-12-01T06:16:46.821Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50736 (GCVE-0-2022-50736)

Vulnerability from cvelistv5 – Published: 2025-12-24 12:22 – Updated: 2025-12-24 12:22

Title

RDMA/siw: Fix immediate work request flush to completion queue

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Fix immediate work request flush to completion queue Correctly set send queue element opcode during immediate work request flushing in post sendqueue operation, if the QP is in ERROR state. An undefined ocode value results in out-of-bounds access to an array for mapping the opcode between siw internal and RDMA core representation in work completion generation. It resulted in a KASAN BUG report of type 'global-out-of-bounds' during NFSoRDMA testing. This patch further fixes a potential case of a malicious user which may write undefined values for completion queue elements status or opcode, if the CQ is memory mapped to user land. It avoids the same out-of-bounds access to arrays for status and opcode mapping as described above.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/6af043089d3f12107…
	https://git.kernel.org/stable/c/75af03fdf35acf15a…
	https://git.kernel.org/stable/c/f8d8fbd3b6d6cc3f2…
	https://git.kernel.org/stable/c/355d2eca68c10d713…
	https://git.kernel.org/stable/c/f3d26a8589dfdeff3…
	https://git.kernel.org/stable/c/bdf1da5df9da68058…

Impacted products

Vendor

Product

Version

Linux

Affected: 303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b , < 6af043089d3f1210776d19b6fdabea610d4c7699 (git)
Affected: 303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b , < 75af03fdf35acf15a3977f7115f6b8d10dff4bc7 (git)
Affected: 303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b , < f8d8fbd3b6d6cc3f25790cca5cffe8ded512fef6 (git)
Affected: 303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b , < 355d2eca68c10d713a42f68e62044b3d1c300471 (git)
Affected: 303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b , < f3d26a8589dfdeff328779b511f71fb90b10005e (git)
Affected: 303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b , < bdf1da5df9da680589a7f74448dd0a94dd3e1446 (git)

Linux

Affected: 5.3
Unaffected: 0 , < 5.3 (semver)
Unaffected: 5.4.229 , ≤ 5.4.* (semver)
Unaffected: 5.10.163 , ≤ 5.10.* (semver)
Unaffected: 5.15.86 , ≤ 5.15.* (semver)
Unaffected: 6.0.16 , ≤ 6.0.* (semver)
Unaffected: 6.1.2 , ≤ 6.1.* (semver)
Unaffected: 6.2 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/sw/siw/siw_cq.c",
            "drivers/infiniband/sw/siw/siw_verbs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6af043089d3f1210776d19b6fdabea610d4c7699",
              "status": "affected",
              "version": "303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b",
              "versionType": "git"
            },
            {
              "lessThan": "75af03fdf35acf15a3977f7115f6b8d10dff4bc7",
              "status": "affected",
              "version": "303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b",
              "versionType": "git"
            },
            {
              "lessThan": "f8d8fbd3b6d6cc3f25790cca5cffe8ded512fef6",
              "status": "affected",
              "version": "303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b",
              "versionType": "git"
            },
            {
              "lessThan": "355d2eca68c10d713a42f68e62044b3d1c300471",
              "status": "affected",
              "version": "303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b",
              "versionType": "git"
            },
            {
              "lessThan": "f3d26a8589dfdeff328779b511f71fb90b10005e",
              "status": "affected",
              "version": "303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b",
              "versionType": "git"
            },
            {
              "lessThan": "bdf1da5df9da680589a7f74448dd0a94dd3e1446",
              "status": "affected",
              "version": "303ae1cdfdf7280ff4cfbbe65563b5ff15bb025b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/sw/siw/siw_cq.c",
            "drivers/infiniband/sw/siw/siw_verbs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.3"
            },
            {
              "lessThan": "5.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.229",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.163",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.229",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.163",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.86",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.16",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.2",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "versionStartIncluding": "5.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/siw: Fix immediate work request flush to completion queue\n\nCorrectly set send queue element opcode during immediate work request\nflushing in post sendqueue operation, if the QP is in ERROR state.\nAn undefined ocode value results in out-of-bounds access to an array\nfor mapping the opcode between siw internal and RDMA core representation\nin work completion generation. It resulted in a KASAN BUG report\nof type \u0027global-out-of-bounds\u0027 during NFSoRDMA testing.\n\nThis patch further fixes a potential case of a malicious user which may\nwrite undefined values for completion queue elements status or opcode,\nif the CQ is memory mapped to user land. It avoids the same out-of-bounds\naccess to arrays for status and opcode mapping as described above."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-24T12:22:54.695Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6af043089d3f1210776d19b6fdabea610d4c7699"
        },
        {
          "url": "https://git.kernel.org/stable/c/75af03fdf35acf15a3977f7115f6b8d10dff4bc7"
        },
        {
          "url": "https://git.kernel.org/stable/c/f8d8fbd3b6d6cc3f25790cca5cffe8ded512fef6"
        },
        {
          "url": "https://git.kernel.org/stable/c/355d2eca68c10d713a42f68e62044b3d1c300471"
        },
        {
          "url": "https://git.kernel.org/stable/c/f3d26a8589dfdeff328779b511f71fb90b10005e"
        },
        {
          "url": "https://git.kernel.org/stable/c/bdf1da5df9da680589a7f74448dd0a94dd3e1446"
        }
      ],
      "title": "RDMA/siw: Fix immediate work request flush to completion queue",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50736",
    "datePublished": "2025-12-24T12:22:54.695Z",
    "dateReserved": "2025-12-24T12:20:40.331Z",
    "dateUpdated": "2025-12-24T12:22:54.695Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68342 (GCVE-0-2025-68342)

Vulnerability from cvelistv5 – Published: 2025-12-23 13:58 – Updated: 2025-12-23 13:58

Title

can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data

Summary

In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data The URB received in gs_usb_receive_bulk_callback() contains a struct gs_host_frame. The length of the data after the header depends on the gs_host_frame hf::flags and the active device features (e.g. time stamping). Introduce a new function gs_usb_get_minimum_length() and check that we have at least received the required amount of data before accessing it. Only copy the data to that skb that has actually been received. [mkl: rename gs_usb_get_minimum_length() -> +gs_usb_get_minimum_rx_length()]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4ffac725154cf6a25…
	https://git.kernel.org/stable/c/ad55004a3cb5b41ef…
	https://git.kernel.org/stable/c/fb0c7c77a7ae3a2c3…
	https://git.kernel.org/stable/c/395d988f93861101e…

Impacted products

Vendor

Product

Version

Linux

Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < 4ffac725154cf6a253f5e6aa0c8946232b6a0af5 (git)
Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < ad55004a3cb5b41ef78aa6c09e7bc5a489ba652b (git)
Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < fb0c7c77a7ae3a2c3404b7d0173b8739a754b513 (git)
Affected: d08e973a77d128b25e01a08c34d89593fdf222da , < 395d988f93861101ec89d0dd9e3b876ae9392a5b (git)

Linux

Affected: 3.16
Unaffected: 0 , < 3.16 (semver)
Unaffected: 6.6.119 , ≤ 6.6.* (semver)
Unaffected: 6.12.61 , ≤ 6.12.* (semver)
Unaffected: 6.17.11 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/can/usb/gs_usb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4ffac725154cf6a253f5e6aa0c8946232b6a0af5",
              "status": "affected",
              "version": "d08e973a77d128b25e01a08c34d89593fdf222da",
              "versionType": "git"
            },
            {
              "lessThan": "ad55004a3cb5b41ef78aa6c09e7bc5a489ba652b",
              "status": "affected",
              "version": "d08e973a77d128b25e01a08c34d89593fdf222da",
              "versionType": "git"
            },
            {
              "lessThan": "fb0c7c77a7ae3a2c3404b7d0173b8739a754b513",
              "status": "affected",
              "version": "d08e973a77d128b25e01a08c34d89593fdf222da",
              "versionType": "git"
            },
            {
              "lessThan": "395d988f93861101ec89d0dd9e3b876ae9392a5b",
              "status": "affected",
              "version": "d08e973a77d128b25e01a08c34d89593fdf222da",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/can/usb/gs_usb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.16"
            },
            {
              "lessThan": "3.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.119",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.119",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.61",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.11",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data\n\nThe URB received in gs_usb_receive_bulk_callback() contains a struct\ngs_host_frame. The length of the data after the header depends on the\ngs_host_frame hf::flags and the active device features (e.g. time\nstamping).\n\nIntroduce a new function gs_usb_get_minimum_length() and check that we have\nat least received the required amount of data before accessing it. Only\ncopy the data to that skb that has actually been received.\n\n[mkl: rename gs_usb_get_minimum_length() -\u003e +gs_usb_get_minimum_rx_length()]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-23T13:58:27.579Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4ffac725154cf6a253f5e6aa0c8946232b6a0af5"
        },
        {
          "url": "https://git.kernel.org/stable/c/ad55004a3cb5b41ef78aa6c09e7bc5a489ba652b"
        },
        {
          "url": "https://git.kernel.org/stable/c/fb0c7c77a7ae3a2c3404b7d0173b8739a754b513"
        },
        {
          "url": "https://git.kernel.org/stable/c/395d988f93861101ec89d0dd9e3b876ae9392a5b"
        }
      ],
      "title": "can: gs_usb: gs_usb_receive_bulk_callback(): check actual_length before accessing data",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68342",
    "datePublished": "2025-12-23T13:58:27.579Z",
    "dateReserved": "2025-12-16T14:48:05.298Z",
    "dateUpdated": "2025-12-23T13:58:27.579Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-54270 (GCVE-0-2023-54270)

Vulnerability from cvelistv5 – Published: 2025-12-30 12:16 – Updated: 2025-12-30 12:16

Title

media: usb: siano: Fix use after free bugs caused by do_submit_urb

Summary

In the Linux kernel, the following vulnerability has been resolved: media: usb: siano: Fix use after free bugs caused by do_submit_urb There are UAF bugs caused by do_submit_urb(). One of the KASan reports is shown below: [ 36.403605] BUG: KASAN: use-after-free in worker_thread+0x4a2/0x890 [ 36.406105] Read of size 8 at addr ffff8880059600e8 by task kworker/0:2/49 [ 36.408316] [ 36.408867] CPU: 0 PID: 49 Comm: kworker/0:2 Not tainted 6.2.0-rc3-15798-g5a41237ad1d4-dir8 [ 36.411696] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g15584 [ 36.416157] Workqueue: 0x0 (events) [ 36.417654] Call Trace: [ 36.418546] <TASK> [ 36.419320] dump_stack_lvl+0x96/0xd0 [ 36.420522] print_address_description+0x75/0x350 [ 36.421992] print_report+0x11b/0x250 [ 36.423174] ? _raw_spin_lock_irqsave+0x87/0xd0 [ 36.424806] ? __virt_addr_valid+0xcf/0x170 [ 36.426069] ? worker_thread+0x4a2/0x890 [ 36.427355] kasan_report+0x131/0x160 [ 36.428556] ? worker_thread+0x4a2/0x890 [ 36.430053] worker_thread+0x4a2/0x890 [ 36.431297] ? worker_clr_flags+0x90/0x90 [ 36.432479] kthread+0x166/0x190 [ 36.433493] ? kthread_blkcg+0x50/0x50 [ 36.434669] ret_from_fork+0x22/0x30 [ 36.435923] </TASK> [ 36.436684] [ 36.437215] Allocated by task 24: [ 36.438289] kasan_set_track+0x50/0x80 [ 36.439436] __kasan_kmalloc+0x89/0xa0 [ 36.440566] smsusb_probe+0x374/0xc90 [ 36.441920] usb_probe_interface+0x2d1/0x4c0 [ 36.443253] really_probe+0x1d5/0x580 [ 36.444539] __driver_probe_device+0xe3/0x130 [ 36.446085] driver_probe_device+0x49/0x220 [ 36.447423] __device_attach_driver+0x19e/0x1b0 [ 36.448931] bus_for_each_drv+0xcb/0x110 [ 36.450217] __device_attach+0x132/0x1f0 [ 36.451470] bus_probe_device+0x59/0xf0 [ 36.452563] device_add+0x4ec/0x7b0 [ 36.453830] usb_set_configuration+0xc63/0xe10 [ 36.455230] usb_generic_driver_probe+0x3b/0x80 [ 36.456166] printk: console [ttyGS0] disabled [ 36.456569] usb_probe_device+0x90/0x110 [ 36.459523] really_probe+0x1d5/0x580 [ 36.461027] __driver_probe_device+0xe3/0x130 [ 36.462465] driver_probe_device+0x49/0x220 [ 36.463847] __device_attach_driver+0x19e/0x1b0 [ 36.465229] bus_for_each_drv+0xcb/0x110 [ 36.466466] __device_attach+0x132/0x1f0 [ 36.467799] bus_probe_device+0x59/0xf0 [ 36.469010] device_add+0x4ec/0x7b0 [ 36.470125] usb_new_device+0x863/0xa00 [ 36.471374] hub_event+0x18c7/0x2220 [ 36.472746] process_one_work+0x34c/0x5b0 [ 36.474041] worker_thread+0x4b7/0x890 [ 36.475216] kthread+0x166/0x190 [ 36.476267] ret_from_fork+0x22/0x30 [ 36.477447] [ 36.478160] Freed by task 24: [ 36.479239] kasan_set_track+0x50/0x80 [ 36.480512] kasan_save_free_info+0x2b/0x40 [ 36.481808] ____kasan_slab_free+0x122/0x1a0 [ 36.483173] __kmem_cache_free+0xc4/0x200 [ 36.484563] smsusb_term_device+0xcd/0xf0 [ 36.485896] smsusb_probe+0xc85/0xc90 [ 36.486976] usb_probe_interface+0x2d1/0x4c0 [ 36.488303] really_probe+0x1d5/0x580 [ 36.489498] __driver_probe_device+0xe3/0x130 [ 36.491140] driver_probe_device+0x49/0x220 [ 36.492475] __device_attach_driver+0x19e/0x1b0 [ 36.493988] bus_for_each_drv+0xcb/0x110 [ 36.495171] __device_attach+0x132/0x1f0 [ 36.496617] bus_probe_device+0x59/0xf0 [ 36.497875] device_add+0x4ec/0x7b0 [ 36.498972] usb_set_configuration+0xc63/0xe10 [ 36.500264] usb_generic_driver_probe+0x3b/0x80 [ 36.501740] usb_probe_device+0x90/0x110 [ 36.503084] really_probe+0x1d5/0x580 [ 36.504241] __driver_probe_device+0xe3/0x130 [ 36.505548] driver_probe_device+0x49/0x220 [ 36.506766] __device_attach_driver+0x19e/0x1b0 [ 36.508368] bus_for_each_drv+0xcb/0x110 [ 36.509646] __device_attach+0x132/0x1f0 [ 36.510911] bus_probe_device+0x59/0xf0 [ 36.512103] device_add+0x4ec/0x7b0 [ 36.513215] usb_new_device+0x863/0xa00 [ 36.514736] hub_event+0x18c7/0x2220 [ 36.516130] process_one_work+ ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c379272ea9c2ee36f…
	https://git.kernel.org/stable/c/1477b00ff582970df…
	https://git.kernel.org/stable/c/a41bb59eff7a58a67…
	https://git.kernel.org/stable/c/42f8ba8355682f6c4…
	https://git.kernel.org/stable/c/114f768e7314ca9e1…
	https://git.kernel.org/stable/c/479796534a450fd44…
	https://git.kernel.org/stable/c/19aadf0eb70edae71…
	https://git.kernel.org/stable/c/ebad8e731c1c06adf…

Impacted products

Vendor

Product

Version

Linux

Affected: dd47fbd40e6ea6884e295e13a2e50b0894258fdf , < c379272ea9c2ee36f0a1327b0fb8889c975093f7 (git)
Affected: dd47fbd40e6ea6884e295e13a2e50b0894258fdf , < 1477b00ff582970df110fc9e15a5e2021acb9222 (git)
Affected: dd47fbd40e6ea6884e295e13a2e50b0894258fdf , < a41bb59eff7a58a6772f84a5b70ad7ec26dad074 (git)
Affected: dd47fbd40e6ea6884e295e13a2e50b0894258fdf , < 42f8ba8355682f6c4125b75503cac0cef4ac91d3 (git)
Affected: dd47fbd40e6ea6884e295e13a2e50b0894258fdf , < 114f768e7314ca9e1fdbebe11267c4403e89e7f2 (git)
Affected: dd47fbd40e6ea6884e295e13a2e50b0894258fdf , < 479796534a450fd44189080d51bebefa3b42c6fc (git)
Affected: dd47fbd40e6ea6884e295e13a2e50b0894258fdf , < 19aadf0eb70edae7180285dbb9bfa237d1ddb34d (git)
Affected: dd47fbd40e6ea6884e295e13a2e50b0894258fdf , < ebad8e731c1c06adf04621d6fd327b860c0861b5 (git)

Linux

Affected: 4.6
Unaffected: 0 , < 4.6 (semver)
Unaffected: 4.14.308 , ≤ 4.14.* (semver)
Unaffected: 4.19.276 , ≤ 4.19.* (semver)
Unaffected: 5.4.235 , ≤ 5.4.* (semver)
Unaffected: 5.10.173 , ≤ 5.10.* (semver)
Unaffected: 5.15.99 , ≤ 5.15.* (semver)
Unaffected: 6.1.16 , ≤ 6.1.* (semver)
Unaffected: 6.2.3 , ≤ 6.2.* (semver)
Unaffected: 6.3 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/usb/siano/smsusb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c379272ea9c2ee36f0a1327b0fb8889c975093f7",
              "status": "affected",
              "version": "dd47fbd40e6ea6884e295e13a2e50b0894258fdf",
              "versionType": "git"
            },
            {
              "lessThan": "1477b00ff582970df110fc9e15a5e2021acb9222",
              "status": "affected",
              "version": "dd47fbd40e6ea6884e295e13a2e50b0894258fdf",
              "versionType": "git"
            },
            {
              "lessThan": "a41bb59eff7a58a6772f84a5b70ad7ec26dad074",
              "status": "affected",
              "version": "dd47fbd40e6ea6884e295e13a2e50b0894258fdf",
              "versionType": "git"
            },
            {
              "lessThan": "42f8ba8355682f6c4125b75503cac0cef4ac91d3",
              "status": "affected",
              "version": "dd47fbd40e6ea6884e295e13a2e50b0894258fdf",
              "versionType": "git"
            },
            {
              "lessThan": "114f768e7314ca9e1fdbebe11267c4403e89e7f2",
              "status": "affected",
              "version": "dd47fbd40e6ea6884e295e13a2e50b0894258fdf",
              "versionType": "git"
            },
            {
              "lessThan": "479796534a450fd44189080d51bebefa3b42c6fc",
              "status": "affected",
              "version": "dd47fbd40e6ea6884e295e13a2e50b0894258fdf",
              "versionType": "git"
            },
            {
              "lessThan": "19aadf0eb70edae7180285dbb9bfa237d1ddb34d",
              "status": "affected",
              "version": "dd47fbd40e6ea6884e295e13a2e50b0894258fdf",
              "versionType": "git"
            },
            {
              "lessThan": "ebad8e731c1c06adf04621d6fd327b860c0861b5",
              "status": "affected",
              "version": "dd47fbd40e6ea6884e295e13a2e50b0894258fdf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/usb/siano/smsusb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.6"
            },
            {
              "lessThan": "4.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.308",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.276",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.173",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.99",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.2.*",
              "status": "unaffected",
              "version": "6.2.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.308",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.276",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.235",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.173",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.99",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.16",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2.3",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: usb: siano: Fix use after free bugs caused by do_submit_urb\n\nThere are UAF bugs caused by do_submit_urb(). One of the KASan reports\nis shown below:\n\n[   36.403605] BUG: KASAN: use-after-free in worker_thread+0x4a2/0x890\n[   36.406105] Read of size 8 at addr ffff8880059600e8 by task kworker/0:2/49\n[   36.408316]\n[   36.408867] CPU: 0 PID: 49 Comm: kworker/0:2 Not tainted 6.2.0-rc3-15798-g5a41237ad1d4-dir8\n[   36.411696] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g15584\n[   36.416157] Workqueue:  0x0 (events)\n[   36.417654] Call Trace:\n[   36.418546]  \u003cTASK\u003e\n[   36.419320]  dump_stack_lvl+0x96/0xd0\n[   36.420522]  print_address_description+0x75/0x350\n[   36.421992]  print_report+0x11b/0x250\n[   36.423174]  ? _raw_spin_lock_irqsave+0x87/0xd0\n[   36.424806]  ? __virt_addr_valid+0xcf/0x170\n[   36.426069]  ? worker_thread+0x4a2/0x890\n[   36.427355]  kasan_report+0x131/0x160\n[   36.428556]  ? worker_thread+0x4a2/0x890\n[   36.430053]  worker_thread+0x4a2/0x890\n[   36.431297]  ? worker_clr_flags+0x90/0x90\n[   36.432479]  kthread+0x166/0x190\n[   36.433493]  ? kthread_blkcg+0x50/0x50\n[   36.434669]  ret_from_fork+0x22/0x30\n[   36.435923]  \u003c/TASK\u003e\n[   36.436684]\n[   36.437215] Allocated by task 24:\n[   36.438289]  kasan_set_track+0x50/0x80\n[   36.439436]  __kasan_kmalloc+0x89/0xa0\n[   36.440566]  smsusb_probe+0x374/0xc90\n[   36.441920]  usb_probe_interface+0x2d1/0x4c0\n[   36.443253]  really_probe+0x1d5/0x580\n[   36.444539]  __driver_probe_device+0xe3/0x130\n[   36.446085]  driver_probe_device+0x49/0x220\n[   36.447423]  __device_attach_driver+0x19e/0x1b0\n[   36.448931]  bus_for_each_drv+0xcb/0x110\n[   36.450217]  __device_attach+0x132/0x1f0\n[   36.451470]  bus_probe_device+0x59/0xf0\n[   36.452563]  device_add+0x4ec/0x7b0\n[   36.453830]  usb_set_configuration+0xc63/0xe10\n[   36.455230]  usb_generic_driver_probe+0x3b/0x80\n[   36.456166] printk: console [ttyGS0] disabled\n[   36.456569]  usb_probe_device+0x90/0x110\n[   36.459523]  really_probe+0x1d5/0x580\n[   36.461027]  __driver_probe_device+0xe3/0x130\n[   36.462465]  driver_probe_device+0x49/0x220\n[   36.463847]  __device_attach_driver+0x19e/0x1b0\n[   36.465229]  bus_for_each_drv+0xcb/0x110\n[   36.466466]  __device_attach+0x132/0x1f0\n[   36.467799]  bus_probe_device+0x59/0xf0\n[   36.469010]  device_add+0x4ec/0x7b0\n[   36.470125]  usb_new_device+0x863/0xa00\n[   36.471374]  hub_event+0x18c7/0x2220\n[   36.472746]  process_one_work+0x34c/0x5b0\n[   36.474041]  worker_thread+0x4b7/0x890\n[   36.475216]  kthread+0x166/0x190\n[   36.476267]  ret_from_fork+0x22/0x30\n[   36.477447]\n[   36.478160] Freed by task 24:\n[   36.479239]  kasan_set_track+0x50/0x80\n[   36.480512]  kasan_save_free_info+0x2b/0x40\n[   36.481808]  ____kasan_slab_free+0x122/0x1a0\n[   36.483173]  __kmem_cache_free+0xc4/0x200\n[   36.484563]  smsusb_term_device+0xcd/0xf0\n[   36.485896]  smsusb_probe+0xc85/0xc90\n[   36.486976]  usb_probe_interface+0x2d1/0x4c0\n[   36.488303]  really_probe+0x1d5/0x580\n[   36.489498]  __driver_probe_device+0xe3/0x130\n[   36.491140]  driver_probe_device+0x49/0x220\n[   36.492475]  __device_attach_driver+0x19e/0x1b0\n[   36.493988]  bus_for_each_drv+0xcb/0x110\n[   36.495171]  __device_attach+0x132/0x1f0\n[   36.496617]  bus_probe_device+0x59/0xf0\n[   36.497875]  device_add+0x4ec/0x7b0\n[   36.498972]  usb_set_configuration+0xc63/0xe10\n[   36.500264]  usb_generic_driver_probe+0x3b/0x80\n[   36.501740]  usb_probe_device+0x90/0x110\n[   36.503084]  really_probe+0x1d5/0x580\n[   36.504241]  __driver_probe_device+0xe3/0x130\n[   36.505548]  driver_probe_device+0x49/0x220\n[   36.506766]  __device_attach_driver+0x19e/0x1b0\n[   36.508368]  bus_for_each_drv+0xcb/0x110\n[   36.509646]  __device_attach+0x132/0x1f0\n[   36.510911]  bus_probe_device+0x59/0xf0\n[   36.512103]  device_add+0x4ec/0x7b0\n[   36.513215]  usb_new_device+0x863/0xa00\n[   36.514736]  hub_event+0x18c7/0x2220\n[   36.516130]  process_one_work+\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T12:16:00.990Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c379272ea9c2ee36f0a1327b0fb8889c975093f7"
        },
        {
          "url": "https://git.kernel.org/stable/c/1477b00ff582970df110fc9e15a5e2021acb9222"
        },
        {
          "url": "https://git.kernel.org/stable/c/a41bb59eff7a58a6772f84a5b70ad7ec26dad074"
        },
        {
          "url": "https://git.kernel.org/stable/c/42f8ba8355682f6c4125b75503cac0cef4ac91d3"
        },
        {
          "url": "https://git.kernel.org/stable/c/114f768e7314ca9e1fdbebe11267c4403e89e7f2"
        },
        {
          "url": "https://git.kernel.org/stable/c/479796534a450fd44189080d51bebefa3b42c6fc"
        },
        {
          "url": "https://git.kernel.org/stable/c/19aadf0eb70edae7180285dbb9bfa237d1ddb34d"
        },
        {
          "url": "https://git.kernel.org/stable/c/ebad8e731c1c06adf04621d6fd327b860c0861b5"
        }
      ],
      "title": "media: usb: siano: Fix use after free bugs caused by do_submit_urb",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-54270",
    "datePublished": "2025-12-30T12:16:00.990Z",
    "dateReserved": "2025-12-30T12:06:44.519Z",
    "dateUpdated": "2025-12-30T12:16:00.990Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40308 (GCVE-0-2025-40308)

Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2026-01-02 15:33

Title

Bluetooth: bcsp: receive data only if registered

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: bcsp: receive data only if registered Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace: KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f] RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590 Call Trace: <TASK> hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627 tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290 tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f To prevent this, ensure that the HCI_UART_REGISTERED flag is set before processing received data. If the protocol is not registered, return -EUNATCH.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/39a7d40314b6288cf…
	https://git.kernel.org/stable/c/164586725b47f9d61…
	https://git.kernel.org/stable/c/b65ca9708bfbf47d8…
	https://git.kernel.org/stable/c/8b892dbef3887dbe9…
	https://git.kernel.org/stable/c/799cd62cbcc3f12ee…
	https://git.kernel.org/stable/c/b420a4c7f915fc1c9…
	https://git.kernel.org/stable/c/55c1519fca830f59a…
	https://git.kernel.org/stable/c/ca94b2b036c22556c…

Impacted products

Vendor

Product

Version

Linux

Affected: 48effdb7a798232db945503cf3f51e0be8070cea , < 39a7d40314b6288cfa2d13269275e9247a7a055a (git)
Affected: 45fa7bd82c6178f4fec0ab94891144a043ec5fe8 , < 164586725b47f9d61912e6bf17dbaffeff11710b (git)
Affected: d71a57a34ab6bbc95dc461158403c02e8ff3f912 , < b65ca9708bfbf47d8b7bd44b7c574bd16798e9c9 (git)
Affected: 9cf7dccaa7f4c56d2089700e5cb11f85a8d5f6cf , < 8b892dbef3887dbe9afdc7176d1a5fd90e1636aa (git)
Affected: 806464634e7fc6b523160defeeddb1ade2a72f81 , < 799cd62cbcc3f12ee04b33ef390ff7d41c37d671 (git)
Affected: 6b7a32fa9bacdebd98c18b2a56994116995ee643 , < b420a4c7f915fc1c94ad1f6ca740acc046d94334 (git)
Affected: 366ceff495f902182d42b6f41525c2474caf3f9a , < 55c1519fca830f59a10bbf9aa8209c87b06cf7bc (git)
Affected: 366ceff495f902182d42b6f41525c2474caf3f9a , < ca94b2b036c22556c3a66f1b80f490882deef7a6 (git)
Affected: 15543b7bbe7b5f744fdbb44f75b14f81a0117813 (git)
Affected: a4b89a45b12b69bc82c8137346b150a118e02c26 (git)

Linux

Affected: 6.15
Unaffected: 0 , < 6.15 (semver)
Unaffected: 5.4.302 , ≤ 5.4.* (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/bluetooth/hci_bcsp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "39a7d40314b6288cfa2d13269275e9247a7a055a",
              "status": "affected",
              "version": "48effdb7a798232db945503cf3f51e0be8070cea",
              "versionType": "git"
            },
            {
              "lessThan": "164586725b47f9d61912e6bf17dbaffeff11710b",
              "status": "affected",
              "version": "45fa7bd82c6178f4fec0ab94891144a043ec5fe8",
              "versionType": "git"
            },
            {
              "lessThan": "b65ca9708bfbf47d8b7bd44b7c574bd16798e9c9",
              "status": "affected",
              "version": "d71a57a34ab6bbc95dc461158403c02e8ff3f912",
              "versionType": "git"
            },
            {
              "lessThan": "8b892dbef3887dbe9afdc7176d1a5fd90e1636aa",
              "status": "affected",
              "version": "9cf7dccaa7f4c56d2089700e5cb11f85a8d5f6cf",
              "versionType": "git"
            },
            {
              "lessThan": "799cd62cbcc3f12ee04b33ef390ff7d41c37d671",
              "status": "affected",
              "version": "806464634e7fc6b523160defeeddb1ade2a72f81",
              "versionType": "git"
            },
            {
              "lessThan": "b420a4c7f915fc1c94ad1f6ca740acc046d94334",
              "status": "affected",
              "version": "6b7a32fa9bacdebd98c18b2a56994116995ee643",
              "versionType": "git"
            },
            {
              "lessThan": "55c1519fca830f59a10bbf9aa8209c87b06cf7bc",
              "status": "affected",
              "version": "366ceff495f902182d42b6f41525c2474caf3f9a",
              "versionType": "git"
            },
            {
              "lessThan": "ca94b2b036c22556c3a66f1b80f490882deef7a6",
              "status": "affected",
              "version": "366ceff495f902182d42b6f41525c2474caf3f9a",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "15543b7bbe7b5f744fdbb44f75b14f81a0117813",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a4b89a45b12b69bc82c8137346b150a118e02c26",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/bluetooth/hci_bcsp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.15"
            },
            {
              "lessThan": "6.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.302",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.302",
                  "versionStartIncluding": "5.4.293",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "5.10.237",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "5.15.181",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "6.1.135",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "6.6.88",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "6.12.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.13.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.14.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: bcsp: receive data only if registered\n\nCurrently, bcsp_recv() can be called even when the BCSP protocol has not\nbeen registered. This leads to a NULL pointer dereference, as shown in\nthe following stack trace:\n\n    KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f]\n    RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590\n    Call Trace:\n     \u003cTASK\u003e\n     hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627\n     tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290\n     tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706\n     vfs_ioctl fs/ioctl.c:51 [inline]\n     __do_sys_ioctl fs/ioctl.c:907 [inline]\n     __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893\n     do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n     do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94\n     entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nTo prevent this, ensure that the HCI_UART_REGISTERED flag is set before\nprocessing received data. If the protocol is not registered, return\n-EUNATCH."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:33:29.429Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/39a7d40314b6288cfa2d13269275e9247a7a055a"
        },
        {
          "url": "https://git.kernel.org/stable/c/164586725b47f9d61912e6bf17dbaffeff11710b"
        },
        {
          "url": "https://git.kernel.org/stable/c/b65ca9708bfbf47d8b7bd44b7c574bd16798e9c9"
        },
        {
          "url": "https://git.kernel.org/stable/c/8b892dbef3887dbe9afdc7176d1a5fd90e1636aa"
        },
        {
          "url": "https://git.kernel.org/stable/c/799cd62cbcc3f12ee04b33ef390ff7d41c37d671"
        },
        {
          "url": "https://git.kernel.org/stable/c/b420a4c7f915fc1c94ad1f6ca740acc046d94334"
        },
        {
          "url": "https://git.kernel.org/stable/c/55c1519fca830f59a10bbf9aa8209c87b06cf7bc"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca94b2b036c22556c3a66f1b80f490882deef7a6"
        }
      ],
      "title": "Bluetooth: bcsp: receive data only if registered",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40308",
    "datePublished": "2025-12-08T00:46:33.729Z",
    "dateReserved": "2025-04-16T07:20:57.185Z",
    "dateUpdated": "2026-01-02T15:33:29.429Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40316 (GCVE-0-2025-40316)

Vulnerability from cvelistv5 – Published: 2025-12-08 00:46 – Updated: 2025-12-08 00:46

Title

drm/mediatek: Fix device use-after-free on unbind

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: Fix device use-after-free on unbind A recent change fixed device reference leaks when looking up drm platform device driver data during bind() but failed to remove a partial fix which had been added by commit 80805b62ea5b ("drm/mediatek: Fix kobject put for component sub-drivers"). This results in a reference imbalance on component bind() failures and on unbind() which could lead to a user-after-free. Make sure to only drop the references after retrieving the driver data by effectively reverting the previous partial fix. Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a5a896f8315de358a…
	https://git.kernel.org/stable/c/0142fe895986addf3…
	https://git.kernel.org/stable/c/8ba827e09eb586e95…
	https://git.kernel.org/stable/c/926d002e6d7e2f1fd…

Impacted products

Vendor

Product

Version

Linux

Affected: 7d98166183d627c0b9daca7672b2191fae0f8a03 , < a5a896f8315de358a2932e2c23c42d550256046a (git)
Affected: 31ce7c089b50c3d3056c37e0e25e7535e4428ae1 , < 0142fe895986addf35885b43440718e567121155 (git)
Affected: 1f403699c40f0806a707a9a6eed3b8904224021a , < 8ba827e09eb586e952d10e39406fa02d10bb591e (git)
Affected: 1f403699c40f0806a707a9a6eed3b8904224021a , < 926d002e6d7e2f1fd5c1b53cf6208153ee7d380d (git)
Affected: fae58d0155a979a8c414bbc12db09dd4b2f910d0 (git)

Linux

Affected: 6.17
Unaffected: 0 , < 6.17 (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/mediatek/mtk_drm_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a5a896f8315de358a2932e2c23c42d550256046a",
              "status": "affected",
              "version": "7d98166183d627c0b9daca7672b2191fae0f8a03",
              "versionType": "git"
            },
            {
              "lessThan": "0142fe895986addf35885b43440718e567121155",
              "status": "affected",
              "version": "31ce7c089b50c3d3056c37e0e25e7535e4428ae1",
              "versionType": "git"
            },
            {
              "lessThan": "8ba827e09eb586e952d10e39406fa02d10bb591e",
              "status": "affected",
              "version": "1f403699c40f0806a707a9a6eed3b8904224021a",
              "versionType": "git"
            },
            {
              "lessThan": "926d002e6d7e2f1fd5c1b53cf6208153ee7d380d",
              "status": "affected",
              "version": "1f403699c40f0806a707a9a6eed3b8904224021a",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "fae58d0155a979a8c414bbc12db09dd4b2f910d0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/mediatek/mtk_drm_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.17"
            },
            {
              "lessThan": "6.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "6.6.105",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "6.12.45",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "6.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.16.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Fix device use-after-free on unbind\n\nA recent change fixed device reference leaks when looking up drm\nplatform device driver data during bind() but failed to remove a partial\nfix which had been added by commit 80805b62ea5b (\"drm/mediatek: Fix\nkobject put for component sub-drivers\").\n\nThis results in a reference imbalance on component bind() failures and\non unbind() which could lead to a user-after-free.\n\nMake sure to only drop the references after retrieving the driver data\nby effectively reverting the previous partial fix.\n\nNote that holding a reference to a device does not prevent its driver\ndata from going away so there is no point in keeping the reference."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-08T00:46:43.210Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a5a896f8315de358a2932e2c23c42d550256046a"
        },
        {
          "url": "https://git.kernel.org/stable/c/0142fe895986addf35885b43440718e567121155"
        },
        {
          "url": "https://git.kernel.org/stable/c/8ba827e09eb586e952d10e39406fa02d10bb591e"
        },
        {
          "url": "https://git.kernel.org/stable/c/926d002e6d7e2f1fd5c1b53cf6208153ee7d380d"
        }
      ],
      "title": "drm/mediatek: Fix device use-after-free on unbind",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40316",
    "datePublished": "2025-12-08T00:46:43.210Z",
    "dateReserved": "2025-04-16T07:20:57.186Z",
    "dateUpdated": "2025-12-08T00:46:43.210Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40252 (GCVE-0-2025-40252)

Vulnerability from cvelistv5 – Published: 2025-12-04 16:08 – Updated: 2025-12-06 21:38

Title

net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()

Summary

In the Linux kernel, the following vulnerability has been resolved: net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end() The loops in 'qede_tpa_cont()' and 'qede_tpa_end()', iterate over 'cqe->len_list[]' using only a zero-length terminator as the stopping condition. If the terminator was missing or malformed, the loop could run past the end of the fixed-size array. Add an explicit bound check using ARRAY_SIZE() in both loops to prevent a potential out-of-bounds access. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ecbb12caf399d7cf3…
	https://git.kernel.org/stable/c/a778912b4a53587ea…
	https://git.kernel.org/stable/c/f0923011c1261b33a…
	https://git.kernel.org/stable/c/917a9d02182ac8b4f…
	https://git.kernel.org/stable/c/e441db07f208184e0…
	https://git.kernel.org/stable/c/896f1a2493b59beb2…

Impacted products

Vendor

Product

Version

Linux

Affected: 55482edc25f0606851de42e73618f813f310d009 , < ecbb12caf399d7cf364b7553ed5aebeaa2f255bc (git)
Affected: 55482edc25f0606851de42e73618f813f310d009 , < a778912b4a53587ea07d85526d152f85d109cbfe (git)
Affected: 55482edc25f0606851de42e73618f813f310d009 , < f0923011c1261b33a2ac1de349256d39cb750dd0 (git)
Affected: 55482edc25f0606851de42e73618f813f310d009 , < 917a9d02182ac8b4f25eb47dc02f3ec679608c24 (git)
Affected: 55482edc25f0606851de42e73618f813f310d009 , < e441db07f208184e0466abf44b389a81d70c340e (git)
Affected: 55482edc25f0606851de42e73618f813f310d009 , < 896f1a2493b59beb2b5ccdf990503dbb16cb2256 (git)

Linux

Affected: 4.6
Unaffected: 0 , < 4.6 (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.118 , ≤ 6.6.* (semver)
Unaffected: 6.12.60 , ≤ 6.12.* (semver)
Unaffected: 6.17.10 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/qlogic/qede/qede_fp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ecbb12caf399d7cf364b7553ed5aebeaa2f255bc",
              "status": "affected",
              "version": "55482edc25f0606851de42e73618f813f310d009",
              "versionType": "git"
            },
            {
              "lessThan": "a778912b4a53587ea07d85526d152f85d109cbfe",
              "status": "affected",
              "version": "55482edc25f0606851de42e73618f813f310d009",
              "versionType": "git"
            },
            {
              "lessThan": "f0923011c1261b33a2ac1de349256d39cb750dd0",
              "status": "affected",
              "version": "55482edc25f0606851de42e73618f813f310d009",
              "versionType": "git"
            },
            {
              "lessThan": "917a9d02182ac8b4f25eb47dc02f3ec679608c24",
              "status": "affected",
              "version": "55482edc25f0606851de42e73618f813f310d009",
              "versionType": "git"
            },
            {
              "lessThan": "e441db07f208184e0466abf44b389a81d70c340e",
              "status": "affected",
              "version": "55482edc25f0606851de42e73618f813f310d009",
              "versionType": "git"
            },
            {
              "lessThan": "896f1a2493b59beb2b5ccdf990503dbb16cb2256",
              "status": "affected",
              "version": "55482edc25f0606851de42e73618f813f310d009",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/qlogic/qede/qede_fp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.6"
            },
            {
              "lessThan": "4.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.118",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.60",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.118",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.60",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.10",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()\n\nThe loops in \u0027qede_tpa_cont()\u0027 and \u0027qede_tpa_end()\u0027, iterate\nover \u0027cqe-\u003elen_list[]\u0027 using only a zero-length terminator as\nthe stopping condition. If the terminator was missing or\nmalformed, the loop could run past the end of the fixed-size array.\n\nAdd an explicit bound check using ARRAY_SIZE() in both loops to prevent\na potential out-of-bounds access.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-06T21:38:48.403Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ecbb12caf399d7cf364b7553ed5aebeaa2f255bc"
        },
        {
          "url": "https://git.kernel.org/stable/c/a778912b4a53587ea07d85526d152f85d109cbfe"
        },
        {
          "url": "https://git.kernel.org/stable/c/f0923011c1261b33a2ac1de349256d39cb750dd0"
        },
        {
          "url": "https://git.kernel.org/stable/c/917a9d02182ac8b4f25eb47dc02f3ec679608c24"
        },
        {
          "url": "https://git.kernel.org/stable/c/e441db07f208184e0466abf44b389a81d70c340e"
        },
        {
          "url": "https://git.kernel.org/stable/c/896f1a2493b59beb2b5ccdf990503dbb16cb2256"
        }
      ],
      "title": "net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40252",
    "datePublished": "2025-12-04T16:08:14.393Z",
    "dateReserved": "2025-04-16T07:20:57.181Z",
    "dateUpdated": "2025-12-06T21:38:48.403Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50717 (GCVE-0-2022-50717)

Vulnerability from cvelistv5 – Published: 2025-12-24 12:22 – Updated: 2026-01-02 15:04

Title

nvmet-tcp: add bounds check on Transfer Tag

Summary

In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: add bounds check on Transfer Tag ttag is used as an index to get cmd in nvmet_tcp_handle_h2c_data_pdu(), add a bounds check to avoid out-of-bounds access.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0d150ccd55dbfad36…
	https://git.kernel.org/stable/c/d5bb45f47b37d10f0…
	https://git.kernel.org/stable/c/ec8adf767e1cfa703…
	https://git.kernel.org/stable/c/fcf82e4553db911d1…
	https://git.kernel.org/stable/c/752593d04637ebdc8…
	https://git.kernel.org/stable/c/b6a545ffa2c192b1e…

Impacted products

Vendor

Product

Version

Linux

Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < 0d150ccd55dbfad36f55855b40b381884c98456e (git)
Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < d5bb45f47b37d10f010355686b28c9ebacb361d4 (git)
Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < ec8adf767e1cfa7031f853b8c71ba1963f07df15 (git)
Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < fcf82e4553db911d10234ff2390cfd0e2aa854e4 (git)
Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < 752593d04637ebdc87fd29cba81897f21ae053f0 (git)
Affected: 872d26a391da92ed8f0c0f5cb5fef428067b7f30 , < b6a545ffa2c192b1e6da4a7924edac5ba9f4ea2b (git)

Linux

Affected: 5.0
Unaffected: 0 , < 5.0 (semver)
Unaffected: 5.4.220 , ≤ 5.4.* (semver)
Unaffected: 5.10.150 , ≤ 5.10.* (semver)
Unaffected: 5.15.75 , ≤ 5.15.* (semver)
Unaffected: 5.19.17 , ≤ 5.19.* (semver)
Unaffected: 6.0.3 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvme/target/tcp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0d150ccd55dbfad36f55855b40b381884c98456e",
              "status": "affected",
              "version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
              "versionType": "git"
            },
            {
              "lessThan": "d5bb45f47b37d10f010355686b28c9ebacb361d4",
              "status": "affected",
              "version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
              "versionType": "git"
            },
            {
              "lessThan": "ec8adf767e1cfa7031f853b8c71ba1963f07df15",
              "status": "affected",
              "version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
              "versionType": "git"
            },
            {
              "lessThan": "fcf82e4553db911d10234ff2390cfd0e2aa854e4",
              "status": "affected",
              "version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
              "versionType": "git"
            },
            {
              "lessThan": "752593d04637ebdc87fd29cba81897f21ae053f0",
              "status": "affected",
              "version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
              "versionType": "git"
            },
            {
              "lessThan": "b6a545ffa2c192b1e6da4a7924edac5ba9f4ea2b",
              "status": "affected",
              "version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvme/target/tcp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "lessThan": "5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.220",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.220",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.150",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.75",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: add bounds check on Transfer Tag\n\nttag is used as an index to get cmd in nvmet_tcp_handle_h2c_data_pdu(),\nadd a bounds check to avoid out-of-bounds access."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:04:03.799Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0d150ccd55dbfad36f55855b40b381884c98456e"
        },
        {
          "url": "https://git.kernel.org/stable/c/d5bb45f47b37d10f010355686b28c9ebacb361d4"
        },
        {
          "url": "https://git.kernel.org/stable/c/ec8adf767e1cfa7031f853b8c71ba1963f07df15"
        },
        {
          "url": "https://git.kernel.org/stable/c/fcf82e4553db911d10234ff2390cfd0e2aa854e4"
        },
        {
          "url": "https://git.kernel.org/stable/c/752593d04637ebdc87fd29cba81897f21ae053f0"
        },
        {
          "url": "https://git.kernel.org/stable/c/b6a545ffa2c192b1e6da4a7924edac5ba9f4ea2b"
        }
      ],
      "title": "nvmet-tcp: add bounds check on Transfer Tag",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50717",
    "datePublished": "2025-12-24T12:22:41.269Z",
    "dateReserved": "2025-12-24T12:20:40.329Z",
    "dateUpdated": "2026-01-02T15:04:03.799Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40190 (GCVE-0-2025-40190)

Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:19

Title

ext4: guard against EA inode refcount underflow in xattr update

Summary

In the Linux kernel, the following vulnerability has been resolved: ext4: guard against EA inode refcount underflow in xattr update syzkaller found a path where ext4_xattr_inode_update_ref() reads an EA inode refcount that is already <= 0 and then applies ref_change (often -1). That lets the refcount underflow and we proceed with a bogus value, triggering errors like: EXT4-fs error: EA inode <n> ref underflow: ref_count=-1 ref_change=-1 EXT4-fs warning: ea_inode dec ref err=-117 Make the invariant explicit: if the current refcount is non-positive, treat this as on-disk corruption, emit ext4_error_inode(), and fail the operation with -EFSCORRUPTED instead of updating the refcount. Delete the WARN_ONCE() as negative refcounts are now impossible; keep error reporting in ext4_error_inode(). This prevents the underflow and the follow-on orphan/cleanup churn.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ea39e712c2f5ae148…
	https://git.kernel.org/stable/c/1cfb3e4ddbdc8e02e…
	https://git.kernel.org/stable/c/505e69f76ac497e78…
	https://git.kernel.org/stable/c/3d6269028246f4484…
	https://git.kernel.org/stable/c/79ea7f3e11effe1bd…
	https://git.kernel.org/stable/c/6b879c4c6bbaab03c…
	https://git.kernel.org/stable/c/440b003f449a4ff2a…
	https://git.kernel.org/stable/c/57295e835408d8d42…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ea39e712c2f5ae148ee5515798ae03523673e002 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1cfb3e4ddbdc8e02e637b8852540bd4718bf4814 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 505e69f76ac497e788f4ea0267826ec7266b40c8 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 3d6269028246f4484bfed403c947a114bb583631 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 79ea7f3e11effe1bd9e753172981d9029133a278 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6b879c4c6bbaab03c0ad2a983953bd1410bb165e (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 440b003f449a4ff2a00b08c8eab9ba5cd28f3943 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 57295e835408d8d425bef58da5253465db3d6888 (git)

Linux

Unaffected: 5.4.301 , ≤ 5.4.* (semver)
Unaffected: 5.10.246 , ≤ 5.10.* (semver)
Unaffected: 5.15.195 , ≤ 5.15.* (semver)
Unaffected: 6.1.157 , ≤ 6.1.* (semver)
Unaffected: 6.6.113 , ≤ 6.6.* (semver)
Unaffected: 6.12.54 , ≤ 6.12.* (semver)
Unaffected: 6.17.4 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/xattr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ea39e712c2f5ae148ee5515798ae03523673e002",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1cfb3e4ddbdc8e02e637b8852540bd4718bf4814",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "505e69f76ac497e788f4ea0267826ec7266b40c8",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "3d6269028246f4484bfed403c947a114bb583631",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "79ea7f3e11effe1bd9e753172981d9029133a278",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "6b879c4c6bbaab03c0ad2a983953bd1410bb165e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "440b003f449a4ff2a00b08c8eab9ba5cd28f3943",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "57295e835408d8d425bef58da5253465db3d6888",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/xattr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.301",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.246",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.195",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.157",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.54",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.301",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.246",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.195",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.157",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.113",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.54",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: guard against EA inode refcount underflow in xattr update\n\nsyzkaller found a path where ext4_xattr_inode_update_ref() reads an EA\ninode refcount that is already \u003c= 0 and then applies ref_change (often\n-1). That lets the refcount underflow and we proceed with a bogus value,\ntriggering errors like:\n\n  EXT4-fs error: EA inode \u003cn\u003e ref underflow: ref_count=-1 ref_change=-1\n  EXT4-fs warning: ea_inode dec ref err=-117\n\nMake the invariant explicit: if the current refcount is non-positive,\ntreat this as on-disk corruption, emit ext4_error_inode(), and fail the\noperation with -EFSCORRUPTED instead of updating the refcount. Delete the\nWARN_ONCE() as negative refcounts are now impossible; keep error reporting\nin ext4_error_inode().\n\nThis prevents the underflow and the follow-on orphan/cleanup churn."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-01T06:19:49.502Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ea39e712c2f5ae148ee5515798ae03523673e002"
        },
        {
          "url": "https://git.kernel.org/stable/c/1cfb3e4ddbdc8e02e637b8852540bd4718bf4814"
        },
        {
          "url": "https://git.kernel.org/stable/c/505e69f76ac497e788f4ea0267826ec7266b40c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/3d6269028246f4484bfed403c947a114bb583631"
        },
        {
          "url": "https://git.kernel.org/stable/c/79ea7f3e11effe1bd9e753172981d9029133a278"
        },
        {
          "url": "https://git.kernel.org/stable/c/6b879c4c6bbaab03c0ad2a983953bd1410bb165e"
        },
        {
          "url": "https://git.kernel.org/stable/c/440b003f449a4ff2a00b08c8eab9ba5cd28f3943"
        },
        {
          "url": "https://git.kernel.org/stable/c/57295e835408d8d425bef58da5253465db3d6888"
        }
      ],
      "title": "ext4: guard against EA inode refcount underflow in xattr update",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40190",
    "datePublished": "2025-11-12T21:56:30.914Z",
    "dateReserved": "2025-04-16T07:20:57.177Z",
    "dateUpdated": "2025-12-01T06:19:49.502Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68183 (GCVE-0-2025-68183)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:43 – Updated: 2026-01-02 15:34

Title

ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr

Summary

In the Linux kernel, the following vulnerability has been resolved: ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr Currently when both IMA and EVM are in fix mode, the IMA signature will be reset to IMA hash if a program first stores IMA signature in security.ima and then writes/removes some other security xattr for the file. For example, on Fedora, after booting the kernel with "ima_appraise=fix evm=fix ima_policy=appraise_tcb" and installing rpm-plugin-ima, installing/reinstalling a package will not make good reference IMA signature generated. Instead IMA hash is generated, # getfattr -m - -d -e hex /usr/bin/bash # file: usr/bin/bash security.ima=0x0404... This happens because when setting security.selinux, the IMA_DIGSIG flag that had been set early was cleared. As a result, IMA hash is generated when the file is closed. Similarly, IMA signature can be cleared on file close after removing security xattr like security.evm or setting/removing ACL. Prevent replacing the IMA file signature with a file hash, by preventing the IMA_DIGSIG flag from being reset. Here's a minimal C reproducer which sets security.selinux as the last step which can also replaced by removing security.evm or setting ACL, #include <stdio.h> #include <sys/xattr.h> #include <fcntl.h> #include <unistd.h> #include <string.h> #include <stdlib.h> int main() { const char* file_path = "/usr/sbin/test_binary"; const char* hex_string = "030204d33204490066306402304"; int length = strlen(hex_string); char* ima_attr_value; int fd; fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644); if (fd == -1) { perror("Error opening file"); return 1; } ima_attr_value = (char*)malloc(length / 2 ); for (int i = 0, j = 0; i < length; i += 2, j++) { sscanf(hex_string + i, "%2hhx", &ima_attr_value[j]); } if (fsetxattr(fd, "security.ima", ima_attr_value, length/2, 0) == -1) { perror("Error setting extended attribute"); close(fd); return 1; } const char* selinux_value= "system_u:object_r:bin_t:s0"; if (fsetxattr(fd, "security.selinux", selinux_value, strlen(selinux_value), 0) == -1) { perror("Error setting extended attribute"); close(fd); return 1; } close(fd); return 0; }

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d2993a7e98eb70c73…
	https://git.kernel.org/stable/c/edd824eb45e4f7e05…
	https://git.kernel.org/stable/c/02aa671c08a4834be…
	https://git.kernel.org/stable/c/88b4cbcf6b041ae0f…

Impacted products

Vendor

Product

Version

Linux

Affected: e3ccfe1ad7d895487977ef64eda3441d16c9851a , < d2993a7e98eb70c737c6f5365a190e79c72b8407 (git)
Affected: e3ccfe1ad7d895487977ef64eda3441d16c9851a , < edd824eb45e4f7e05ad3ab090dab6dbdb79cd292 (git)
Affected: e3ccfe1ad7d895487977ef64eda3441d16c9851a , < 02aa671c08a4834bef5166743a7b88686fbfa023 (git)
Affected: e3ccfe1ad7d895487977ef64eda3441d16c9851a , < 88b4cbcf6b041ae0f2fc8a34554a5b6a83a2b7cd (git)

Linux

Affected: 5.14
Unaffected: 0 , < 5.14 (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "security/integrity/ima/ima_appraise.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d2993a7e98eb70c737c6f5365a190e79c72b8407",
              "status": "affected",
              "version": "e3ccfe1ad7d895487977ef64eda3441d16c9851a",
              "versionType": "git"
            },
            {
              "lessThan": "edd824eb45e4f7e05ad3ab090dab6dbdb79cd292",
              "status": "affected",
              "version": "e3ccfe1ad7d895487977ef64eda3441d16c9851a",
              "versionType": "git"
            },
            {
              "lessThan": "02aa671c08a4834bef5166743a7b88686fbfa023",
              "status": "affected",
              "version": "e3ccfe1ad7d895487977ef64eda3441d16c9851a",
              "versionType": "git"
            },
            {
              "lessThan": "88b4cbcf6b041ae0f2fc8a34554a5b6a83a2b7cd",
              "status": "affected",
              "version": "e3ccfe1ad7d895487977ef64eda3441d16c9851a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "security/integrity/ima/ima_appraise.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nima: don\u0027t clear IMA_DIGSIG flag when setting or removing non-IMA xattr\n\nCurrently when both IMA and EVM are in fix mode, the IMA signature will\nbe reset to IMA hash if a program first stores IMA signature in\nsecurity.ima and then writes/removes some other security xattr for the\nfile.\n\nFor example, on Fedora, after booting the kernel with \"ima_appraise=fix\nevm=fix ima_policy=appraise_tcb\" and installing rpm-plugin-ima,\ninstalling/reinstalling a package will not make good reference IMA\nsignature generated. Instead IMA hash is generated,\n\n    # getfattr -m - -d -e hex /usr/bin/bash\n    # file: usr/bin/bash\n    security.ima=0x0404...\n\nThis happens because when setting security.selinux, the IMA_DIGSIG flag\nthat had been set early was cleared. As a result, IMA hash is generated\nwhen the file is closed.\n\nSimilarly, IMA signature can be cleared on file close after removing\nsecurity xattr like security.evm or setting/removing ACL.\n\nPrevent replacing the IMA file signature with a file hash, by preventing\nthe IMA_DIGSIG flag from being reset.\n\nHere\u0027s a minimal C reproducer which sets security.selinux as the last\nstep which can also replaced by removing security.evm or setting ACL,\n\n    #include \u003cstdio.h\u003e\n    #include \u003csys/xattr.h\u003e\n    #include \u003cfcntl.h\u003e\n    #include \u003cunistd.h\u003e\n    #include \u003cstring.h\u003e\n    #include \u003cstdlib.h\u003e\n\n    int main() {\n        const char* file_path = \"/usr/sbin/test_binary\";\n        const char* hex_string = \"030204d33204490066306402304\";\n        int length = strlen(hex_string);\n        char* ima_attr_value;\n        int fd;\n\n        fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644);\n        if (fd == -1) {\n            perror(\"Error opening file\");\n            return 1;\n        }\n\n        ima_attr_value = (char*)malloc(length / 2 );\n        for (int i = 0, j = 0; i \u003c length; i += 2, j++) {\n            sscanf(hex_string + i, \"%2hhx\", \u0026ima_attr_value[j]);\n        }\n\n        if (fsetxattr(fd, \"security.ima\", ima_attr_value, length/2, 0) == -1) {\n            perror(\"Error setting extended attribute\");\n            close(fd);\n            return 1;\n        }\n\n        const char* selinux_value= \"system_u:object_r:bin_t:s0\";\n        if (fsetxattr(fd, \"security.selinux\", selinux_value, strlen(selinux_value), 0) == -1) {\n            perror(\"Error setting extended attribute\");\n            close(fd);\n            return 1;\n        }\n\n        close(fd);\n\n        return 0;\n    }"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:34:14.370Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d2993a7e98eb70c737c6f5365a190e79c72b8407"
        },
        {
          "url": "https://git.kernel.org/stable/c/edd824eb45e4f7e05ad3ab090dab6dbdb79cd292"
        },
        {
          "url": "https://git.kernel.org/stable/c/02aa671c08a4834bef5166743a7b88686fbfa023"
        },
        {
          "url": "https://git.kernel.org/stable/c/88b4cbcf6b041ae0f2fc8a34554a5b6a83a2b7cd"
        }
      ],
      "title": "ima: don\u0027t clear IMA_DIGSIG flag when setting or removing non-IMA xattr",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68183",
    "datePublished": "2025-12-16T13:43:01.178Z",
    "dateReserved": "2025-12-16T13:41:40.252Z",
    "dateUpdated": "2026-01-02T15:34:14.370Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50742 (GCVE-0-2022-50742)

Vulnerability from cvelistv5 – Published: 2025-12-24 13:05 – Updated: 2025-12-24 13:05

Title

misc: ocxl: fix possible refcount leak in afu_ioctl()

Summary

In the Linux kernel, the following vulnerability has been resolved: misc: ocxl: fix possible refcount leak in afu_ioctl() eventfd_ctx_put need to be called to put the refcount that gotten by eventfd_ctx_fdget when ocxl_irq_set_handler fails.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/fc797285c40a9cc44…
	https://git.kernel.org/stable/c/7ba19a60c74fb0057…
	https://git.kernel.org/stable/c/11bd8bbdf8f6f5c11…
	https://git.kernel.org/stable/c/843433a02e344d30f…
	https://git.kernel.org/stable/c/66032c43291672bae…
	https://git.kernel.org/stable/c/c3b69ba5114c860d7…

Impacted products

Vendor

Product

Version

Linux

Affected: 060146614643ddc5978c73ffac0329762b4651c9 , < fc797285c40a9cc441357abb3521d3e51c743f67 (git)
Affected: 060146614643ddc5978c73ffac0329762b4651c9 , < 7ba19a60c74fb0057d4daef2fa2cbfc9522f3ba1 (git)
Affected: 060146614643ddc5978c73ffac0329762b4651c9 , < 11bd8bbdf8f6f5c1145bb158793107a57e3a1f07 (git)
Affected: 060146614643ddc5978c73ffac0329762b4651c9 , < 843433a02e344d30fbb62dfd834c60631baaa527 (git)
Affected: 060146614643ddc5978c73ffac0329762b4651c9 , < 66032c43291672bae8b93184d2806f05be3e16df (git)
Affected: 060146614643ddc5978c73ffac0329762b4651c9 , < c3b69ba5114c860d730870c03ab4ee45276e5e35 (git)

Linux

Affected: 5.2
Unaffected: 0 , < 5.2 (semver)
Unaffected: 5.4.220 , ≤ 5.4.* (semver)
Unaffected: 5.10.150 , ≤ 5.10.* (semver)
Unaffected: 5.15.75 , ≤ 5.15.* (semver)
Unaffected: 5.19.17 , ≤ 5.19.* (semver)
Unaffected: 6.0.3 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/misc/ocxl/file.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fc797285c40a9cc441357abb3521d3e51c743f67",
              "status": "affected",
              "version": "060146614643ddc5978c73ffac0329762b4651c9",
              "versionType": "git"
            },
            {
              "lessThan": "7ba19a60c74fb0057d4daef2fa2cbfc9522f3ba1",
              "status": "affected",
              "version": "060146614643ddc5978c73ffac0329762b4651c9",
              "versionType": "git"
            },
            {
              "lessThan": "11bd8bbdf8f6f5c1145bb158793107a57e3a1f07",
              "status": "affected",
              "version": "060146614643ddc5978c73ffac0329762b4651c9",
              "versionType": "git"
            },
            {
              "lessThan": "843433a02e344d30fbb62dfd834c60631baaa527",
              "status": "affected",
              "version": "060146614643ddc5978c73ffac0329762b4651c9",
              "versionType": "git"
            },
            {
              "lessThan": "66032c43291672bae8b93184d2806f05be3e16df",
              "status": "affected",
              "version": "060146614643ddc5978c73ffac0329762b4651c9",
              "versionType": "git"
            },
            {
              "lessThan": "c3b69ba5114c860d730870c03ab4ee45276e5e35",
              "status": "affected",
              "version": "060146614643ddc5978c73ffac0329762b4651c9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/misc/ocxl/file.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.2"
            },
            {
              "lessThan": "5.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.220",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.220",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.150",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.75",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: ocxl: fix possible refcount leak in afu_ioctl()\n\neventfd_ctx_put need to be called to put the refcount that gotten by\neventfd_ctx_fdget when ocxl_irq_set_handler fails."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-24T13:05:39.566Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fc797285c40a9cc441357abb3521d3e51c743f67"
        },
        {
          "url": "https://git.kernel.org/stable/c/7ba19a60c74fb0057d4daef2fa2cbfc9522f3ba1"
        },
        {
          "url": "https://git.kernel.org/stable/c/11bd8bbdf8f6f5c1145bb158793107a57e3a1f07"
        },
        {
          "url": "https://git.kernel.org/stable/c/843433a02e344d30fbb62dfd834c60631baaa527"
        },
        {
          "url": "https://git.kernel.org/stable/c/66032c43291672bae8b93184d2806f05be3e16df"
        },
        {
          "url": "https://git.kernel.org/stable/c/c3b69ba5114c860d730870c03ab4ee45276e5e35"
        }
      ],
      "title": "misc: ocxl: fix possible refcount leak in afu_ioctl()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50742",
    "datePublished": "2025-12-24T13:05:39.566Z",
    "dateReserved": "2025-12-24T13:02:21.543Z",
    "dateUpdated": "2025-12-24T13:05:39.566Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68311 (GCVE-0-2025-68311)

Vulnerability from cvelistv5 – Published: 2025-12-16 15:39 – Updated: 2026-01-02 15:34

Title

tty: serial: ip22zilog: Use platform device for probing

Summary

In the Linux kernel, the following vulnerability has been resolved: tty: serial: ip22zilog: Use platform device for probing After commit 84a9582fd203 ("serial: core: Start managing serial controllers to enable runtime PM") serial drivers need to provide a device in struct uart_port.dev otherwise an oops happens. To fix this issue for ip22zilog driver switch driver to a platform driver and setup the serial device in sgi-ip22 code.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/460e0dc9af2d7790d…
	https://git.kernel.org/stable/c/77a196ca904d66c83…
	https://git.kernel.org/stable/c/3fc36ae6abd263a5c…

Impacted products

Vendor

Product

Version

Linux

Affected: 84a9582fd203063cd4d301204971ff2cd8327f1a , < 460e0dc9af2d7790d5194c6743d79f9b77b58836 (git)
Affected: 84a9582fd203063cd4d301204971ff2cd8327f1a , < 77a196ca904d66c8372aa8fbfc1c4ae3a66dee2e (git)
Affected: 84a9582fd203063cd4d301204971ff2cd8327f1a , < 3fc36ae6abd263a5cbf93b2f5539eccc1fc753f7 (git)

Linux

Affected: 6.5
Unaffected: 0 , < 6.5 (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/mips/sgi-ip22/ip22-platform.c",
            "drivers/tty/serial/ip22zilog.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "460e0dc9af2d7790d5194c6743d79f9b77b58836",
              "status": "affected",
              "version": "84a9582fd203063cd4d301204971ff2cd8327f1a",
              "versionType": "git"
            },
            {
              "lessThan": "77a196ca904d66c8372aa8fbfc1c4ae3a66dee2e",
              "status": "affected",
              "version": "84a9582fd203063cd4d301204971ff2cd8327f1a",
              "versionType": "git"
            },
            {
              "lessThan": "3fc36ae6abd263a5cbf93b2f5539eccc1fc753f7",
              "status": "affected",
              "version": "84a9582fd203063cd4d301204971ff2cd8327f1a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/mips/sgi-ip22/ip22-platform.c",
            "drivers/tty/serial/ip22zilog.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: serial: ip22zilog: Use platform device for probing\n\nAfter commit 84a9582fd203 (\"serial: core: Start managing serial controllers\nto enable runtime PM\") serial drivers need to provide a device in\nstruct uart_port.dev otherwise an oops happens. To fix this issue\nfor ip22zilog driver switch driver to a platform driver and setup\nthe serial device in sgi-ip22 code."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:34:55.431Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/460e0dc9af2d7790d5194c6743d79f9b77b58836"
        },
        {
          "url": "https://git.kernel.org/stable/c/77a196ca904d66c8372aa8fbfc1c4ae3a66dee2e"
        },
        {
          "url": "https://git.kernel.org/stable/c/3fc36ae6abd263a5cbf93b2f5539eccc1fc753f7"
        }
      ],
      "title": "tty: serial: ip22zilog: Use platform device for probing",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68311",
    "datePublished": "2025-12-16T15:39:42.445Z",
    "dateReserved": "2025-12-16T14:48:05.294Z",
    "dateUpdated": "2026-01-02T15:34:55.431Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68238 (GCVE-0-2025-68238)

Vulnerability from cvelistv5 – Published: 2025-12-16 14:08 – Updated: 2025-12-16 14:08

Title

mtd: rawnand: cadence: fix DMA device NULL pointer dereference

Summary

In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: cadence: fix DMA device NULL pointer dereference The DMA device pointer `dma_dev` was being dereferenced before ensuring that `cdns_ctrl->dmac` is properly initialized. Move the assignment of `dma_dev` after successfully acquiring the DMA channel to ensure the pointer is valid before use.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/2178b0255eae108bb…
	https://git.kernel.org/stable/c/9c58c64ec41290c12…
	https://git.kernel.org/stable/c/e282a4fdf3c6ee842…
	https://git.kernel.org/stable/c/b146e0b085d9d6bfe…
	https://git.kernel.org/stable/c/0c635241a62f2f5da…
	https://git.kernel.org/stable/c/0c2a43cb43786011b…
	https://git.kernel.org/stable/c/5c56bf214af85ca04…

Impacted products

Vendor

Product

Version

Linux

Affected: 0cae7c285f4771a9927ef592899234d307aea5d4 , < 2178b0255eae108bb10e5e99658b28641bc06f43 (git)
Affected: 099a316518508be7c57de4134ef919b2dea948ce , < 9c58c64ec41290c12490ca7e1df45013fbbb41fd (git)
Affected: e630d32162a8aab92d4aaebae0a8d93039257593 , < e282a4fdf3c6ee842a720010a8b5f7d77bedd126 (git)
Affected: ad9393467fbd788ac2b8a01e492e45ab1b68a1b1 , < b146e0b085d9d6bfe838e0a15481cba7d093c67f (git)
Affected: 0ce5416863965ddd86e066484a306867cf1e01a8 , < 0c635241a62f2f5da1b48bfffae226d1f86a76ef (git)
Affected: d76d22b5096c5b05208fd982b153b3f182350b19 , < 0c2a43cb43786011b48eeab6093db14888258c6b (git)
Affected: d76d22b5096c5b05208fd982b153b3f182350b19 , < 5c56bf214af85ca042bf97f8584aab2151035840 (git)
Affected: a33c7492dcdf804b705b6c21018a481414d48038 (git)

Linux

Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.118 , ≤ 6.6.* (semver)
Unaffected: 6.12.60 , ≤ 6.12.* (semver)
Unaffected: 6.17.10 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/mtd/nand/raw/cadence-nand-controller.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2178b0255eae108bb10e5e99658b28641bc06f43",
              "status": "affected",
              "version": "0cae7c285f4771a9927ef592899234d307aea5d4",
              "versionType": "git"
            },
            {
              "lessThan": "9c58c64ec41290c12490ca7e1df45013fbbb41fd",
              "status": "affected",
              "version": "099a316518508be7c57de4134ef919b2dea948ce",
              "versionType": "git"
            },
            {
              "lessThan": "e282a4fdf3c6ee842a720010a8b5f7d77bedd126",
              "status": "affected",
              "version": "e630d32162a8aab92d4aaebae0a8d93039257593",
              "versionType": "git"
            },
            {
              "lessThan": "b146e0b085d9d6bfe838e0a15481cba7d093c67f",
              "status": "affected",
              "version": "ad9393467fbd788ac2b8a01e492e45ab1b68a1b1",
              "versionType": "git"
            },
            {
              "lessThan": "0c635241a62f2f5da1b48bfffae226d1f86a76ef",
              "status": "affected",
              "version": "0ce5416863965ddd86e066484a306867cf1e01a8",
              "versionType": "git"
            },
            {
              "lessThan": "0c2a43cb43786011b48eeab6093db14888258c6b",
              "status": "affected",
              "version": "d76d22b5096c5b05208fd982b153b3f182350b19",
              "versionType": "git"
            },
            {
              "lessThan": "5c56bf214af85ca042bf97f8584aab2151035840",
              "status": "affected",
              "version": "d76d22b5096c5b05208fd982b153b3f182350b19",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "a33c7492dcdf804b705b6c21018a481414d48038",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/mtd/nand/raw/cadence-nand-controller.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.118",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.60",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "5.10.235",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "5.15.179",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "6.1.130",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.118",
                  "versionStartIncluding": "6.6.80",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.60",
                  "versionStartIncluding": "6.12.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.10",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.13.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: cadence: fix DMA device NULL pointer dereference\n\nThe DMA device pointer `dma_dev` was being dereferenced before ensuring\nthat `cdns_ctrl-\u003edmac` is properly initialized.\n\nMove the assignment of `dma_dev` after successfully acquiring the DMA\nchannel to ensure the pointer is valid before use."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T14:08:31.672Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2178b0255eae108bb10e5e99658b28641bc06f43"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c58c64ec41290c12490ca7e1df45013fbbb41fd"
        },
        {
          "url": "https://git.kernel.org/stable/c/e282a4fdf3c6ee842a720010a8b5f7d77bedd126"
        },
        {
          "url": "https://git.kernel.org/stable/c/b146e0b085d9d6bfe838e0a15481cba7d093c67f"
        },
        {
          "url": "https://git.kernel.org/stable/c/0c635241a62f2f5da1b48bfffae226d1f86a76ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/0c2a43cb43786011b48eeab6093db14888258c6b"
        },
        {
          "url": "https://git.kernel.org/stable/c/5c56bf214af85ca042bf97f8584aab2151035840"
        }
      ],
      "title": "mtd: rawnand: cadence: fix DMA device NULL pointer dereference",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68238",
    "datePublished": "2025-12-16T14:08:31.672Z",
    "dateReserved": "2025-12-16T13:41:40.263Z",
    "dateUpdated": "2025-12-16T14:08:31.672Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-71120 (GCVE-0-2025-71120)

Vulnerability from cvelistv5 – Published: 2026-01-14 15:06 – Updated: 2026-01-19 12:20

Title

SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf

Summary

In the Linux kernel, the following vulnerability has been resolved: SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf A zero length gss_token results in pages == 0 and in_token->pages[0] is NULL. The code unconditionally evaluates page_address(in_token->pages[0]) for the initial memcpy, which can dereference NULL even when the copy length is 0. Guard the first memcpy so it only runs when length > 0.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a8f1e445ce3545c90…
	https://git.kernel.org/stable/c/4dedb6a11243a5c9e…
	https://git.kernel.org/stable/c/f9e53f69ac3bc4ef5…
	https://git.kernel.org/stable/c/7452d53f293379e2c…
	https://git.kernel.org/stable/c/a2c6f25ab98b423f9…
	https://git.kernel.org/stable/c/1c8bb965e9b0559ff…
	https://git.kernel.org/stable/c/d4b69a6186b215d2d…

Impacted products

Vendor

Product

Version

Linux

Affected: 5866efa8cbfbadf3905072798e96652faf02dbe8 , < a8f1e445ce3545c90d69c9e8ff8f7821825fe810 (git)
Affected: 5866efa8cbfbadf3905072798e96652faf02dbe8 , < 4dedb6a11243a5c9eb9dbb97bca3c98bd725e83d (git)
Affected: 5866efa8cbfbadf3905072798e96652faf02dbe8 , < f9e53f69ac3bc4ef568b08d3542edac02e83fefd (git)
Affected: 5866efa8cbfbadf3905072798e96652faf02dbe8 , < 7452d53f293379e2c38cfa8ad0694aa46fc4788b (git)
Affected: 5866efa8cbfbadf3905072798e96652faf02dbe8 , < a2c6f25ab98b423f99ccd94874d655b8bcb01a19 (git)
Affected: 5866efa8cbfbadf3905072798e96652faf02dbe8 , < 1c8bb965e9b0559ff0f5690615a527c30f651dd8 (git)
Affected: 5866efa8cbfbadf3905072798e96652faf02dbe8 , < d4b69a6186b215d2dc1ebcab965ed88e8d41768d (git)
Affected: 66ed7b413d31c6ff23901ac4443b1cc1af2f6113 (git)
Affected: 7be8c165dc81564705e8e0b72d398ef708f67eaa (git)

Linux

Affected: 5.5
Unaffected: 0 , < 5.5 (semver)
Unaffected: 5.10.248 , ≤ 5.10.* (semver)
Unaffected: 5.15.198 , ≤ 5.15.* (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.64 , ≤ 6.12.* (semver)
Unaffected: 6.18.3 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc3 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sunrpc/auth_gss/svcauth_gss.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a8f1e445ce3545c90d69c9e8ff8f7821825fe810",
              "status": "affected",
              "version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
              "versionType": "git"
            },
            {
              "lessThan": "4dedb6a11243a5c9eb9dbb97bca3c98bd725e83d",
              "status": "affected",
              "version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
              "versionType": "git"
            },
            {
              "lessThan": "f9e53f69ac3bc4ef568b08d3542edac02e83fefd",
              "status": "affected",
              "version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
              "versionType": "git"
            },
            {
              "lessThan": "7452d53f293379e2c38cfa8ad0694aa46fc4788b",
              "status": "affected",
              "version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
              "versionType": "git"
            },
            {
              "lessThan": "a2c6f25ab98b423f99ccd94874d655b8bcb01a19",
              "status": "affected",
              "version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
              "versionType": "git"
            },
            {
              "lessThan": "1c8bb965e9b0559ff0f5690615a527c30f651dd8",
              "status": "affected",
              "version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
              "versionType": "git"
            },
            {
              "lessThan": "d4b69a6186b215d2dc1ebcab965ed88e8d41768d",
              "status": "affected",
              "version": "5866efa8cbfbadf3905072798e96652faf02dbe8",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "66ed7b413d31c6ff23901ac4443b1cc1af2f6113",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "7be8c165dc81564705e8e0b72d398ef708f67eaa",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sunrpc/auth_gss/svcauth_gss.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.5"
            },
            {
              "lessThan": "5.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.248",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.248",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.198",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.64",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.3",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc3",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.99",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf\n\nA zero length gss_token results in pages == 0 and in_token-\u003epages[0]\nis NULL. The code unconditionally evaluates\npage_address(in_token-\u003epages[0]) for the initial memcpy, which can\ndereference NULL even when the copy length is 0. Guard the first\nmemcpy so it only runs when length \u003e 0."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-19T12:20:22.290Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a8f1e445ce3545c90d69c9e8ff8f7821825fe810"
        },
        {
          "url": "https://git.kernel.org/stable/c/4dedb6a11243a5c9eb9dbb97bca3c98bd725e83d"
        },
        {
          "url": "https://git.kernel.org/stable/c/f9e53f69ac3bc4ef568b08d3542edac02e83fefd"
        },
        {
          "url": "https://git.kernel.org/stable/c/7452d53f293379e2c38cfa8ad0694aa46fc4788b"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2c6f25ab98b423f99ccd94874d655b8bcb01a19"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c8bb965e9b0559ff0f5690615a527c30f651dd8"
        },
        {
          "url": "https://git.kernel.org/stable/c/d4b69a6186b215d2dc1ebcab965ed88e8d41768d"
        }
      ],
      "title": "SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-71120",
    "datePublished": "2026-01-14T15:06:07.194Z",
    "dateReserved": "2026-01-13T15:30:19.654Z",
    "dateUpdated": "2026-01-19T12:20:22.290Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68198 (GCVE-0-2025-68198)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:48 – Updated: 2025-12-16 13:48

Title

crash: fix crashkernel resource shrink

Summary

In the Linux kernel, the following vulnerability has been resolved: crash: fix crashkernel resource shrink When crashkernel is configured with a high reservation, shrinking its value below the low crashkernel reservation causes two issues: 1. Invalid crashkernel resource objects 2. Kernel crash if crashkernel shrinking is done twice For example, with crashkernel=200M,high, the kernel reserves 200MB of high memory and some default low memory (say 256MB). The reservation appears as: cat /proc/iomem | grep -i crash af000000-beffffff : Crash kernel 433000000-43f7fffff : Crash kernel If crashkernel is then shrunk to 50MB (echo 52428800 > /sys/kernel/kexec_crash_size), /proc/iomem still shows 256MB reserved: af000000-beffffff : Crash kernel Instead, it should show 50MB: af000000-b21fffff : Crash kernel Further shrinking crashkernel to 40MB causes a kernel crash with the following trace (x86): BUG: kernel NULL pointer dereference, address: 0000000000000038 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI <snip...> Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? page_fault_oops+0x15a/0x2f0 ? search_module_extables+0x19/0x60 ? search_bpf_extables+0x5f/0x80 ? exc_page_fault+0x7e/0x180 ? asm_exc_page_fault+0x26/0x30 ? __release_resource+0xd/0xb0 release_resource+0x26/0x40 __crash_shrink_memory+0xe5/0x110 crash_shrink_memory+0x12a/0x190 kexec_crash_size_store+0x41/0x80 kernfs_fop_write_iter+0x141/0x1f0 vfs_write+0x294/0x460 ksys_write+0x6d/0xf0 <snip...> This happens because __crash_shrink_memory()/kernel/crash_core.c incorrectly updates the crashk_res resource object even when crashk_low_res should be updated. Fix this by ensuring the correct crashkernel resource object is updated when shrinking crashkernel memory.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f01f9c348d76d40bf…
	https://git.kernel.org/stable/c/f89c5e7077f63e45e…
	https://git.kernel.org/stable/c/a2bd247f8c6c5ac3f…
	https://git.kernel.org/stable/c/00fbff75c5acb4755…

Impacted products

Vendor

Product

Version

Linux

Affected: 16c6006af4d4e70ecef93977a5314409d931020b , < f01f9c348d76d40bf104a94449e3ce4057fdefee (git)
Affected: 16c6006af4d4e70ecef93977a5314409d931020b , < f89c5e7077f63e45e8ba5a77b7cf0803130367e6 (git)
Affected: 16c6006af4d4e70ecef93977a5314409d931020b , < a2bd247f8c6c5ac3f0ba823a2fffd77bb9cdf618 (git)
Affected: 16c6006af4d4e70ecef93977a5314409d931020b , < 00fbff75c5acb4755f06f08bd1071879c63940c5 (git)

Linux

Affected: 6.5
Unaffected: 0 , < 6.5 (semver)
Unaffected: 6.6.118 , ≤ 6.6.* (semver)
Unaffected: 6.12.59 , ≤ 6.12.* (semver)
Unaffected: 6.17.9 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/crash_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f01f9c348d76d40bf104a94449e3ce4057fdefee",
              "status": "affected",
              "version": "16c6006af4d4e70ecef93977a5314409d931020b",
              "versionType": "git"
            },
            {
              "lessThan": "f89c5e7077f63e45e8ba5a77b7cf0803130367e6",
              "status": "affected",
              "version": "16c6006af4d4e70ecef93977a5314409d931020b",
              "versionType": "git"
            },
            {
              "lessThan": "a2bd247f8c6c5ac3f0ba823a2fffd77bb9cdf618",
              "status": "affected",
              "version": "16c6006af4d4e70ecef93977a5314409d931020b",
              "versionType": "git"
            },
            {
              "lessThan": "00fbff75c5acb4755f06f08bd1071879c63940c5",
              "status": "affected",
              "version": "16c6006af4d4e70ecef93977a5314409d931020b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/crash_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.118",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.118",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrash: fix crashkernel resource shrink\n\nWhen crashkernel is configured with a high reservation, shrinking its\nvalue below the low crashkernel reservation causes two issues:\n\n1. Invalid crashkernel resource objects\n2. Kernel crash if crashkernel shrinking is done twice\n\nFor example, with crashkernel=200M,high, the kernel reserves 200MB of high\nmemory and some default low memory (say 256MB).  The reservation appears\nas:\n\ncat /proc/iomem | grep -i crash\naf000000-beffffff : Crash kernel\n433000000-43f7fffff : Crash kernel\n\nIf crashkernel is then shrunk to 50MB (echo 52428800 \u003e\n/sys/kernel/kexec_crash_size), /proc/iomem still shows 256MB reserved:\naf000000-beffffff : Crash kernel\n\nInstead, it should show 50MB:\naf000000-b21fffff : Crash kernel\n\nFurther shrinking crashkernel to 40MB causes a kernel crash with the\nfollowing trace (x86):\n\nBUG: kernel NULL pointer dereference, address: 0000000000000038\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\n\u003csnip...\u003e\nCall Trace: \u003cTASK\u003e\n? __die_body.cold+0x19/0x27\n? page_fault_oops+0x15a/0x2f0\n? search_module_extables+0x19/0x60\n? search_bpf_extables+0x5f/0x80\n? exc_page_fault+0x7e/0x180\n? asm_exc_page_fault+0x26/0x30\n? __release_resource+0xd/0xb0\nrelease_resource+0x26/0x40\n__crash_shrink_memory+0xe5/0x110\ncrash_shrink_memory+0x12a/0x190\nkexec_crash_size_store+0x41/0x80\nkernfs_fop_write_iter+0x141/0x1f0\nvfs_write+0x294/0x460\nksys_write+0x6d/0xf0\n\u003csnip...\u003e\n\nThis happens because __crash_shrink_memory()/kernel/crash_core.c\nincorrectly updates the crashk_res resource object even when\ncrashk_low_res should be updated.\n\nFix this by ensuring the correct crashkernel resource object is updated\nwhen shrinking crashkernel memory."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T13:48:26.998Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f01f9c348d76d40bf104a94449e3ce4057fdefee"
        },
        {
          "url": "https://git.kernel.org/stable/c/f89c5e7077f63e45e8ba5a77b7cf0803130367e6"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2bd247f8c6c5ac3f0ba823a2fffd77bb9cdf618"
        },
        {
          "url": "https://git.kernel.org/stable/c/00fbff75c5acb4755f06f08bd1071879c63940c5"
        }
      ],
      "title": "crash: fix crashkernel resource shrink",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68198",
    "datePublished": "2025-12-16T13:48:26.998Z",
    "dateReserved": "2025-12-16T13:41:40.254Z",
    "dateUpdated": "2025-12-16T13:48:26.998Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68747 (GCVE-0-2025-68747)

Vulnerability from cvelistv5 – Published: 2025-12-24 12:09 – Updated: 2025-12-24 12:09

Title

drm/panthor: Fix UAF on kernel BO VA nodes

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Fix UAF on kernel BO VA nodes If the MMU is down, panthor_vm_unmap_range() might return an error. We expect the page table to be updated still, and if the MMU is blocked, the rest of the GPU should be blocked too, so no risk of accessing physical memory returned to the system (which the current code doesn't cover for anyway). Proceed with the rest of the cleanup instead of bailing out and leaving the va_node inserted in the drm_mm, which leads to UAF when other adjacent nodes are removed from the drm_mm tree.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/5a0060ddfc1fcfdb0…
	https://git.kernel.org/stable/c/1123eadb843588b36…
	https://git.kernel.org/stable/c/0612704b6f6ddf2ae…
	https://git.kernel.org/stable/c/98dd5143447af0ee3…

Impacted products

Vendor

Product

Version

Linux

Affected: 8a1cc07578bf42d85f008316873d710ff684dd29 , < 5a0060ddfc1fcfdb0f7b4fa1b7b3b0c436151391 (git)
Affected: 8a1cc07578bf42d85f008316873d710ff684dd29 , < 1123eadb843588b361c96f53a771202b7953154f (git)
Affected: 8a1cc07578bf42d85f008316873d710ff684dd29 , < 0612704b6f6ddf2ae223019c52148c5ac76cf70e (git)
Affected: 8a1cc07578bf42d85f008316873d710ff684dd29 , < 98dd5143447af0ee33551776d8b2560c35d0bc4a (git)

Linux

Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.12.63 , ≤ 6.12.* (semver)
Unaffected: 6.17.13 , ≤ 6.17.* (semver)
Unaffected: 6.18.2 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/panthor/panthor_gem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5a0060ddfc1fcfdb0f7b4fa1b7b3b0c436151391",
              "status": "affected",
              "version": "8a1cc07578bf42d85f008316873d710ff684dd29",
              "versionType": "git"
            },
            {
              "lessThan": "1123eadb843588b361c96f53a771202b7953154f",
              "status": "affected",
              "version": "8a1cc07578bf42d85f008316873d710ff684dd29",
              "versionType": "git"
            },
            {
              "lessThan": "0612704b6f6ddf2ae223019c52148c5ac76cf70e",
              "status": "affected",
              "version": "8a1cc07578bf42d85f008316873d710ff684dd29",
              "versionType": "git"
            },
            {
              "lessThan": "98dd5143447af0ee33551776d8b2560c35d0bc4a",
              "status": "affected",
              "version": "8a1cc07578bf42d85f008316873d710ff684dd29",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/panthor/panthor_gem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.63",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.63",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.13",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.2",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panthor: Fix UAF on kernel BO VA nodes\n\nIf the MMU is down, panthor_vm_unmap_range() might return an error.\nWe expect the page table to be updated still, and if the MMU is blocked,\nthe rest of the GPU should be blocked too, so no risk of accessing\nphysical memory returned to the system (which the current code doesn\u0027t\ncover for anyway).\n\nProceed with the rest of the cleanup instead of bailing out and leaving\nthe va_node inserted in the drm_mm, which leads to UAF when other\nadjacent nodes are removed from the drm_mm tree."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-24T12:09:42.925Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5a0060ddfc1fcfdb0f7b4fa1b7b3b0c436151391"
        },
        {
          "url": "https://git.kernel.org/stable/c/1123eadb843588b361c96f53a771202b7953154f"
        },
        {
          "url": "https://git.kernel.org/stable/c/0612704b6f6ddf2ae223019c52148c5ac76cf70e"
        },
        {
          "url": "https://git.kernel.org/stable/c/98dd5143447af0ee33551776d8b2560c35d0bc4a"
        }
      ],
      "title": "drm/panthor: Fix UAF on kernel BO VA nodes",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68747",
    "datePublished": "2025-12-24T12:09:42.925Z",
    "dateReserved": "2025-12-24T10:30:51.031Z",
    "dateUpdated": "2025-12-24T12:09:42.925Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39977 (GCVE-0-2025-39977)

Vulnerability from cvelistv5 – Published: 2025-10-15 07:55 – Updated: 2025-10-15 07:55

Title

futex: Prevent use-after-free during requeue-PI

Summary

In the Linux kernel, the following vulnerability has been resolved: futex: Prevent use-after-free during requeue-PI syzbot managed to trigger the following race: T1 T2 futex_wait_requeue_pi() futex_do_wait() schedule() futex_requeue() futex_proxy_trylock_atomic() futex_requeue_pi_prepare() requeue_pi_wake_futex() futex_requeue_pi_complete() /* preempt */ * timeout/ signal wakes T1 * futex_requeue_pi_wakeup_sync() // Q_REQUEUE_PI_LOCKED futex_hash_put() // back to userland, on stack futex_q is garbage /* back */ wake_up_state(q->task, TASK_NORMAL); In this scenario futex_wait_requeue_pi() is able to leave without using futex_q::lock_ptr for synchronization. This can be prevented by reading futex_q::task before updating the futex_q::requeue_state. A reference on the task_struct is not needed because requeue_pi_wake_futex() is invoked with a spinlock_t held which implies a RCU read section. Even if T1 terminates immediately after, the task_struct will remain valid during T2's wake_up_state(). A READ_ONCE on futex_q::task before futex_requeue_pi_complete() is enough because it ensures that the variable is read before the state is updated. Read futex_q::task before updating the requeue state, use it for the following wakeup.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/cb5d19a61274b51b4…
	https://git.kernel.org/stable/c/348736955ed6ca6e9…
	https://git.kernel.org/stable/c/a170b9c0dde83312b…
	https://git.kernel.org/stable/c/d824b2dbdcfe3c390…
	https://git.kernel.org/stable/c/b549113738e8c751b…

Impacted products

Vendor

Product

Version

Linux

Affected: 07d91ef510fb16a2e0ca7453222105835b7ba3b8 , < cb5d19a61274b51b49601214a87af573b43d60fa (git)
Affected: 07d91ef510fb16a2e0ca7453222105835b7ba3b8 , < 348736955ed6ca6e99ca24b93b1d3fbfe352c181 (git)
Affected: 07d91ef510fb16a2e0ca7453222105835b7ba3b8 , < a170b9c0dde83312b8b58ccc91509c7c15711641 (git)
Affected: 07d91ef510fb16a2e0ca7453222105835b7ba3b8 , < d824b2dbdcfe3c390278dd9652ea526168ef6850 (git)
Affected: 07d91ef510fb16a2e0ca7453222105835b7ba3b8 , < b549113738e8c751b613118032a724b772aa83f2 (git)

Linux

Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 6.1.155 , ≤ 6.1.* (semver)
Unaffected: 6.6.109 , ≤ 6.6.* (semver)
Unaffected: 6.12.50 , ≤ 6.12.* (semver)
Unaffected: 6.16.10 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/futex/requeue.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cb5d19a61274b51b49601214a87af573b43d60fa",
              "status": "affected",
              "version": "07d91ef510fb16a2e0ca7453222105835b7ba3b8",
              "versionType": "git"
            },
            {
              "lessThan": "348736955ed6ca6e99ca24b93b1d3fbfe352c181",
              "status": "affected",
              "version": "07d91ef510fb16a2e0ca7453222105835b7ba3b8",
              "versionType": "git"
            },
            {
              "lessThan": "a170b9c0dde83312b8b58ccc91509c7c15711641",
              "status": "affected",
              "version": "07d91ef510fb16a2e0ca7453222105835b7ba3b8",
              "versionType": "git"
            },
            {
              "lessThan": "d824b2dbdcfe3c390278dd9652ea526168ef6850",
              "status": "affected",
              "version": "07d91ef510fb16a2e0ca7453222105835b7ba3b8",
              "versionType": "git"
            },
            {
              "lessThan": "b549113738e8c751b613118032a724b772aa83f2",
              "status": "affected",
              "version": "07d91ef510fb16a2e0ca7453222105835b7ba3b8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/futex/requeue.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.155",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.109",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.50",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.155",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.109",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.50",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.10",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfutex: Prevent use-after-free during requeue-PI\n\nsyzbot managed to trigger the following race:\n\n   T1                               T2\n\n futex_wait_requeue_pi()\n   futex_do_wait()\n     schedule()\n                               futex_requeue()\n                                 futex_proxy_trylock_atomic()\n                                   futex_requeue_pi_prepare()\n                                   requeue_pi_wake_futex()\n                                     futex_requeue_pi_complete()\n                                      /* preempt */\n\n         * timeout/ signal wakes T1 *\n\n   futex_requeue_pi_wakeup_sync() // Q_REQUEUE_PI_LOCKED\n   futex_hash_put()\n  // back to userland, on stack futex_q is garbage\n\n                                      /* back */\n                                     wake_up_state(q-\u003etask, TASK_NORMAL);\n\nIn this scenario futex_wait_requeue_pi() is able to leave without using\nfutex_q::lock_ptr for synchronization.\n\nThis can be prevented by reading futex_q::task before updating the\nfutex_q::requeue_state. A reference on the task_struct is not needed\nbecause requeue_pi_wake_futex() is invoked with a spinlock_t held which\nimplies a RCU read section.\n\nEven if T1 terminates immediately after, the task_struct will remain valid\nduring T2\u0027s wake_up_state().  A READ_ONCE on futex_q::task before\nfutex_requeue_pi_complete() is enough because it ensures that the variable\nis read before the state is updated.\n\nRead futex_q::task before updating the requeue state, use it for the\nfollowing wakeup."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-15T07:55:58.283Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cb5d19a61274b51b49601214a87af573b43d60fa"
        },
        {
          "url": "https://git.kernel.org/stable/c/348736955ed6ca6e99ca24b93b1d3fbfe352c181"
        },
        {
          "url": "https://git.kernel.org/stable/c/a170b9c0dde83312b8b58ccc91509c7c15711641"
        },
        {
          "url": "https://git.kernel.org/stable/c/d824b2dbdcfe3c390278dd9652ea526168ef6850"
        },
        {
          "url": "https://git.kernel.org/stable/c/b549113738e8c751b613118032a724b772aa83f2"
        }
      ],
      "title": "futex: Prevent use-after-free during requeue-PI",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39977",
    "datePublished": "2025-10-15T07:55:58.283Z",
    "dateReserved": "2025-04-16T07:20:57.150Z",
    "dateUpdated": "2025-10-15T07:55:58.283Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21772 (GCVE-0-2025-21772)

Vulnerability from cvelistv5 – Published: 2025-02-27 02:18 – Updated: 2026-01-02 15:28

Title

partitions: mac: fix handling of bogus partition table

Summary

In the Linux kernel, the following vulnerability has been resolved: partitions: mac: fix handling of bogus partition table Fix several issues in partition probing: - The bailout for a bad partoffset must use put_dev_sector(), since the preceding read_part_sector() succeeded. - If the partition table claims a silly sector size like 0xfff bytes (which results in partition table entries straddling sector boundaries), bail out instead of accessing out-of-bounds memory. - We must not assume that the partition table contains proper NUL termination - use strnlen() and strncmp() instead of strlen() and strcmp().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a3e77da9f843e4ab9…
	https://git.kernel.org/stable/c/213ba5bd81b7e97ac…
	https://git.kernel.org/stable/c/40a35d14f3c0dc72b…
	https://git.kernel.org/stable/c/27a39d006f85e869b…
	https://git.kernel.org/stable/c/92527100be38ede92…
	https://git.kernel.org/stable/c/6578717ebca916781…
	https://git.kernel.org/stable/c/7fa9706722882f634…
	https://git.kernel.org/stable/c/80e648042e512d5a7…

Impacted products

Vendor

Product

Version

Linux

Affected: 02e2a5bfebe99edcf9d694575a75032d53fe1b73 , < a3e77da9f843e4ab93917d30c314f0283e28c124 (git)
Affected: 02e2a5bfebe99edcf9d694575a75032d53fe1b73 , < 213ba5bd81b7e97ac6e6190b8f3bc6ba76123625 (git)
Affected: 02e2a5bfebe99edcf9d694575a75032d53fe1b73 , < 40a35d14f3c0dc72b689061ec72fc9b193f37d1f (git)
Affected: 02e2a5bfebe99edcf9d694575a75032d53fe1b73 , < 27a39d006f85e869be68c1d5d2ce05e5d6445bf5 (git)
Affected: 02e2a5bfebe99edcf9d694575a75032d53fe1b73 , < 92527100be38ede924768f4277450dfe8a40e16b (git)
Affected: 02e2a5bfebe99edcf9d694575a75032d53fe1b73 , < 6578717ebca91678131d2b1f4ba4258e60536e9f (git)
Affected: 02e2a5bfebe99edcf9d694575a75032d53fe1b73 , < 7fa9706722882f634090bfc9af642bf9ed719e27 (git)
Affected: 02e2a5bfebe99edcf9d694575a75032d53fe1b73 , < 80e648042e512d5a767da251d44132553fe04ae0 (git)
Affected: 81a319c5c29913a23947f3d28513974682f3af03 (git)
Affected: 34a906cd9f6445d9510841667eff0d980279ebf3 (git)
Affected: 2a27f61bd411e564eb4651c18d225f6e9e1de534 (git)
Affected: 69aad7e01c8e883e9d2f8dc5523bd419bd02d2aa (git)
Affected: 7f4f03c4a1e9a4b9679feafe7625a780864a4e76 (git)

Linux

Affected: 4.4
Unaffected: 0 , < 4.4 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.6.79 , ≤ 6.6.* (semver)
Unaffected: 6.12.16 , ≤ 6.12.* (semver)
Unaffected: 6.13.4 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:37:27.124Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "block/partitions/mac.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a3e77da9f843e4ab93917d30c314f0283e28c124",
              "status": "affected",
              "version": "02e2a5bfebe99edcf9d694575a75032d53fe1b73",
              "versionType": "git"
            },
            {
              "lessThan": "213ba5bd81b7e97ac6e6190b8f3bc6ba76123625",
              "status": "affected",
              "version": "02e2a5bfebe99edcf9d694575a75032d53fe1b73",
              "versionType": "git"
            },
            {
              "lessThan": "40a35d14f3c0dc72b689061ec72fc9b193f37d1f",
              "status": "affected",
              "version": "02e2a5bfebe99edcf9d694575a75032d53fe1b73",
              "versionType": "git"
            },
            {
              "lessThan": "27a39d006f85e869be68c1d5d2ce05e5d6445bf5",
              "status": "affected",
              "version": "02e2a5bfebe99edcf9d694575a75032d53fe1b73",
              "versionType": "git"
            },
            {
              "lessThan": "92527100be38ede924768f4277450dfe8a40e16b",
              "status": "affected",
              "version": "02e2a5bfebe99edcf9d694575a75032d53fe1b73",
              "versionType": "git"
            },
            {
              "lessThan": "6578717ebca91678131d2b1f4ba4258e60536e9f",
              "status": "affected",
              "version": "02e2a5bfebe99edcf9d694575a75032d53fe1b73",
              "versionType": "git"
            },
            {
              "lessThan": "7fa9706722882f634090bfc9af642bf9ed719e27",
              "status": "affected",
              "version": "02e2a5bfebe99edcf9d694575a75032d53fe1b73",
              "versionType": "git"
            },
            {
              "lessThan": "80e648042e512d5a767da251d44132553fe04ae0",
              "status": "affected",
              "version": "02e2a5bfebe99edcf9d694575a75032d53fe1b73",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "81a319c5c29913a23947f3d28513974682f3af03",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "34a906cd9f6445d9510841667eff0d980279ebf3",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "2a27f61bd411e564eb4651c18d225f6e9e1de534",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "69aad7e01c8e883e9d2f8dc5523bd419bd02d2aa",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "7f4f03c4a1e9a4b9679feafe7625a780864a4e76",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "block/partitions/mac.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.4"
            },
            {
              "lessThan": "4.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.2.75",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.4.113",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.10.99",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.12.56",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.14.63",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npartitions: mac: fix handling of bogus partition table\n\nFix several issues in partition probing:\n\n - The bailout for a bad partoffset must use put_dev_sector(), since the\n   preceding read_part_sector() succeeded.\n - If the partition table claims a silly sector size like 0xfff bytes\n   (which results in partition table entries straddling sector boundaries),\n   bail out instead of accessing out-of-bounds memory.\n - We must not assume that the partition table contains proper NUL\n   termination - use strnlen() and strncmp() instead of strlen() and\n   strcmp()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:28:33.911Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a3e77da9f843e4ab93917d30c314f0283e28c124"
        },
        {
          "url": "https://git.kernel.org/stable/c/213ba5bd81b7e97ac6e6190b8f3bc6ba76123625"
        },
        {
          "url": "https://git.kernel.org/stable/c/40a35d14f3c0dc72b689061ec72fc9b193f37d1f"
        },
        {
          "url": "https://git.kernel.org/stable/c/27a39d006f85e869be68c1d5d2ce05e5d6445bf5"
        },
        {
          "url": "https://git.kernel.org/stable/c/92527100be38ede924768f4277450dfe8a40e16b"
        },
        {
          "url": "https://git.kernel.org/stable/c/6578717ebca91678131d2b1f4ba4258e60536e9f"
        },
        {
          "url": "https://git.kernel.org/stable/c/7fa9706722882f634090bfc9af642bf9ed719e27"
        },
        {
          "url": "https://git.kernel.org/stable/c/80e648042e512d5a767da251d44132553fe04ae0"
        }
      ],
      "title": "partitions: mac: fix handling of bogus partition table",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21772",
    "datePublished": "2025-02-27T02:18:19.528Z",
    "dateReserved": "2024-12-29T08:45:45.762Z",
    "dateUpdated": "2026-01-02T15:28:33.911Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38068 (GCVE-0-2025-38068)

Vulnerability from cvelistv5 – Published: 2025-06-18 09:33 – Updated: 2026-01-02 15:29

Title

crypto: lzo - Fix compression buffer overrun

Summary

In the Linux kernel, the following vulnerability has been resolved: crypto: lzo - Fix compression buffer overrun Unlike the decompression code, the compression code in LZO never checked for output overruns. It instead assumes that the caller always provides enough buffer space, disregarding the buffer length provided by the caller. Add a safe compression interface that checks for the end of buffer before each write. Use the safe interface in crypto/lzo.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4b173bb2c4665c23f…
	https://git.kernel.org/stable/c/a98bd864e16f91c70…
	https://git.kernel.org/stable/c/0acdc4d6e679ba31d…
	https://git.kernel.org/stable/c/7caad075acb634a74…
	https://git.kernel.org/stable/c/167373d77c70c2b55…
	https://git.kernel.org/stable/c/cc47f07234f72cbd8…

Impacted products

Vendor

Product

Version

Linux

Affected: 64c70b1cf43de158282bc1675918d503e5b15cc1 , < 4b173bb2c4665c23f8fcf5241c7b06dfa6b5b111 (git)
Affected: 64c70b1cf43de158282bc1675918d503e5b15cc1 , < a98bd864e16f91c70b2469adf013d713d04d1d13 (git)
Affected: 64c70b1cf43de158282bc1675918d503e5b15cc1 , < 0acdc4d6e679ba31d01e3e7e2e4124b76d6d8e2a (git)
Affected: 64c70b1cf43de158282bc1675918d503e5b15cc1 , < 7caad075acb634a74911830d6386c50ea12566cd (git)
Affected: 64c70b1cf43de158282bc1675918d503e5b15cc1 , < 167373d77c70c2b558aae3e327b115249bb2652c (git)
Affected: 64c70b1cf43de158282bc1675918d503e5b15cc1 , < cc47f07234f72cbd8e2c973cdbf2a6730660a463 (git)

Linux

Affected: 2.6.23
Unaffected: 0 , < 2.6.23 (semver)
Unaffected: 5.15.185 , ≤ 5.15.* (semver)
Unaffected: 6.1.141 , ≤ 6.1.* (semver)
Unaffected: 6.6.93 , ≤ 6.6.* (semver)
Unaffected: 6.12.31 , ≤ 6.12.* (semver)
Unaffected: 6.14.9 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:33:37.495Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "crypto/lzo-rle.c",
            "crypto/lzo.c",
            "include/linux/lzo.h",
            "lib/lzo/Makefile",
            "lib/lzo/lzo1x_compress.c",
            "lib/lzo/lzo1x_compress_safe.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4b173bb2c4665c23f8fcf5241c7b06dfa6b5b111",
              "status": "affected",
              "version": "64c70b1cf43de158282bc1675918d503e5b15cc1",
              "versionType": "git"
            },
            {
              "lessThan": "a98bd864e16f91c70b2469adf013d713d04d1d13",
              "status": "affected",
              "version": "64c70b1cf43de158282bc1675918d503e5b15cc1",
              "versionType": "git"
            },
            {
              "lessThan": "0acdc4d6e679ba31d01e3e7e2e4124b76d6d8e2a",
              "status": "affected",
              "version": "64c70b1cf43de158282bc1675918d503e5b15cc1",
              "versionType": "git"
            },
            {
              "lessThan": "7caad075acb634a74911830d6386c50ea12566cd",
              "status": "affected",
              "version": "64c70b1cf43de158282bc1675918d503e5b15cc1",
              "versionType": "git"
            },
            {
              "lessThan": "167373d77c70c2b558aae3e327b115249bb2652c",
              "status": "affected",
              "version": "64c70b1cf43de158282bc1675918d503e5b15cc1",
              "versionType": "git"
            },
            {
              "lessThan": "cc47f07234f72cbd8e2c973cdbf2a6730660a463",
              "status": "affected",
              "version": "64c70b1cf43de158282bc1675918d503e5b15cc1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "crypto/lzo-rle.c",
            "crypto/lzo.c",
            "include/linux/lzo.h",
            "lib/lzo/Makefile",
            "lib/lzo/lzo1x_compress.c",
            "lib/lzo/lzo1x_compress_safe.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.23"
            },
            {
              "lessThan": "2.6.23",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.185",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.185",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.141",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "2.6.23",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: lzo - Fix compression buffer overrun\n\nUnlike the decompression code, the compression code in LZO never\nchecked for output overruns.  It instead assumes that the caller\nalways provides enough buffer space, disregarding the buffer length\nprovided by the caller.\n\nAdd a safe compression interface that checks for the end of buffer\nbefore each write.  Use the safe interface in crypto/lzo."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:29:57.023Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4b173bb2c4665c23f8fcf5241c7b06dfa6b5b111"
        },
        {
          "url": "https://git.kernel.org/stable/c/a98bd864e16f91c70b2469adf013d713d04d1d13"
        },
        {
          "url": "https://git.kernel.org/stable/c/0acdc4d6e679ba31d01e3e7e2e4124b76d6d8e2a"
        },
        {
          "url": "https://git.kernel.org/stable/c/7caad075acb634a74911830d6386c50ea12566cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/167373d77c70c2b558aae3e327b115249bb2652c"
        },
        {
          "url": "https://git.kernel.org/stable/c/cc47f07234f72cbd8e2c973cdbf2a6730660a463"
        }
      ],
      "title": "crypto: lzo - Fix compression buffer overrun",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38068",
    "datePublished": "2025-06-18T09:33:46.125Z",
    "dateReserved": "2025-04-16T04:51:23.980Z",
    "dateUpdated": "2026-01-02T15:29:57.023Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40269 (GCVE-0-2025-40269)

Vulnerability from cvelistv5 – Published: 2025-12-06 21:50 – Updated: 2026-01-02 15:33

Title

ALSA: usb-audio: Fix potential overflow of PCM transfer buffer

Summary

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix potential overflow of PCM transfer buffer The PCM stream data in USB-audio driver is transferred over USB URB packet buffers, and each packet size is determined dynamically. The packet sizes are limited by some factors such as wMaxPacketSize USB descriptor. OTOH, in the current code, the actually used packet sizes are determined only by the rate and the PPS, which may be bigger than the size limit above. This results in a buffer overflow, as reported by syzbot. Basically when the limit is smaller than the calculated packet size, it implies that something is wrong, most likely a weird USB descriptor. So the best option would be just to return an error at the parameter setup time before doing any further operations. This patch introduces such a sanity check, and returns -EINVAL when the packet size is greater than maxpacksize. The comparison with ep->packsize[1] alone should suffice since it's always equal or greater than ep->packsize[0].

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/480a1490c595a242f…
	https://git.kernel.org/stable/c/ab0b5e92fc36ee82c…
	https://git.kernel.org/stable/c/282aba56713bbc581…
	https://git.kernel.org/stable/c/c4dc012b027c9eb10…
	https://git.kernel.org/stable/c/e0ed5a36fb3ab9e7b…
	https://git.kernel.org/stable/c/d67dde02049e632ba…
	https://git.kernel.org/stable/c/6a5da3fa80affc948…
	https://git.kernel.org/stable/c/217d47255a2ec8b24…
	https://git.kernel.org/stable/c/ef592bf2232a2daa9…
	https://git.kernel.org/stable/c/ece3b981bb6620e47…
	https://git.kernel.org/stable/c/98e9d5e33bda8db87…
	https://git.kernel.org/stable/c/d2c04f20ccc6c0d21…
	https://git.kernel.org/stable/c/05a1fc5efdd8560f3…

Impacted products

Vendor

Product

Version

Linux

Affected: 02c56650f3c118d3752122996d96173d26bb13aa , < 480a1490c595a242f27493a4544b3efb21b29f6a (git)
Affected: 5ef30e443e6d3654cccecec99cf481a69a0a6d3b , < ab0b5e92fc36ee82c1bd01fe896d0f775ed5de41 (git)
Affected: 99703c921864a318e3e8aae74fde071b1ff35bea , < 282aba56713bbc58155716b55ca7222b2d9cf3c8 (git)
Affected: 2d50acd7dbd0682a56968ad9551341d7fc5b6eaf , < c4dc012b027c9eb101583011089dea14d744e314 (git)
Affected: aba41867dd66939d336fdf604e4d73b805d8039f , < e0ed5a36fb3ab9e7b9ee45cd17f09f6d5f594360 (git)
Affected: d288dc74f8cf95cb7ae0aaf245b7128627a49bf3 , < d67dde02049e632ba58d3c44a164a74b6a737154 (git)
Affected: f0bd62b64016508938df9babe47f65c2c727d25c , < 6a5da3fa80affc948923f20a4e086177f505e86e (git)
Affected: f0bd62b64016508938df9babe47f65c2c727d25c , < 217d47255a2ec8b246f2725f5db9ac3f1d4109d7 (git)
Affected: f0bd62b64016508938df9babe47f65c2c727d25c , < ef592bf2232a2daa9fffa8881881fc9957ea56e9 (git)
Affected: f0bd62b64016508938df9babe47f65c2c727d25c , < ece3b981bb6620e47fac826a2156c090b1a936a0 (git)
Affected: f0bd62b64016508938df9babe47f65c2c727d25c , < 98e9d5e33bda8db875cc1a4fe99c192658e45ab6 (git)
Affected: f0bd62b64016508938df9babe47f65c2c727d25c , < d2c04f20ccc6c0d219e6d3038bab45bc66a178ad (git)
Affected: f0bd62b64016508938df9babe47f65c2c727d25c , < 05a1fc5efdd8560f34a3af39c9cf1e1526cc3ddf (git)

Linux

Affected: 5.8
Unaffected: 0 , < 5.8 (semver)
Unaffected: 4.4.230 , ≤ 4.4.* (semver)
Unaffected: 4.9.230 , ≤ 4.9.* (semver)
Unaffected: 4.14.188 , ≤ 4.14.* (semver)
Unaffected: 4.19.132 , ≤ 4.19.* (semver)
Unaffected: 5.4.51 , ≤ 5.4.* (semver)
Unaffected: 5.7.8 , ≤ 5.7.* (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.59 , ≤ 6.12.* (semver)
Unaffected: 6.17.9 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/usb/endpoint.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "480a1490c595a242f27493a4544b3efb21b29f6a",
              "status": "affected",
              "version": "02c56650f3c118d3752122996d96173d26bb13aa",
              "versionType": "git"
            },
            {
              "lessThan": "ab0b5e92fc36ee82c1bd01fe896d0f775ed5de41",
              "status": "affected",
              "version": "5ef30e443e6d3654cccecec99cf481a69a0a6d3b",
              "versionType": "git"
            },
            {
              "lessThan": "282aba56713bbc58155716b55ca7222b2d9cf3c8",
              "status": "affected",
              "version": "99703c921864a318e3e8aae74fde071b1ff35bea",
              "versionType": "git"
            },
            {
              "lessThan": "c4dc012b027c9eb101583011089dea14d744e314",
              "status": "affected",
              "version": "2d50acd7dbd0682a56968ad9551341d7fc5b6eaf",
              "versionType": "git"
            },
            {
              "lessThan": "e0ed5a36fb3ab9e7b9ee45cd17f09f6d5f594360",
              "status": "affected",
              "version": "aba41867dd66939d336fdf604e4d73b805d8039f",
              "versionType": "git"
            },
            {
              "lessThan": "d67dde02049e632ba58d3c44a164a74b6a737154",
              "status": "affected",
              "version": "d288dc74f8cf95cb7ae0aaf245b7128627a49bf3",
              "versionType": "git"
            },
            {
              "lessThan": "6a5da3fa80affc948923f20a4e086177f505e86e",
              "status": "affected",
              "version": "f0bd62b64016508938df9babe47f65c2c727d25c",
              "versionType": "git"
            },
            {
              "lessThan": "217d47255a2ec8b246f2725f5db9ac3f1d4109d7",
              "status": "affected",
              "version": "f0bd62b64016508938df9babe47f65c2c727d25c",
              "versionType": "git"
            },
            {
              "lessThan": "ef592bf2232a2daa9fffa8881881fc9957ea56e9",
              "status": "affected",
              "version": "f0bd62b64016508938df9babe47f65c2c727d25c",
              "versionType": "git"
            },
            {
              "lessThan": "ece3b981bb6620e47fac826a2156c090b1a936a0",
              "status": "affected",
              "version": "f0bd62b64016508938df9babe47f65c2c727d25c",
              "versionType": "git"
            },
            {
              "lessThan": "98e9d5e33bda8db875cc1a4fe99c192658e45ab6",
              "status": "affected",
              "version": "f0bd62b64016508938df9babe47f65c2c727d25c",
              "versionType": "git"
            },
            {
              "lessThan": "d2c04f20ccc6c0d219e6d3038bab45bc66a178ad",
              "status": "affected",
              "version": "f0bd62b64016508938df9babe47f65c2c727d25c",
              "versionType": "git"
            },
            {
              "lessThan": "05a1fc5efdd8560f34a3af39c9cf1e1526cc3ddf",
              "status": "affected",
              "version": "f0bd62b64016508938df9babe47f65c2c727d25c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/usb/endpoint.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.8"
            },
            {
              "lessThan": "5.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.4.*",
              "status": "unaffected",
              "version": "4.4.230",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.230",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.188",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.132",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.51",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.7.*",
              "status": "unaffected",
              "version": "5.7.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.4.230",
                  "versionStartIncluding": "4.4.229",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.230",
                  "versionStartIncluding": "4.9.229",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.188",
                  "versionStartIncluding": "4.14.186",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.132",
                  "versionStartIncluding": "4.19.130",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.51",
                  "versionStartIncluding": "5.4.49",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.7.8",
                  "versionStartIncluding": "5.7.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix potential overflow of PCM transfer buffer\n\nThe PCM stream data in USB-audio driver is transferred over USB URB\npacket buffers, and each packet size is determined dynamically.  The\npacket sizes are limited by some factors such as wMaxPacketSize USB\ndescriptor.  OTOH, in the current code, the actually used packet sizes\nare determined only by the rate and the PPS, which may be bigger than\nthe size limit above.  This results in a buffer overflow, as reported\nby syzbot.\n\nBasically when the limit is smaller than the calculated packet size,\nit implies that something is wrong, most likely a weird USB\ndescriptor.  So the best option would be just to return an error at\nthe parameter setup time before doing any further operations.\n\nThis patch introduces such a sanity check, and returns -EINVAL when\nthe packet size is greater than maxpacksize.  The comparison with\nep-\u003epacksize[1] alone should suffice since it\u0027s always equal or\ngreater than ep-\u003epacksize[0]."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:33:20.414Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/480a1490c595a242f27493a4544b3efb21b29f6a"
        },
        {
          "url": "https://git.kernel.org/stable/c/ab0b5e92fc36ee82c1bd01fe896d0f775ed5de41"
        },
        {
          "url": "https://git.kernel.org/stable/c/282aba56713bbc58155716b55ca7222b2d9cf3c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/c4dc012b027c9eb101583011089dea14d744e314"
        },
        {
          "url": "https://git.kernel.org/stable/c/e0ed5a36fb3ab9e7b9ee45cd17f09f6d5f594360"
        },
        {
          "url": "https://git.kernel.org/stable/c/d67dde02049e632ba58d3c44a164a74b6a737154"
        },
        {
          "url": "https://git.kernel.org/stable/c/6a5da3fa80affc948923f20a4e086177f505e86e"
        },
        {
          "url": "https://git.kernel.org/stable/c/217d47255a2ec8b246f2725f5db9ac3f1d4109d7"
        },
        {
          "url": "https://git.kernel.org/stable/c/ef592bf2232a2daa9fffa8881881fc9957ea56e9"
        },
        {
          "url": "https://git.kernel.org/stable/c/ece3b981bb6620e47fac826a2156c090b1a936a0"
        },
        {
          "url": "https://git.kernel.org/stable/c/98e9d5e33bda8db875cc1a4fe99c192658e45ab6"
        },
        {
          "url": "https://git.kernel.org/stable/c/d2c04f20ccc6c0d219e6d3038bab45bc66a178ad"
        },
        {
          "url": "https://git.kernel.org/stable/c/05a1fc5efdd8560f34a3af39c9cf1e1526cc3ddf"
        }
      ],
      "title": "ALSA: usb-audio: Fix potential overflow of PCM transfer buffer",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40269",
    "datePublished": "2025-12-06T21:50:50.229Z",
    "dateReserved": "2025-04-16T07:20:57.183Z",
    "dateUpdated": "2026-01-02T15:33:20.414Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40340 (GCVE-0-2025-40340)

Vulnerability from cvelistv5 – Published: 2025-12-09 04:09 – Updated: 2025-12-20 08:52

Title

drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test. I saw an oops in xe_gem_fault when running the xe-fast-feedback testlist against the realtime kernel without debug options enabled. The panic happens after core_hotunplug unbind-rebind finishes. Presumably what happens is that a process mmaps, unlocks because of the FAULT_FLAG_RETRY_NOWAIT logic, has no process memory left, causing ttm_bo_vm_dummy_page() to return VM_FAULT_NOPAGE, since there was nothing left to populate, and then oopses in "mem_type_is_vram(tbo->resource->mem_type)" because tbo->resource is NULL. It's convoluted, but fits the data and explains the oops after the test exits.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/99428bd6123d56762…
	https://git.kernel.org/stable/c/29a3064f9c5a908aa…
	https://git.kernel.org/stable/c/1cda3c755bb7770be…

Impacted products

Vendor

Product

Version

Linux

Affected: dd08ebf6c3525a7ea2186e636df064ea47281987 , < 99428bd6123d5676209dfb1d7a8f176cc830b665 (git)
Affected: dd08ebf6c3525a7ea2186e636df064ea47281987 , < 29a3064f9c5a908aaf0b39cd6ed30374db11840d (git)
Affected: dd08ebf6c3525a7ea2186e636df064ea47281987 , < 1cda3c755bb7770be07d75949bb0f45fb88651f6 (git)

Linux

Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/xe/xe_bo.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "99428bd6123d5676209dfb1d7a8f176cc830b665",
              "status": "affected",
              "version": "dd08ebf6c3525a7ea2186e636df064ea47281987",
              "versionType": "git"
            },
            {
              "lessThan": "29a3064f9c5a908aaf0b39cd6ed30374db11840d",
              "status": "affected",
              "version": "dd08ebf6c3525a7ea2186e636df064ea47281987",
              "versionType": "git"
            },
            {
              "lessThan": "1cda3c755bb7770be07d75949bb0f45fb88651f6",
              "status": "affected",
              "version": "dd08ebf6c3525a7ea2186e636df064ea47281987",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/xe/xe_bo.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.\n\nI saw an oops in xe_gem_fault when running the xe-fast-feedback\ntestlist against the realtime kernel without debug options enabled.\n\nThe panic happens after core_hotunplug unbind-rebind finishes.\nPresumably what happens is that a process mmaps, unlocks because\nof the FAULT_FLAG_RETRY_NOWAIT logic, has no process memory left,\ncausing ttm_bo_vm_dummy_page() to return VM_FAULT_NOPAGE, since\nthere was nothing left to populate, and then oopses in\n\"mem_type_is_vram(tbo-\u003eresource-\u003emem_type)\" because tbo-\u003eresource\nis NULL.\n\nIt\u0027s convoluted, but fits the data and explains the oops after\nthe test exits."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-20T08:52:11.372Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/99428bd6123d5676209dfb1d7a8f176cc830b665"
        },
        {
          "url": "https://git.kernel.org/stable/c/29a3064f9c5a908aaf0b39cd6ed30374db11840d"
        },
        {
          "url": "https://git.kernel.org/stable/c/1cda3c755bb7770be07d75949bb0f45fb88651f6"
        }
      ],
      "title": "drm/xe: Fix oops in xe_gem_fault when running core_hotunplug test.",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40340",
    "datePublished": "2025-12-09T04:09:57.059Z",
    "dateReserved": "2025-04-16T07:20:57.187Z",
    "dateUpdated": "2025-12-20T08:52:11.372Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68206 (GCVE-0-2025-68206)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:48 – Updated: 2026-01-08 09:50

Title

netfilter: nft_ct: add seqadj extension for natted connections

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: add seqadj extension for natted connections Sequence adjustment may be required for FTP traffic with PASV/EPSV modes. due to need to re-write packet payload (IP, port) on the ftp control connection. This can require changes to the TCP length and expected seq / ack_seq. The easiest way to reproduce this issue is with PASV mode. Example ruleset: table inet ftp_nat { ct helper ftp_helper { type "ftp" protocol tcp l3proto inet } chain prerouting { type filter hook prerouting priority 0; policy accept; tcp dport 21 ct state new ct helper set "ftp_helper" } } table ip nat { chain prerouting { type nat hook prerouting priority -100; policy accept; tcp dport 21 dnat ip prefix to ip daddr map { 192.168.100.1 : 192.168.13.2/32 } } chain postrouting { type nat hook postrouting priority 100 ; policy accept; tcp sport 21 snat ip prefix to ip saddr map { 192.168.13.2 : 192.168.100.1/32 } } } Note that the ftp helper gets assigned *after* the dnat setup. The inverse (nat after helper assign) is handled by an existing check in nf_nat_setup_info() and will not show the problem. Topoloy: +-------------------+ +----------------------------------+ | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 | +-------------------+ +----------------------------------+ | +-----------------------+ | Client: 192.168.100.2 | +-----------------------+ ftp nat changes do not work as expected in this case: Connected to 192.168.100.1. [..] ftp> epsv EPSV/EPRT on IPv4 off. ftp> ls 227 Entering passive mode (192,168,100,1,209,129). 421 Service not available, remote server has closed connection. Kernel logs: Missing nfct_seqadj_ext_add() setup call WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41 [..] __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat] nf_nat_ftp+0x142/0x280 [nf_nat_ftp] help+0x4d1/0x880 [nf_conntrack_ftp] nf_confirm+0x122/0x2e0 [nf_conntrack] nf_hook_slow+0x3c/0xb0 .. Fix this by adding the required extension when a conntrack helper is assigned to a connection that has a nat binding.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4ab2cd906e4e1a19d…
	https://git.kernel.org/stable/c/2b52d89cbbb0dbe3e…
	https://git.kernel.org/stable/c/90918e3b6404c2a37…

Impacted products

Vendor

Product

Version

Linux

Affected: 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 , < 4ab2cd906e4e1a19ddbda6eb532851b0e9cda110 (git)
Affected: 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 , < 2b52d89cbbb0dbe3e948d8d9a91e704316dccfe6 (git)
Affected: 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 , < 90918e3b6404c2a37837b8f11692471b4c512de2 (git)

Linux

Affected: 4.12
Unaffected: 0 , < 4.12 (semver)
Unaffected: 6.12.64 , ≤ 6.12.* (semver)
Unaffected: 6.17.9 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nft_ct.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4ab2cd906e4e1a19ddbda6eb532851b0e9cda110",
              "status": "affected",
              "version": "1a64edf54f55d7956cf5a0d95898bc1f84f9b818",
              "versionType": "git"
            },
            {
              "lessThan": "2b52d89cbbb0dbe3e948d8d9a91e704316dccfe6",
              "status": "affected",
              "version": "1a64edf54f55d7956cf5a0d95898bc1f84f9b818",
              "versionType": "git"
            },
            {
              "lessThan": "90918e3b6404c2a37837b8f11692471b4c512de2",
              "status": "affected",
              "version": "1a64edf54f55d7956cf5a0d95898bc1f84f9b818",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nft_ct.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.12"
            },
            {
              "lessThan": "4.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.64",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_ct: add seqadj extension for natted connections\n\nSequence adjustment may be required for FTP traffic with PASV/EPSV modes.\ndue to need to re-write packet payload (IP, port) on the ftp control\nconnection. This can require changes to the TCP length and expected\nseq / ack_seq.\n\nThe easiest way to reproduce this issue is with PASV mode.\nExample ruleset:\ntable inet ftp_nat {\n        ct helper ftp_helper {\n                type \"ftp\" protocol tcp\n                l3proto inet\n        }\n\n        chain prerouting {\n                type filter hook prerouting priority 0; policy accept;\n                tcp dport 21 ct state new ct helper set \"ftp_helper\"\n        }\n}\ntable ip nat {\n        chain prerouting {\n                type nat hook prerouting priority -100; policy accept;\n                tcp dport 21 dnat ip prefix to ip daddr map {\n\t\t\t192.168.100.1 : 192.168.13.2/32 }\n        }\n\n        chain postrouting {\n                type nat hook postrouting priority 100 ; policy accept;\n                tcp sport 21 snat ip prefix to ip saddr map {\n\t\t\t192.168.13.2 : 192.168.100.1/32 }\n        }\n}\n\nNote that the ftp helper gets assigned *after* the dnat setup.\n\nThe inverse (nat after helper assign) is handled by an existing\ncheck in nf_nat_setup_info() and will not show the problem.\n\nTopoloy:\n\n +-------------------+     +----------------------------------+\n | FTP: 192.168.13.2 | \u003c-\u003e | NAT: 192.168.13.3, 192.168.100.1 |\n +-------------------+     +----------------------------------+\n                                      |\n                         +-----------------------+\n                         | Client: 192.168.100.2 |\n                         +-----------------------+\n\nftp nat changes do not work as expected in this case:\nConnected to 192.168.100.1.\n[..]\nftp\u003e epsv\nEPSV/EPRT on IPv4 off.\nftp\u003e ls\n227 Entering passive mode (192,168,100,1,209,129).\n421 Service not available, remote server has closed connection.\n\nKernel logs:\nMissing nfct_seqadj_ext_add() setup call\nWARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41\n[..]\n __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]\n nf_nat_ftp+0x142/0x280 [nf_nat_ftp]\n help+0x4d1/0x880 [nf_conntrack_ftp]\n nf_confirm+0x122/0x2e0 [nf_conntrack]\n nf_hook_slow+0x3c/0xb0\n ..\n\nFix this by adding the required extension when a conntrack helper is assigned\nto a connection that has a nat binding."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-08T09:50:22.711Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4ab2cd906e4e1a19ddbda6eb532851b0e9cda110"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b52d89cbbb0dbe3e948d8d9a91e704316dccfe6"
        },
        {
          "url": "https://git.kernel.org/stable/c/90918e3b6404c2a37837b8f11692471b4c512de2"
        }
      ],
      "title": "netfilter: nft_ct: add seqadj extension for natted connections",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68206",
    "datePublished": "2025-12-16T13:48:33.763Z",
    "dateReserved": "2025-12-16T13:41:40.255Z",
    "dateUpdated": "2026-01-08T09:50:22.711Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68328 (GCVE-0-2025-68328)

Vulnerability from cvelistv5 – Published: 2025-12-22 16:12 – Updated: 2025-12-22 16:14

Title

firmware: stratix10-svc: fix bug in saving controller data

Summary

In the Linux kernel, the following vulnerability has been resolved: firmware: stratix10-svc: fix bug in saving controller data Fix the incorrect usage of platform_set_drvdata and dev_set_drvdata. They both are of the same data and overrides each other. This resulted in the rmmod of the svc driver to fail and throw a kernel panic for kthread_stop and fifo free.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/9d0a330abd9e49bce…
	https://git.kernel.org/stable/c/354fb03002da0970d…
	https://git.kernel.org/stable/c/b359df793f609b1ef…
	https://git.kernel.org/stable/c/71796c91ee8e33faf…
	https://git.kernel.org/stable/c/60ab1851614e60073…
	https://git.kernel.org/stable/c/bd226fa02ed6db6fc…
	https://git.kernel.org/stable/c/d0fcf70c680e4d166…

Impacted products

Vendor

Product

Version

Linux

Affected: b5dc75c915cdaebab9b9875022e45638d6b14a7e , < 9d0a330abd9e49bcebf6307aac185081bde49a43 (git)
Affected: b5dc75c915cdaebab9b9875022e45638d6b14a7e , < 354fb03002da0970d337f0d3edbeb46cc4fa6f41 (git)
Affected: b5dc75c915cdaebab9b9875022e45638d6b14a7e , < b359df793f609b1efce31dadfe6883ec73852619 (git)
Affected: b5dc75c915cdaebab9b9875022e45638d6b14a7e , < 71796c91ee8e33faf4434a9e210b5063c28ea907 (git)
Affected: b5dc75c915cdaebab9b9875022e45638d6b14a7e , < 60ab1851614e6007344042b66da6e31d1cc26cb3 (git)
Affected: b5dc75c915cdaebab9b9875022e45638d6b14a7e , < bd226fa02ed6db6fce0fae010802f0950fd14fb9 (git)
Affected: b5dc75c915cdaebab9b9875022e45638d6b14a7e , < d0fcf70c680e4d1669fcb3a8632f41400b9a73c2 (git)

Linux

Affected: 5.4
Unaffected: 0 , < 5.4 (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.119 , ≤ 6.6.* (semver)
Unaffected: 6.12.61 , ≤ 6.12.* (semver)
Unaffected: 6.17.11 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/firmware/stratix10-svc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9d0a330abd9e49bcebf6307aac185081bde49a43",
              "status": "affected",
              "version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
              "versionType": "git"
            },
            {
              "lessThan": "354fb03002da0970d337f0d3edbeb46cc4fa6f41",
              "status": "affected",
              "version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
              "versionType": "git"
            },
            {
              "lessThan": "b359df793f609b1efce31dadfe6883ec73852619",
              "status": "affected",
              "version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
              "versionType": "git"
            },
            {
              "lessThan": "71796c91ee8e33faf4434a9e210b5063c28ea907",
              "status": "affected",
              "version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
              "versionType": "git"
            },
            {
              "lessThan": "60ab1851614e6007344042b66da6e31d1cc26cb3",
              "status": "affected",
              "version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
              "versionType": "git"
            },
            {
              "lessThan": "bd226fa02ed6db6fce0fae010802f0950fd14fb9",
              "status": "affected",
              "version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
              "versionType": "git"
            },
            {
              "lessThan": "d0fcf70c680e4d1669fcb3a8632f41400b9a73c2",
              "status": "affected",
              "version": "b5dc75c915cdaebab9b9875022e45638d6b14a7e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/firmware/stratix10-svc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.4"
            },
            {
              "lessThan": "5.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.119",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.119",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.61",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.11",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: stratix10-svc: fix bug in saving controller data\n\nFix the incorrect usage of platform_set_drvdata and dev_set_drvdata. They\nboth are of the same data and overrides each other. This resulted in the\nrmmod of the svc driver to fail and throw a kernel panic for kthread_stop\nand fifo free."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-22T16:14:00.130Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9d0a330abd9e49bcebf6307aac185081bde49a43"
        },
        {
          "url": "https://git.kernel.org/stable/c/354fb03002da0970d337f0d3edbeb46cc4fa6f41"
        },
        {
          "url": "https://git.kernel.org/stable/c/b359df793f609b1efce31dadfe6883ec73852619"
        },
        {
          "url": "https://git.kernel.org/stable/c/71796c91ee8e33faf4434a9e210b5063c28ea907"
        },
        {
          "url": "https://git.kernel.org/stable/c/60ab1851614e6007344042b66da6e31d1cc26cb3"
        },
        {
          "url": "https://git.kernel.org/stable/c/bd226fa02ed6db6fce0fae010802f0950fd14fb9"
        },
        {
          "url": "https://git.kernel.org/stable/c/d0fcf70c680e4d1669fcb3a8632f41400b9a73c2"
        }
      ],
      "title": "firmware: stratix10-svc: fix bug in saving controller data",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68328",
    "datePublished": "2025-12-22T16:12:22.218Z",
    "dateReserved": "2025-12-16T14:48:05.296Z",
    "dateUpdated": "2025-12-22T16:14:00.130Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50641 (GCVE-0-2022-50641)

Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00

Title

HSI: omap_ssi: Fix refcount leak in ssi_probe

Summary

In the Linux kernel, the following vulnerability has been resolved: HSI: omap_ssi: Fix refcount leak in ssi_probe When returning or breaking early from a for_each_available_child_of_node() loop, we need to explicitly call of_node_put() on the child node to possibly release the node.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/20fbaff6699ea5553…
	https://git.kernel.org/stable/c/18e199a5541aad6dc…
	https://git.kernel.org/stable/c/e8a218c17d7c5c42d…
	https://git.kernel.org/stable/c/aa9c0598b10960ad1…
	https://git.kernel.org/stable/c/962f22e7f7698f771…
	https://git.kernel.org/stable/c/691f23a8475f04c98…
	https://git.kernel.org/stable/c/e25f56f8bdf66126a…
	https://git.kernel.org/stable/c/0eff9ef67d91e350d…
	https://git.kernel.org/stable/c/9a2ea132df860177b…

Impacted products

Vendor

Product

Version

Linux

Affected: b209e047bc743247f74ce79e8827ae1ed556bae0 , < 20fbaff6699ea5553c67550e867d6f90b7085447 (git)
Affected: b209e047bc743247f74ce79e8827ae1ed556bae0 , < 18e199a5541aad6dc5cf51bc3f712247b2d17894 (git)
Affected: b209e047bc743247f74ce79e8827ae1ed556bae0 , < e8a218c17d7c5c42d5609ef92d339b47f3d11d02 (git)
Affected: b209e047bc743247f74ce79e8827ae1ed556bae0 , < aa9c0598b10960ad1198044da1e277a89b4e3af6 (git)
Affected: b209e047bc743247f74ce79e8827ae1ed556bae0 , < 962f22e7f7698f7718d95bd9b63e41fb8cca01a9 (git)
Affected: b209e047bc743247f74ce79e8827ae1ed556bae0 , < 691f23a8475f04c988f7e98066b084e996b40fa0 (git)
Affected: b209e047bc743247f74ce79e8827ae1ed556bae0 , < e25f56f8bdf66126a54b5a88bc021c82bfb50b75 (git)
Affected: b209e047bc743247f74ce79e8827ae1ed556bae0 , < 0eff9ef67d91e350d2047c3e13b6c3b7d0c90bf4 (git)
Affected: b209e047bc743247f74ce79e8827ae1ed556bae0 , < 9a2ea132df860177b33c9fd421b26c4e9a0a9396 (git)

Linux

Affected: 3.16
Unaffected: 0 , < 3.16 (semver)
Unaffected: 4.9.331 , ≤ 4.9.* (semver)
Unaffected: 4.14.296 , ≤ 4.14.* (semver)
Unaffected: 4.19.262 , ≤ 4.19.* (semver)
Unaffected: 5.4.220 , ≤ 5.4.* (semver)
Unaffected: 5.10.150 , ≤ 5.10.* (semver)
Unaffected: 5.15.75 , ≤ 5.15.* (semver)
Unaffected: 5.19.17 , ≤ 5.19.* (semver)
Unaffected: 6.0.3 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hsi/controllers/omap_ssi_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "20fbaff6699ea5553c67550e867d6f90b7085447",
              "status": "affected",
              "version": "b209e047bc743247f74ce79e8827ae1ed556bae0",
              "versionType": "git"
            },
            {
              "lessThan": "18e199a5541aad6dc5cf51bc3f712247b2d17894",
              "status": "affected",
              "version": "b209e047bc743247f74ce79e8827ae1ed556bae0",
              "versionType": "git"
            },
            {
              "lessThan": "e8a218c17d7c5c42d5609ef92d339b47f3d11d02",
              "status": "affected",
              "version": "b209e047bc743247f74ce79e8827ae1ed556bae0",
              "versionType": "git"
            },
            {
              "lessThan": "aa9c0598b10960ad1198044da1e277a89b4e3af6",
              "status": "affected",
              "version": "b209e047bc743247f74ce79e8827ae1ed556bae0",
              "versionType": "git"
            },
            {
              "lessThan": "962f22e7f7698f7718d95bd9b63e41fb8cca01a9",
              "status": "affected",
              "version": "b209e047bc743247f74ce79e8827ae1ed556bae0",
              "versionType": "git"
            },
            {
              "lessThan": "691f23a8475f04c988f7e98066b084e996b40fa0",
              "status": "affected",
              "version": "b209e047bc743247f74ce79e8827ae1ed556bae0",
              "versionType": "git"
            },
            {
              "lessThan": "e25f56f8bdf66126a54b5a88bc021c82bfb50b75",
              "status": "affected",
              "version": "b209e047bc743247f74ce79e8827ae1ed556bae0",
              "versionType": "git"
            },
            {
              "lessThan": "0eff9ef67d91e350d2047c3e13b6c3b7d0c90bf4",
              "status": "affected",
              "version": "b209e047bc743247f74ce79e8827ae1ed556bae0",
              "versionType": "git"
            },
            {
              "lessThan": "9a2ea132df860177b33c9fd421b26c4e9a0a9396",
              "status": "affected",
              "version": "b209e047bc743247f74ce79e8827ae1ed556bae0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hsi/controllers/omap_ssi_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.16"
            },
            {
              "lessThan": "3.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.331",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.262",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.220",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.331",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.296",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.262",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.220",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.150",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.75",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHSI: omap_ssi: Fix refcount leak in ssi_probe\n\nWhen returning or breaking early from a\nfor_each_available_child_of_node() loop, we need to explicitly call\nof_node_put() on the child node to possibly release the node."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T00:00:15.268Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/20fbaff6699ea5553c67550e867d6f90b7085447"
        },
        {
          "url": "https://git.kernel.org/stable/c/18e199a5541aad6dc5cf51bc3f712247b2d17894"
        },
        {
          "url": "https://git.kernel.org/stable/c/e8a218c17d7c5c42d5609ef92d339b47f3d11d02"
        },
        {
          "url": "https://git.kernel.org/stable/c/aa9c0598b10960ad1198044da1e277a89b4e3af6"
        },
        {
          "url": "https://git.kernel.org/stable/c/962f22e7f7698f7718d95bd9b63e41fb8cca01a9"
        },
        {
          "url": "https://git.kernel.org/stable/c/691f23a8475f04c988f7e98066b084e996b40fa0"
        },
        {
          "url": "https://git.kernel.org/stable/c/e25f56f8bdf66126a54b5a88bc021c82bfb50b75"
        },
        {
          "url": "https://git.kernel.org/stable/c/0eff9ef67d91e350d2047c3e13b6c3b7d0c90bf4"
        },
        {
          "url": "https://git.kernel.org/stable/c/9a2ea132df860177b33c9fd421b26c4e9a0a9396"
        }
      ],
      "title": "HSI: omap_ssi: Fix refcount leak in ssi_probe",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50641",
    "datePublished": "2025-12-09T00:00:15.268Z",
    "dateReserved": "2025-12-08T23:57:43.370Z",
    "dateUpdated": "2025-12-09T00:00:15.268Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68192 (GCVE-0-2025-68192)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:43 – Updated: 2025-12-16 13:43

Title

net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup

Summary

In the Linux kernel, the following vulnerability has been resolved: net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup Raw IP packets have no MAC header, leaving skb->mac_header uninitialized. This can trigger kernel panics on ARM64 when xfrm or other subsystems access the offset due to strict alignment checks. Initialize the MAC header to prevent such crashes. This can trigger kernel panics on ARM when running IPsec over the qmimux0 interface. Example trace: Internal error: Oops: 000000009600004f [#1] SMP CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1 Hardware name: LS1028A RDB Board (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : xfrm_input+0xde8/0x1318 lr : xfrm_input+0x61c/0x1318 sp : ffff800080003b20 Call trace: xfrm_input+0xde8/0x1318 xfrm6_rcv+0x38/0x44 xfrm6_esp_rcv+0x48/0xa8 ip6_protocol_deliver_rcu+0x94/0x4b0 ip6_input_finish+0x44/0x70 ip6_input+0x44/0xc0 ipv6_rcv+0x6c/0x114 __netif_receive_skb_one_core+0x5c/0x8c __netif_receive_skb+0x18/0x60 process_backlog+0x78/0x17c __napi_poll+0x38/0x180 net_rx_action+0x168/0x2f0

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d693c47fb902b988f…
	https://git.kernel.org/stable/c/0aabccdcec1f4a36f…
	https://git.kernel.org/stable/c/4e6b9004f01d0fef5…
	https://git.kernel.org/stable/c/bf527b80b80a282ab…
	https://git.kernel.org/stable/c/dd03780c29f87c26c…
	https://git.kernel.org/stable/c/ae811175cea35b03a…
	https://git.kernel.org/stable/c/8ab3b8f958d861a7f…
	https://git.kernel.org/stable/c/e120f46768d98151e…

Impacted products

Vendor

Product

Version

Linux

Affected: c6adf77953bcec0ad63d7782479452464e50f7a3 , < d693c47fb902b988f5752182e4f7fbde5e6dcaf9 (git)
Affected: c6adf77953bcec0ad63d7782479452464e50f7a3 , < 0aabccdcec1f4a36f95829ea2263f845bbc77223 (git)
Affected: c6adf77953bcec0ad63d7782479452464e50f7a3 , < 4e6b9004f01d0fef5b19778399bc5bf55f8c2d71 (git)
Affected: c6adf77953bcec0ad63d7782479452464e50f7a3 , < bf527b80b80a282ab5bf1540546211fc35e5cd42 (git)
Affected: c6adf77953bcec0ad63d7782479452464e50f7a3 , < dd03780c29f87c26c0e0bb7e0db528c8109461fb (git)
Affected: c6adf77953bcec0ad63d7782479452464e50f7a3 , < ae811175cea35b03ac6d7c910f43a82a43b9c3b3 (git)
Affected: c6adf77953bcec0ad63d7782479452464e50f7a3 , < 8ab3b8f958d861a7f725a5be60769106509fbd69 (git)
Affected: c6adf77953bcec0ad63d7782479452464e50f7a3 , < e120f46768d98151ece8756ebd688b0e43dc8b29 (git)

Linux

Affected: 4.12
Unaffected: 0 , < 4.12 (semver)
Unaffected: 5.4.302 , ≤ 5.4.* (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/usb/qmi_wwan.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d693c47fb902b988f5752182e4f7fbde5e6dcaf9",
              "status": "affected",
              "version": "c6adf77953bcec0ad63d7782479452464e50f7a3",
              "versionType": "git"
            },
            {
              "lessThan": "0aabccdcec1f4a36f95829ea2263f845bbc77223",
              "status": "affected",
              "version": "c6adf77953bcec0ad63d7782479452464e50f7a3",
              "versionType": "git"
            },
            {
              "lessThan": "4e6b9004f01d0fef5b19778399bc5bf55f8c2d71",
              "status": "affected",
              "version": "c6adf77953bcec0ad63d7782479452464e50f7a3",
              "versionType": "git"
            },
            {
              "lessThan": "bf527b80b80a282ab5bf1540546211fc35e5cd42",
              "status": "affected",
              "version": "c6adf77953bcec0ad63d7782479452464e50f7a3",
              "versionType": "git"
            },
            {
              "lessThan": "dd03780c29f87c26c0e0bb7e0db528c8109461fb",
              "status": "affected",
              "version": "c6adf77953bcec0ad63d7782479452464e50f7a3",
              "versionType": "git"
            },
            {
              "lessThan": "ae811175cea35b03ac6d7c910f43a82a43b9c3b3",
              "status": "affected",
              "version": "c6adf77953bcec0ad63d7782479452464e50f7a3",
              "versionType": "git"
            },
            {
              "lessThan": "8ab3b8f958d861a7f725a5be60769106509fbd69",
              "status": "affected",
              "version": "c6adf77953bcec0ad63d7782479452464e50f7a3",
              "versionType": "git"
            },
            {
              "lessThan": "e120f46768d98151ece8756ebd688b0e43dc8b29",
              "status": "affected",
              "version": "c6adf77953bcec0ad63d7782479452464e50f7a3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/usb/qmi_wwan.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.12"
            },
            {
              "lessThan": "4.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.302",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.302",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup\n\nRaw IP packets have no MAC header, leaving skb-\u003emac_header uninitialized.\nThis can trigger kernel panics on ARM64 when xfrm or other subsystems\naccess the offset due to strict alignment checks.\n\nInitialize the MAC header to prevent such crashes.\n\nThis can trigger kernel panics on ARM when running IPsec over the\nqmimux0 interface.\n\nExample trace:\n\n    Internal error: Oops: 000000009600004f [#1] SMP\n    CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1\n    Hardware name: LS1028A RDB Board (DT)\n    pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n    pc : xfrm_input+0xde8/0x1318\n    lr : xfrm_input+0x61c/0x1318\n    sp : ffff800080003b20\n    Call trace:\n     xfrm_input+0xde8/0x1318\n     xfrm6_rcv+0x38/0x44\n     xfrm6_esp_rcv+0x48/0xa8\n     ip6_protocol_deliver_rcu+0x94/0x4b0\n     ip6_input_finish+0x44/0x70\n     ip6_input+0x44/0xc0\n     ipv6_rcv+0x6c/0x114\n     __netif_receive_skb_one_core+0x5c/0x8c\n     __netif_receive_skb+0x18/0x60\n     process_backlog+0x78/0x17c\n     __napi_poll+0x38/0x180\n     net_rx_action+0x168/0x2f0"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T13:43:18.858Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d693c47fb902b988f5752182e4f7fbde5e6dcaf9"
        },
        {
          "url": "https://git.kernel.org/stable/c/0aabccdcec1f4a36f95829ea2263f845bbc77223"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e6b9004f01d0fef5b19778399bc5bf55f8c2d71"
        },
        {
          "url": "https://git.kernel.org/stable/c/bf527b80b80a282ab5bf1540546211fc35e5cd42"
        },
        {
          "url": "https://git.kernel.org/stable/c/dd03780c29f87c26c0e0bb7e0db528c8109461fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/ae811175cea35b03ac6d7c910f43a82a43b9c3b3"
        },
        {
          "url": "https://git.kernel.org/stable/c/8ab3b8f958d861a7f725a5be60769106509fbd69"
        },
        {
          "url": "https://git.kernel.org/stable/c/e120f46768d98151ece8756ebd688b0e43dc8b29"
        }
      ],
      "title": "net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68192",
    "datePublished": "2025-12-16T13:43:18.858Z",
    "dateReserved": "2025-12-16T13:41:40.253Z",
    "dateUpdated": "2025-12-16T13:43:18.858Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50282 (GCVE-0-2022-50282)

Vulnerability from cvelistv5 – Published: 2025-09-15 14:21 – Updated: 2025-09-15 14:21

Title

chardev: fix error handling in cdev_device_add()

Summary

In the Linux kernel, the following vulnerability has been resolved: chardev: fix error handling in cdev_device_add() While doing fault injection test, I got the following report: ------------[ cut here ]------------ kobject: '(null)' (0000000039956980): is not initialized, yet kobject_put() is being called. WARNING: CPU: 3 PID: 6306 at kobject_put+0x23d/0x4e0 CPU: 3 PID: 6306 Comm: 283 Tainted: G W 6.1.0-rc2-00005-g307c1086d7c9 #1253 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:kobject_put+0x23d/0x4e0 Call Trace: <TASK> cdev_device_add+0x15e/0x1b0 __iio_device_register+0x13b4/0x1af0 [industrialio] __devm_iio_device_register+0x22/0x90 [industrialio] max517_probe+0x3d8/0x6b4 [max517] i2c_device_probe+0xa81/0xc00 When device_add() is injected fault and returns error, if dev->devt is not set, cdev_add() is not called, cdev_del() is not needed. Fix this by checking dev->devt in error path.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/5d2146889fad4cb9e…
	https://git.kernel.org/stable/c/6acf8597c5b04f455…
	https://git.kernel.org/stable/c/34d17b39bceef25e4…
	https://git.kernel.org/stable/c/d85b5247a79355b84…
	https://git.kernel.org/stable/c/c46db6088bccff511…
	https://git.kernel.org/stable/c/28dc61cc49c6e9951…
	https://git.kernel.org/stable/c/b5de1eac71fec1af7…
	https://git.kernel.org/stable/c/85a5660491b507d33…
	https://git.kernel.org/stable/c/11fa7fefe3d8fac7d…

Impacted products

Vendor

Product

Version

Linux

Affected: da97a80a657d1b1b50ef633e8ff5dbf0d417fc8d , < 5d2146889fad4cb9e6c13e790d4cfd871486eca8 (git)
Affected: 233ed09d7fdacf592ee91e6c97ce5f4364fbe7c0 , < 6acf8597c5b04f455ee0649e11e5f3bcd28f381e (git)
Affected: 233ed09d7fdacf592ee91e6c97ce5f4364fbe7c0 , < 34d17b39bceef25e4cf9805cd59250ae05d0a139 (git)
Affected: 233ed09d7fdacf592ee91e6c97ce5f4364fbe7c0 , < d85b5247a79355b8432bfd9ac871f96117f750d4 (git)
Affected: 233ed09d7fdacf592ee91e6c97ce5f4364fbe7c0 , < c46db6088bccff5115674d583fef46ede80077a2 (git)
Affected: 233ed09d7fdacf592ee91e6c97ce5f4364fbe7c0 , < 28dc61cc49c6e995121c6d86bef4b73df78dda80 (git)
Affected: 233ed09d7fdacf592ee91e6c97ce5f4364fbe7c0 , < b5de1eac71fec1af7723f1083d23a24789fd795c (git)
Affected: 233ed09d7fdacf592ee91e6c97ce5f4364fbe7c0 , < 85a5660491b507d33662b8e81c142e6041e642eb (git)
Affected: 233ed09d7fdacf592ee91e6c97ce5f4364fbe7c0 , < 11fa7fefe3d8fac7da56bc9aa3dd5fb3081ca797 (git)
Affected: f78b54e7d83c7879f9a6e49e6724019ca34177cc (git)
Affected: d79d7d5c878809964da537336dad5ff55fa1605e (git)

Linux

Affected: 4.12
Unaffected: 0 , < 4.12 (semver)
Unaffected: 4.9.337 , ≤ 4.9.* (semver)
Unaffected: 4.14.303 , ≤ 4.14.* (semver)
Unaffected: 4.19.270 , ≤ 4.19.* (semver)
Unaffected: 5.4.229 , ≤ 5.4.* (semver)
Unaffected: 5.10.163 , ≤ 5.10.* (semver)
Unaffected: 5.15.86 , ≤ 5.15.* (semver)
Unaffected: 6.0.16 , ≤ 6.0.* (semver)
Unaffected: 6.1.2 , ≤ 6.1.* (semver)
Unaffected: 6.2 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/char_dev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5d2146889fad4cb9e6c13e790d4cfd871486eca8",
              "status": "affected",
              "version": "da97a80a657d1b1b50ef633e8ff5dbf0d417fc8d",
              "versionType": "git"
            },
            {
              "lessThan": "6acf8597c5b04f455ee0649e11e5f3bcd28f381e",
              "status": "affected",
              "version": "233ed09d7fdacf592ee91e6c97ce5f4364fbe7c0",
              "versionType": "git"
            },
            {
              "lessThan": "34d17b39bceef25e4cf9805cd59250ae05d0a139",
              "status": "affected",
              "version": "233ed09d7fdacf592ee91e6c97ce5f4364fbe7c0",
              "versionType": "git"
            },
            {
              "lessThan": "d85b5247a79355b8432bfd9ac871f96117f750d4",
              "status": "affected",
              "version": "233ed09d7fdacf592ee91e6c97ce5f4364fbe7c0",
              "versionType": "git"
            },
            {
              "lessThan": "c46db6088bccff5115674d583fef46ede80077a2",
              "status": "affected",
              "version": "233ed09d7fdacf592ee91e6c97ce5f4364fbe7c0",
              "versionType": "git"
            },
            {
              "lessThan": "28dc61cc49c6e995121c6d86bef4b73df78dda80",
              "status": "affected",
              "version": "233ed09d7fdacf592ee91e6c97ce5f4364fbe7c0",
              "versionType": "git"
            },
            {
              "lessThan": "b5de1eac71fec1af7723f1083d23a24789fd795c",
              "status": "affected",
              "version": "233ed09d7fdacf592ee91e6c97ce5f4364fbe7c0",
              "versionType": "git"
            },
            {
              "lessThan": "85a5660491b507d33662b8e81c142e6041e642eb",
              "status": "affected",
              "version": "233ed09d7fdacf592ee91e6c97ce5f4364fbe7c0",
              "versionType": "git"
            },
            {
              "lessThan": "11fa7fefe3d8fac7da56bc9aa3dd5fb3081ca797",
              "status": "affected",
              "version": "233ed09d7fdacf592ee91e6c97ce5f4364fbe7c0",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "f78b54e7d83c7879f9a6e49e6724019ca34177cc",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d79d7d5c878809964da537336dad5ff55fa1605e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/char_dev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.12"
            },
            {
              "lessThan": "4.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.337",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.303",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.270",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.229",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.163",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.337",
                  "versionStartIncluding": "4.9.224",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.303",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.270",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.229",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.163",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.86",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.16",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.2",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.16.83",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.4.224",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nchardev: fix error handling in cdev_device_add()\n\nWhile doing fault injection test, I got the following report:\n\n------------[ cut here ]------------\nkobject: \u0027(null)\u0027 (0000000039956980): is not initialized, yet kobject_put() is being called.\nWARNING: CPU: 3 PID: 6306 at kobject_put+0x23d/0x4e0\nCPU: 3 PID: 6306 Comm: 283 Tainted: G        W          6.1.0-rc2-00005-g307c1086d7c9 #1253\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nRIP: 0010:kobject_put+0x23d/0x4e0\nCall Trace:\n \u003cTASK\u003e\n cdev_device_add+0x15e/0x1b0\n __iio_device_register+0x13b4/0x1af0 [industrialio]\n __devm_iio_device_register+0x22/0x90 [industrialio]\n max517_probe+0x3d8/0x6b4 [max517]\n i2c_device_probe+0xa81/0xc00\n\nWhen device_add() is injected fault and returns error, if dev-\u003edevt is not set,\ncdev_add() is not called, cdev_del() is not needed. Fix this by checking dev-\u003edevt\nin error path."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-15T14:21:18.658Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5d2146889fad4cb9e6c13e790d4cfd871486eca8"
        },
        {
          "url": "https://git.kernel.org/stable/c/6acf8597c5b04f455ee0649e11e5f3bcd28f381e"
        },
        {
          "url": "https://git.kernel.org/stable/c/34d17b39bceef25e4cf9805cd59250ae05d0a139"
        },
        {
          "url": "https://git.kernel.org/stable/c/d85b5247a79355b8432bfd9ac871f96117f750d4"
        },
        {
          "url": "https://git.kernel.org/stable/c/c46db6088bccff5115674d583fef46ede80077a2"
        },
        {
          "url": "https://git.kernel.org/stable/c/28dc61cc49c6e995121c6d86bef4b73df78dda80"
        },
        {
          "url": "https://git.kernel.org/stable/c/b5de1eac71fec1af7723f1083d23a24789fd795c"
        },
        {
          "url": "https://git.kernel.org/stable/c/85a5660491b507d33662b8e81c142e6041e642eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/11fa7fefe3d8fac7da56bc9aa3dd5fb3081ca797"
        }
      ],
      "title": "chardev: fix error handling in cdev_device_add()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50282",
    "datePublished": "2025-09-15T14:21:18.658Z",
    "dateReserved": "2025-09-15T13:58:00.976Z",
    "dateUpdated": "2025-09-15T14:21:18.658Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-40225 (GCVE-0-2025-40225)

Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2025-12-04 15:31

Title

drm/panthor: Fix kernel panic on partial unmap of a GPU VA region

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Fix kernel panic on partial unmap of a GPU VA region This commit address a kernel panic issue that can happen if Userspace tries to partially unmap a GPU virtual region (aka drm_gpuva). The VM_BIND interface allows partial unmapping of a BO. Panthor driver pre-allocates memory for the new drm_gpuva structures that would be needed for the map/unmap operation, done using drm_gpuvm layer. It expected that only one new drm_gpuva would be needed on umap but a partial unmap can require 2 new drm_gpuva and that's why it ended up doing a NULL pointer dereference causing a kernel panic. Following dump was seen when partial unmap was exercised. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000078 Mem abort info: ESR = 0x0000000096000046 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault Data abort info: ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000 CM = 0, WnR = 1, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=000000088a863000 [000000000000078] pgd=080000088a842003, p4d=080000088a842003, pud=0800000884bf5003, pmd=0000000000000000 Internal error: Oops: 0000000096000046 [#1] PREEMPT SMP <snip> pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor] lr : panthor_gpuva_sm_step_remap+0x6c/0x330 [panthor] sp : ffff800085d43970 x29: ffff800085d43970 x28: ffff00080363e440 x27: ffff0008090c6000 x26: 0000000000000030 x25: ffff800085d439f8 x24: ffff00080d402000 x23: ffff800085d43b60 x22: ffff800085d439e0 x21: ffff00080abdb180 x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000010 x17: 6e656c202c303030 x16: 3666666666646466 x15: 393d61766f69202c x14: 312d3d7361203a70 x13: 303030323d6e656c x12: ffff80008324bf58 x11: 0000000000000003 x10: 0000000000000002 x9 : ffff8000801a6a9c x8 : ffff00080360b300 x7 : 0000000000000000 x6 : 000000088aa35fc7 x5 : fff1000080000000 x4 : ffff8000842ddd30 x3 : 0000000000000001 x2 : 0000000100000000 x1 : 0000000000000001 x0 : 0000000000000078 Call trace: panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor] op_remap_cb.isra.22+0x50/0x80 __drm_gpuvm_sm_unmap+0x10c/0x1c8 drm_gpuvm_sm_unmap+0x40/0x60 panthor_vm_exec_op+0xb4/0x3d0 [panthor] panthor_vm_bind_exec_sync_op+0x154/0x278 [panthor] panthor_ioctl_vm_bind+0x160/0x4a0 [panthor] drm_ioctl_kernel+0xbc/0x138 drm_ioctl+0x240/0x500 __arm64_sys_ioctl+0xb0/0xf8 invoke_syscall+0x4c/0x110 el0_svc_common.constprop.1+0x98/0xf8 do_el0_svc+0x24/0x38 el0_svc+0x40/0xf8 el0t_64_sync_handler+0xa0/0xc8 el0t_64_sync+0x174/0x178

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/efe6dced3512066eb…
	https://git.kernel.org/stable/c/e9c19d19dd7e08db8…
	https://git.kernel.org/stable/c/4eabd0d8791eaf9a7…

Impacted products

Vendor

Product

Version

Linux

Affected: 647810ec247641eb5aec8caef818919a4518a0b1 , < efe6dced3512066ebee2cf7c4c38d1c99625814e (git)
Affected: 647810ec247641eb5aec8caef818919a4518a0b1 , < e9c19d19dd7e08db89cead5b0337c18590dc6645 (git)
Affected: 647810ec247641eb5aec8caef818919a4518a0b1 , < 4eabd0d8791eaf9a7b114ccbf56eb488aefe7b1f (git)

Linux

Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.12.56 , ≤ 6.12.* (semver)
Unaffected: 6.17.6 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/panthor/panthor_mmu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "efe6dced3512066ebee2cf7c4c38d1c99625814e",
              "status": "affected",
              "version": "647810ec247641eb5aec8caef818919a4518a0b1",
              "versionType": "git"
            },
            {
              "lessThan": "e9c19d19dd7e08db89cead5b0337c18590dc6645",
              "status": "affected",
              "version": "647810ec247641eb5aec8caef818919a4518a0b1",
              "versionType": "git"
            },
            {
              "lessThan": "4eabd0d8791eaf9a7b114ccbf56eb488aefe7b1f",
              "status": "affected",
              "version": "647810ec247641eb5aec8caef818919a4518a0b1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/panthor/panthor_mmu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.56",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.56",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.6",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panthor: Fix kernel panic on partial unmap of a GPU VA region\n\nThis commit address a kernel panic issue that can happen if Userspace\ntries to partially unmap a GPU virtual region (aka drm_gpuva).\nThe VM_BIND interface allows partial unmapping of a BO.\n\nPanthor driver pre-allocates memory for the new drm_gpuva structures\nthat would be needed for the map/unmap operation, done using drm_gpuvm\nlayer. It expected that only one new drm_gpuva would be needed on umap\nbut a partial unmap can require 2 new drm_gpuva and that\u0027s why it\nended up doing a NULL pointer dereference causing a kernel panic.\n\nFollowing dump was seen when partial unmap was exercised.\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000078\n Mem abort info:\n   ESR = 0x0000000096000046\n   EC = 0x25: DABT (current EL), IL = 32 bits\n   SET = 0, FnV = 0\n   EA = 0, S1PTW = 0\n   FSC = 0x06: level 2 translation fault\n Data abort info:\n   ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000\n   CM = 0, WnR = 1, TnD = 0, TagAccess = 0\n   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n user pgtable: 4k pages, 48-bit VAs, pgdp=000000088a863000\n [000000000000078] pgd=080000088a842003, p4d=080000088a842003, pud=0800000884bf5003, pmd=0000000000000000\n Internal error: Oops: 0000000096000046 [#1] PREEMPT SMP\n \u003csnip\u003e\n pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]\n lr : panthor_gpuva_sm_step_remap+0x6c/0x330 [panthor]\n sp : ffff800085d43970\n x29: ffff800085d43970 x28: ffff00080363e440 x27: ffff0008090c6000\n x26: 0000000000000030 x25: ffff800085d439f8 x24: ffff00080d402000\n x23: ffff800085d43b60 x22: ffff800085d439e0 x21: ffff00080abdb180\n x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000010\n x17: 6e656c202c303030 x16: 3666666666646466 x15: 393d61766f69202c\n x14: 312d3d7361203a70 x13: 303030323d6e656c x12: ffff80008324bf58\n x11: 0000000000000003 x10: 0000000000000002 x9 : ffff8000801a6a9c\n x8 : ffff00080360b300 x7 : 0000000000000000 x6 : 000000088aa35fc7\n x5 : fff1000080000000 x4 : ffff8000842ddd30 x3 : 0000000000000001\n x2 : 0000000100000000 x1 : 0000000000000001 x0 : 0000000000000078\n Call trace:\n  panthor_gpuva_sm_step_remap+0xe4/0x330 [panthor]\n  op_remap_cb.isra.22+0x50/0x80\n  __drm_gpuvm_sm_unmap+0x10c/0x1c8\n  drm_gpuvm_sm_unmap+0x40/0x60\n  panthor_vm_exec_op+0xb4/0x3d0 [panthor]\n  panthor_vm_bind_exec_sync_op+0x154/0x278 [panthor]\n  panthor_ioctl_vm_bind+0x160/0x4a0 [panthor]\n  drm_ioctl_kernel+0xbc/0x138\n  drm_ioctl+0x240/0x500\n  __arm64_sys_ioctl+0xb0/0xf8\n  invoke_syscall+0x4c/0x110\n  el0_svc_common.constprop.1+0x98/0xf8\n  do_el0_svc+0x24/0x38\n  el0_svc+0x40/0xf8\n  el0t_64_sync_handler+0xa0/0xc8\n  el0t_64_sync+0x174/0x178"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-04T15:31:17.057Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/efe6dced3512066ebee2cf7c4c38d1c99625814e"
        },
        {
          "url": "https://git.kernel.org/stable/c/e9c19d19dd7e08db89cead5b0337c18590dc6645"
        },
        {
          "url": "https://git.kernel.org/stable/c/4eabd0d8791eaf9a7b114ccbf56eb488aefe7b1f"
        }
      ],
      "title": "drm/panthor: Fix kernel panic on partial unmap of a GPU VA region",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40225",
    "datePublished": "2025-12-04T15:31:17.057Z",
    "dateReserved": "2025-04-16T07:20:57.180Z",
    "dateUpdated": "2025-12-04T15:31:17.057Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68201 (GCVE-0-2025-68201)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:48 – Updated: 2026-01-02 15:34

Title

drm/amdgpu: remove two invalid BUG_ON()s

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: remove two invalid BUG_ON()s Those can be triggered trivially by userspace.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/eaf12bffd7f79f4d4…
	https://git.kernel.org/stable/c/a41bdba05899c7f45…
	https://git.kernel.org/stable/c/5d55ed19d4190d2c2…

Impacted products

Vendor

Product

Version

Linux

Affected: 3d879e81f0f9ed5d33b5eda0fe5226c884bb8073 , < eaf12bffd7f79f4d46ec028706f9d1a2d90f46fd (git)
Affected: 3d879e81f0f9ed5d33b5eda0fe5226c884bb8073 , < a41bdba05899c7f455cd960ef0713acc335370dc (git)
Affected: 3d879e81f0f9ed5d33b5eda0fe5226c884bb8073 , < 5d55ed19d4190d2c210ac05ac7a53f800a8c6fe5 (git)

Linux

Affected: 5.19
Unaffected: 0 , < 5.19 (semver)
Unaffected: 6.12.59 , ≤ 6.12.* (semver)
Unaffected: 6.17.9 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c",
            "drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "eaf12bffd7f79f4d46ec028706f9d1a2d90f46fd",
              "status": "affected",
              "version": "3d879e81f0f9ed5d33b5eda0fe5226c884bb8073",
              "versionType": "git"
            },
            {
              "lessThan": "a41bdba05899c7f455cd960ef0713acc335370dc",
              "status": "affected",
              "version": "3d879e81f0f9ed5d33b5eda0fe5226c884bb8073",
              "versionType": "git"
            },
            {
              "lessThan": "5d55ed19d4190d2c210ac05ac7a53f800a8c6fe5",
              "status": "affected",
              "version": "3d879e81f0f9ed5d33b5eda0fe5226c884bb8073",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c",
            "drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.19"
            },
            {
              "lessThan": "5.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: remove two invalid BUG_ON()s\n\nThose can be triggered trivially by userspace."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:34:24.423Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/eaf12bffd7f79f4d46ec028706f9d1a2d90f46fd"
        },
        {
          "url": "https://git.kernel.org/stable/c/a41bdba05899c7f455cd960ef0713acc335370dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/5d55ed19d4190d2c210ac05ac7a53f800a8c6fe5"
        }
      ],
      "title": "drm/amdgpu: remove two invalid BUG_ON()s",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68201",
    "datePublished": "2025-12-16T13:48:29.708Z",
    "dateReserved": "2025-12-16T13:41:40.254Z",
    "dateUpdated": "2026-01-02T15:34:24.423Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68190 (GCVE-0-2025-68190)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:43 – Updated: 2026-01-02 15:34

Title

drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked()

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked() kcalloc() may fail. When WS is non-zero and allocation fails, ectx.ws remains NULL while ectx.ws_size is set, leading to a potential NULL pointer dereference in atom_get_src_int() when accessing WS entries. Return -ENOMEM on allocation failure to avoid the NULL dereference.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/35f3fb86bb0158a29…
	https://git.kernel.org/stable/c/997e28d3d00a1d306…
	https://git.kernel.org/stable/c/cc9a8e238e42c1f43…

Impacted products

Vendor

Product

Version

Linux

Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 35f3fb86bb0158a298d6834e7e110dcaf07f490c (git)
Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < 997e28d3d00a1d30649629515e4402612921205b (git)
Affected: d38ceaf99ed015f2a0b9af3499791bd3a3daae21 , < cc9a8e238e42c1f43b98c097995137d644b69245 (git)

Linux

Affected: 4.2
Unaffected: 0 , < 4.2 (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/atom.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "35f3fb86bb0158a298d6834e7e110dcaf07f490c",
              "status": "affected",
              "version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
              "versionType": "git"
            },
            {
              "lessThan": "997e28d3d00a1d30649629515e4402612921205b",
              "status": "affected",
              "version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
              "versionType": "git"
            },
            {
              "lessThan": "cc9a8e238e42c1f43b98c097995137d644b69245",
              "status": "affected",
              "version": "d38ceaf99ed015f2a0b9af3499791bd3a3daae21",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/atom.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.2"
            },
            {
              "lessThan": "4.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked()\n\nkcalloc() may fail. When WS is non-zero and allocation fails, ectx.ws\nremains NULL while ectx.ws_size is set, leading to a potential NULL\npointer dereference in atom_get_src_int() when accessing WS entries.\n\nReturn -ENOMEM on allocation failure to avoid the NULL dereference."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:34:18.560Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/35f3fb86bb0158a298d6834e7e110dcaf07f490c"
        },
        {
          "url": "https://git.kernel.org/stable/c/997e28d3d00a1d30649629515e4402612921205b"
        },
        {
          "url": "https://git.kernel.org/stable/c/cc9a8e238e42c1f43b98c097995137d644b69245"
        }
      ],
      "title": "drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68190",
    "datePublished": "2025-12-16T13:43:12.297Z",
    "dateReserved": "2025-12-16T13:41:40.253Z",
    "dateUpdated": "2026-01-02T15:34:18.560Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40347 (GCVE-0-2025-40347)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:30 – Updated: 2025-12-16 13:30

Title

net: enetc: fix the deadlock of enetc_mdio_lock

Summary

In the Linux kernel, the following vulnerability has been resolved: net: enetc: fix the deadlock of enetc_mdio_lock After applying the workaround for err050089, the LS1028A platform experiences RCU stalls on RT kernel. This issue is caused by the recursive acquisition of the read lock enetc_mdio_lock. Here list some of the call stacks identified under the enetc_poll path that may lead to a deadlock: enetc_poll -> enetc_lock_mdio -> enetc_clean_rx_ring OR napi_complete_done -> napi_gro_receive -> enetc_start_xmit -> enetc_lock_mdio -> enetc_map_tx_buffs -> enetc_unlock_mdio -> enetc_unlock_mdio After enetc_poll acquires the read lock, a higher-priority writer attempts to acquire the lock, causing preemption. The writer detects that a read lock is already held and is scheduled out. However, readers under enetc_poll cannot acquire the read lock again because a writer is already waiting, leading to a thread hang. Currently, the deadlock is avoided by adjusting enetc_lock_mdio to prevent recursive lock acquisition.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/2781ca82ce8cad263…
	https://git.kernel.org/stable/c/1f92f5bd057a4fad9…
	https://git.kernel.org/stable/c/2e55a49dc3b2a6b23…
	https://git.kernel.org/stable/c/50bd33f6b3922a6b7…

Impacted products

Vendor

Product

Version

Linux

Affected: 6d36ecdbc4410e61a0e02adc5d3abeee22a8ffd3 , < 2781ca82ce8cad263d80b617addb727e6a84c9e5 (git)
Affected: 6d36ecdbc4410e61a0e02adc5d3abeee22a8ffd3 , < 1f92f5bd057a4fad9dab6af17963cdd21e5da6ed (git)
Affected: 6d36ecdbc4410e61a0e02adc5d3abeee22a8ffd3 , < 2e55a49dc3b2a6b23329e4fbbd8a5feb20e220aa (git)
Affected: 6d36ecdbc4410e61a0e02adc5d3abeee22a8ffd3 , < 50bd33f6b3922a6b760aa30d409cae891cec8fb5 (git)
Affected: bf9c564716a13dde6a990d3b02c27cd6e39608bf (git)
Affected: ff966263f5f9fdf9740f03fed0762ce73c230a6a (git)

Linux

Affected: 5.12
Unaffected: 0 , < 5.12 (semver)
Unaffected: 6.6.115 , ≤ 6.6.* (semver)
Unaffected: 6.12.56 , ≤ 6.12.* (semver)
Unaffected: 6.17.6 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/freescale/enetc/enetc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2781ca82ce8cad263d80b617addb727e6a84c9e5",
              "status": "affected",
              "version": "6d36ecdbc4410e61a0e02adc5d3abeee22a8ffd3",
              "versionType": "git"
            },
            {
              "lessThan": "1f92f5bd057a4fad9dab6af17963cdd21e5da6ed",
              "status": "affected",
              "version": "6d36ecdbc4410e61a0e02adc5d3abeee22a8ffd3",
              "versionType": "git"
            },
            {
              "lessThan": "2e55a49dc3b2a6b23329e4fbbd8a5feb20e220aa",
              "status": "affected",
              "version": "6d36ecdbc4410e61a0e02adc5d3abeee22a8ffd3",
              "versionType": "git"
            },
            {
              "lessThan": "50bd33f6b3922a6b760aa30d409cae891cec8fb5",
              "status": "affected",
              "version": "6d36ecdbc4410e61a0e02adc5d3abeee22a8ffd3",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "bf9c564716a13dde6a990d3b02c27cd6e39608bf",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "ff966263f5f9fdf9740f03fed0762ce73c230a6a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/freescale/enetc/enetc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.115",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.56",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.115",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.56",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.6",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.10.24",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.11.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: enetc: fix the deadlock of enetc_mdio_lock\n\nAfter applying the workaround for err050089, the LS1028A platform\nexperiences RCU stalls on RT kernel. This issue is caused by the\nrecursive acquisition of the read lock enetc_mdio_lock. Here list some\nof the call stacks identified under the enetc_poll path that may lead to\na deadlock:\n\nenetc_poll\n  -\u003e enetc_lock_mdio\n  -\u003e enetc_clean_rx_ring OR napi_complete_done\n     -\u003e napi_gro_receive\n        -\u003e enetc_start_xmit\n           -\u003e enetc_lock_mdio\n           -\u003e enetc_map_tx_buffs\n           -\u003e enetc_unlock_mdio\n  -\u003e enetc_unlock_mdio\n\nAfter enetc_poll acquires the read lock, a higher-priority writer attempts\nto acquire the lock, causing preemption. The writer detects that a\nread lock is already held and is scheduled out. However, readers under\nenetc_poll cannot acquire the read lock again because a writer is already\nwaiting, leading to a thread hang.\n\nCurrently, the deadlock is avoided by adjusting enetc_lock_mdio to prevent\nrecursive lock acquisition."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T13:30:21.539Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2781ca82ce8cad263d80b617addb727e6a84c9e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f92f5bd057a4fad9dab6af17963cdd21e5da6ed"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e55a49dc3b2a6b23329e4fbbd8a5feb20e220aa"
        },
        {
          "url": "https://git.kernel.org/stable/c/50bd33f6b3922a6b760aa30d409cae891cec8fb5"
        }
      ],
      "title": "net: enetc: fix the deadlock of enetc_mdio_lock",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40347",
    "datePublished": "2025-12-16T13:30:21.539Z",
    "dateReserved": "2025-04-16T07:20:57.187Z",
    "dateUpdated": "2025-12-16T13:30:21.539Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40354 (GCVE-0-2025-40354)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:30 – Updated: 2025-12-20 08:52

Title

drm/amd/display: increase max link count and fix link->enc NULL pointer access

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: increase max link count and fix link->enc NULL pointer access [why] 1.) dc->links[MAX_LINKS] array size smaller than actual requested. max_connector + max_dpia + 4 virtual = 14. increase from 12 to 14. 2.) hw_init() access null LINK_ENC for dpia non display_endpoint. (cherry picked from commit d7f5a61e1b04ed87b008c8d327649d184dc5bb45)

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f28092be4e12b7df9…
	https://git.kernel.org/stable/c/a3fc0d36cfb927f89…
	https://git.kernel.org/stable/c/bec947cbe9a65783a…

Impacted products

Vendor

Product

Version

Linux

Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < f28092be4e12b7df9e4f415d25bf0d767bc2d9ed (git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < a3fc0d36cfb927f8986b83bf5fba47dbedad3c63 (git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < bec947cbe9a65783adb475a5fb47980d7b4f4796 (git)

Linux

Affected: 4.15
Unaffected: 0 , < 4.15 (semver)
Unaffected: 6.12.56 , ≤ 6.12.* (semver)
Unaffected: 6.17.6 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c",
            "drivers/gpu/drm/amd/display/dc/inc/hw/hw_shared.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f28092be4e12b7df9e4f415d25bf0d767bc2d9ed",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "a3fc0d36cfb927f8986b83bf5fba47dbedad3c63",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "bec947cbe9a65783adb475a5fb47980d7b4f4796",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c",
            "drivers/gpu/drm/amd/display/dc/inc/hw/hw_shared.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.15"
            },
            {
              "lessThan": "4.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.56",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.56",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.6",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: increase max link count and fix link-\u003eenc NULL pointer access\n\n[why]\n1.) dc-\u003elinks[MAX_LINKS] array size smaller than actual requested.\nmax_connector + max_dpia + 4 virtual = 14.\nincrease from 12 to 14.\n\n2.) hw_init() access null LINK_ENC for dpia non display_endpoint.\n\n(cherry picked from commit d7f5a61e1b04ed87b008c8d327649d184dc5bb45)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-20T08:52:14.892Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f28092be4e12b7df9e4f415d25bf0d767bc2d9ed"
        },
        {
          "url": "https://git.kernel.org/stable/c/a3fc0d36cfb927f8986b83bf5fba47dbedad3c63"
        },
        {
          "url": "https://git.kernel.org/stable/c/bec947cbe9a65783adb475a5fb47980d7b4f4796"
        }
      ],
      "title": "drm/amd/display: increase max link count and fix link-\u003eenc NULL pointer access",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40354",
    "datePublished": "2025-12-16T13:30:27.082Z",
    "dateReserved": "2025-04-16T07:20:57.187Z",
    "dateUpdated": "2025-12-20T08:52:14.892Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40343 (GCVE-0-2025-40343)

Vulnerability from cvelistv5 – Published: 2025-12-09 04:10 – Updated: 2025-12-20 08:52

Title

nvmet-fc: avoid scheduling association deletion twice

Summary

In the Linux kernel, the following vulnerability has been resolved: nvmet-fc: avoid scheduling association deletion twice When forcefully shutting down a port via the configfs interface, nvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and then nvmet_disable_port(). Both functions will eventually schedule all remaining associations for deletion. The current implementation checks whether an association is about to be removed, but only after the work item has already been scheduled. As a result, it is possible for the first scheduled work item to free all resources, and then for the same work item to be scheduled again for deletion. Because the association list is an RCU list, it is not possible to take a lock and remove the list entry directly, so it cannot be looked up again. Instead, a flag (terminating) must be used to determine whether the association is already in the process of being deleted.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/2f4852db87e25d4e2…
	https://git.kernel.org/stable/c/85e2ce1920cb511d5…
	https://git.kernel.org/stable/c/601ed47b2363c24d9…
	https://git.kernel.org/stable/c/04d17540ef51e2c29…
	https://git.kernel.org/stable/c/c09ac9a63fc3aaf46…
	https://git.kernel.org/stable/c/f2537be4f8421f649…

Impacted products

Vendor

Product

Version

Linux

Affected: a07b4970f464f13640e28e16dad6cfa33647cc99 , < 2f4852db87e25d4e226b25cb6f652fef9504360e (git)
Affected: a07b4970f464f13640e28e16dad6cfa33647cc99 , < 85e2ce1920cb511d57aae59f0df6ff85b28bf04d (git)
Affected: a07b4970f464f13640e28e16dad6cfa33647cc99 , < 601ed47b2363c24d948d7bac0c23abc8bd459570 (git)
Affected: a07b4970f464f13640e28e16dad6cfa33647cc99 , < 04d17540ef51e2c291eb863ca87fd332259b2d40 (git)
Affected: a07b4970f464f13640e28e16dad6cfa33647cc99 , < c09ac9a63fc3aaf4670ad7b5e4f5afd764424154 (git)
Affected: a07b4970f464f13640e28e16dad6cfa33647cc99 , < f2537be4f8421f6495edfa0bc284d722f253841d (git)

Linux

Affected: 4.8
Unaffected: 0 , < 4.8 (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvme/target/fc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2f4852db87e25d4e226b25cb6f652fef9504360e",
              "status": "affected",
              "version": "a07b4970f464f13640e28e16dad6cfa33647cc99",
              "versionType": "git"
            },
            {
              "lessThan": "85e2ce1920cb511d57aae59f0df6ff85b28bf04d",
              "status": "affected",
              "version": "a07b4970f464f13640e28e16dad6cfa33647cc99",
              "versionType": "git"
            },
            {
              "lessThan": "601ed47b2363c24d948d7bac0c23abc8bd459570",
              "status": "affected",
              "version": "a07b4970f464f13640e28e16dad6cfa33647cc99",
              "versionType": "git"
            },
            {
              "lessThan": "04d17540ef51e2c291eb863ca87fd332259b2d40",
              "status": "affected",
              "version": "a07b4970f464f13640e28e16dad6cfa33647cc99",
              "versionType": "git"
            },
            {
              "lessThan": "c09ac9a63fc3aaf4670ad7b5e4f5afd764424154",
              "status": "affected",
              "version": "a07b4970f464f13640e28e16dad6cfa33647cc99",
              "versionType": "git"
            },
            {
              "lessThan": "f2537be4f8421f6495edfa0bc284d722f253841d",
              "status": "affected",
              "version": "a07b4970f464f13640e28e16dad6cfa33647cc99",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvme/target/fc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-fc: avoid scheduling association deletion twice\n\nWhen forcefully shutting down a port via the configfs interface,\nnvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and\nthen nvmet_disable_port(). Both functions will eventually schedule all\nremaining associations for deletion.\n\nThe current implementation checks whether an association is about to be\nremoved, but only after the work item has already been scheduled. As a\nresult, it is possible for the first scheduled work item to free all\nresources, and then for the same work item to be scheduled again for\ndeletion.\n\nBecause the association list is an RCU list, it is not possible to take\na lock and remove the list entry directly, so it cannot be looked up\nagain. Instead, a flag (terminating) must be used to determine whether\nthe association is already in the process of being deleted."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-20T08:52:13.716Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2f4852db87e25d4e226b25cb6f652fef9504360e"
        },
        {
          "url": "https://git.kernel.org/stable/c/85e2ce1920cb511d57aae59f0df6ff85b28bf04d"
        },
        {
          "url": "https://git.kernel.org/stable/c/601ed47b2363c24d948d7bac0c23abc8bd459570"
        },
        {
          "url": "https://git.kernel.org/stable/c/04d17540ef51e2c291eb863ca87fd332259b2d40"
        },
        {
          "url": "https://git.kernel.org/stable/c/c09ac9a63fc3aaf4670ad7b5e4f5afd764424154"
        },
        {
          "url": "https://git.kernel.org/stable/c/f2537be4f8421f6495edfa0bc284d722f253841d"
        }
      ],
      "title": "nvmet-fc: avoid scheduling association deletion twice",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40343",
    "datePublished": "2025-12-09T04:10:00.973Z",
    "dateReserved": "2025-04-16T07:20:57.187Z",
    "dateUpdated": "2025-12-20T08:52:13.716Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68742 (GCVE-0-2025-68742)

Vulnerability from cvelistv5 – Published: 2025-12-24 12:09 – Updated: 2026-01-11 16:30

Title

bpf: Fix invalid prog->stats access when update_effective_progs fails

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix invalid prog->stats access when update_effective_progs fails Syzkaller triggers an invalid memory access issue following fault injection in update_effective_progs. The issue can be described as follows: __cgroup_bpf_detach update_effective_progs compute_effective_progs bpf_prog_array_alloc <-- fault inject purge_effective_progs /* change to dummy_bpf_prog */ array->items[index] = &dummy_bpf_prog.prog ---softirq start--- __do_softirq ... __cgroup_bpf_run_filter_skb __bpf_prog_run_save_cb bpf_prog_run stats = this_cpu_ptr(prog->stats) /* invalid memory access */ flags = u64_stats_update_begin_irqsave(&stats->syncp) ---softirq end--- static_branch_dec(&cgroup_bpf_enabled_key[atype]) The reason is that fault injection caused update_effective_progs to fail and then changed the original prog into dummy_bpf_prog.prog in purge_effective_progs. Then a softirq came, and accessing the members of dummy_bpf_prog.prog in the softirq triggers invalid mem access. To fix it, skip updating stats when stats is NULL.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/93d1964773ff513c9…
	https://git.kernel.org/stable/c/bf2c990b012100610…
	https://git.kernel.org/stable/c/539137e3038ce6f95…
	https://git.kernel.org/stable/c/56905bb70c8b88421…
	https://git.kernel.org/stable/c/2579c356ccd35d062…
	https://git.kernel.org/stable/c/7dc211c1159d991db…

Impacted products

Vendor

Product

Version

Linux

Affected: 492ecee892c2a4ba6a14903d5d586ff750b7e805 , < 93d1964773ff513c9bd530f7686d3e48b786fa6b (git)
Affected: 492ecee892c2a4ba6a14903d5d586ff750b7e805 , < bf2c990b012100610c0f1ec5c4ea434da2d080c2 (git)
Affected: 492ecee892c2a4ba6a14903d5d586ff750b7e805 , < 539137e3038ce6f953efd72110110f03c14c7d97 (git)
Affected: 492ecee892c2a4ba6a14903d5d586ff750b7e805 , < 56905bb70c8b88421709bb4e32fcba617aa37d41 (git)
Affected: 492ecee892c2a4ba6a14903d5d586ff750b7e805 , < 2579c356ccd35d06238b176e4b460978186d804b (git)
Affected: 492ecee892c2a4ba6a14903d5d586ff750b7e805 , < 7dc211c1159d991db609bdf4b0fb9033c04adcbc (git)

Linux

Affected: 5.1
Unaffected: 0 , < 5.1 (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.63 , ≤ 6.12.* (semver)
Unaffected: 6.17.13 , ≤ 6.17.* (semver)
Unaffected: 6.18.2 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/filter.h",
            "kernel/bpf/syscall.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "93d1964773ff513c9bd530f7686d3e48b786fa6b",
              "status": "affected",
              "version": "492ecee892c2a4ba6a14903d5d586ff750b7e805",
              "versionType": "git"
            },
            {
              "lessThan": "bf2c990b012100610c0f1ec5c4ea434da2d080c2",
              "status": "affected",
              "version": "492ecee892c2a4ba6a14903d5d586ff750b7e805",
              "versionType": "git"
            },
            {
              "lessThan": "539137e3038ce6f953efd72110110f03c14c7d97",
              "status": "affected",
              "version": "492ecee892c2a4ba6a14903d5d586ff750b7e805",
              "versionType": "git"
            },
            {
              "lessThan": "56905bb70c8b88421709bb4e32fcba617aa37d41",
              "status": "affected",
              "version": "492ecee892c2a4ba6a14903d5d586ff750b7e805",
              "versionType": "git"
            },
            {
              "lessThan": "2579c356ccd35d06238b176e4b460978186d804b",
              "status": "affected",
              "version": "492ecee892c2a4ba6a14903d5d586ff750b7e805",
              "versionType": "git"
            },
            {
              "lessThan": "7dc211c1159d991db609bdf4b0fb9033c04adcbc",
              "status": "affected",
              "version": "492ecee892c2a4ba6a14903d5d586ff750b7e805",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/filter.h",
            "kernel/bpf/syscall.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.1"
            },
            {
              "lessThan": "5.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.63",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.63",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.13",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.2",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix invalid prog-\u003estats access when update_effective_progs fails\n\nSyzkaller triggers an invalid memory access issue following fault\ninjection in update_effective_progs. The issue can be described as\nfollows:\n\n__cgroup_bpf_detach\n  update_effective_progs\n    compute_effective_progs\n      bpf_prog_array_alloc \u003c-- fault inject\n  purge_effective_progs\n    /* change to dummy_bpf_prog */\n    array-\u003eitems[index] = \u0026dummy_bpf_prog.prog\n\n---softirq start---\n__do_softirq\n  ...\n    __cgroup_bpf_run_filter_skb\n      __bpf_prog_run_save_cb\n        bpf_prog_run\n          stats = this_cpu_ptr(prog-\u003estats)\n          /* invalid memory access */\n          flags = u64_stats_update_begin_irqsave(\u0026stats-\u003esyncp)\n---softirq end---\n\n  static_branch_dec(\u0026cgroup_bpf_enabled_key[atype])\n\nThe reason is that fault injection caused update_effective_progs to fail\nand then changed the original prog into dummy_bpf_prog.prog in\npurge_effective_progs. Then a softirq came, and accessing the members of\ndummy_bpf_prog.prog in the softirq triggers invalid mem access.\n\nTo fix it, skip updating stats when stats is NULL."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-11T16:30:20.922Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/93d1964773ff513c9bd530f7686d3e48b786fa6b"
        },
        {
          "url": "https://git.kernel.org/stable/c/bf2c990b012100610c0f1ec5c4ea434da2d080c2"
        },
        {
          "url": "https://git.kernel.org/stable/c/539137e3038ce6f953efd72110110f03c14c7d97"
        },
        {
          "url": "https://git.kernel.org/stable/c/56905bb70c8b88421709bb4e32fcba617aa37d41"
        },
        {
          "url": "https://git.kernel.org/stable/c/2579c356ccd35d06238b176e4b460978186d804b"
        },
        {
          "url": "https://git.kernel.org/stable/c/7dc211c1159d991db609bdf4b0fb9033c04adcbc"
        }
      ],
      "title": "bpf: Fix invalid prog-\u003estats access when update_effective_progs fails",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68742",
    "datePublished": "2025-12-24T12:09:39.341Z",
    "dateReserved": "2025-12-24T10:30:51.030Z",
    "dateUpdated": "2026-01-11T16:30:20.922Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40219 (GCVE-0-2025-40219)

Vulnerability from cvelistv5 – Published: 2025-12-04 14:50 – Updated: 2025-12-04 14:50

Title

PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV

Summary

In the Linux kernel, the following vulnerability has been resolved: PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV Before disabling SR-IOV via config space accesses to the parent PF, sriov_disable() first removes the PCI devices representing the VFs. Since commit 9d16947b7583 ("PCI: Add global pci_lock_rescan_remove()") such removal operations are serialized against concurrent remove and rescan using the pci_rescan_remove_lock. No such locking was ever added in sriov_disable() however. In particular when commit 18f9e9d150fc ("PCI/IOV: Factor out sriov_add_vfs()") factored out the PCI device removal into sriov_del_vfs() there was still no locking around the pci_iov_remove_virtfn() calls. On s390 the lack of serialization in sriov_disable() may cause double remove and list corruption with the below (amended) trace being observed: PSW: 0704c00180000000 0000000c914e4b38 (klist_put+56) GPRS: 000003800313fb48 0000000000000000 0000000100000001 0000000000000001 00000000f9b520a8 0000000000000000 0000000000002fbd 00000000f4cc9480 0000000000000001 0000000000000000 0000000000000000 0000000180692828 00000000818e8000 000003800313fe2c 000003800313fb20 000003800313fad8 #0 [3800313fb20] device_del at c9158ad5c #1 [3800313fb88] pci_remove_bus_device at c915105ba #2 [3800313fbd0] pci_iov_remove_virtfn at c9152f198 #3 [3800313fc28] zpci_iov_remove_virtfn at c90fb67c0 #4 [3800313fc60] zpci_bus_remove_device at c90fb6104 #5 [3800313fca0] __zpci_event_availability at c90fb3dca #6 [3800313fd08] chsc_process_sei_nt0 at c918fe4a2 #7 [3800313fd60] crw_collect_info at c91905822 #8 [3800313fe10] kthread at c90feb390 #9 [3800313fe68] __ret_from_fork at c90f6aa64 #10 [3800313fe98] ret_from_fork at c9194f3f2. This is because in addition to sriov_disable() removing the VFs, the platform also generates hot-unplug events for the VFs. This being the reverse operation to the hotplug events generated by sriov_enable() and handled via pdev->no_vf_scan. And while the event processing takes pci_rescan_remove_lock and checks whether the struct pci_dev still exists, the lack of synchronization makes this checking racy. Other races may also be possible of course though given that this lack of locking persisted so long observable races seem very rare. Even on s390 the list corruption was only observed with certain devices since the platform events are only triggered by config accesses after the removal, so as long as the removal finished synchronously they would not race. Either way the locking is missing so fix this by adding it to the sriov_del_vfs() helper. Just like PCI rescan-remove, locking is also missing in sriov_add_vfs() including for the error case where pci_stop_and_remove_bus_device() is called without the PCI rescan-remove lock being held. Even in the non-error case, adding new PCI devices and buses should be serialized via the PCI rescan-remove lock. Add the necessary locking.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/5c1cd7d405e94dc6c…
	https://git.kernel.org/stable/c/1e8a80290f964bdba…
	https://git.kernel.org/stable/c/a645ca21de09e3137…
	https://git.kernel.org/stable/c/a24219172456f035d…
	https://git.kernel.org/stable/c/36039348bca77828b…
	https://git.kernel.org/stable/c/53154cd40ccf285f1…
	https://git.kernel.org/stable/c/ee40e5db052d7c6f4…
	https://git.kernel.org/stable/c/05703271c3cdcc0f2…

Impacted products

Vendor

Product

Version

Linux

Affected: 18f9e9d150fccfa747875df6f0a9f606740762b3 , < 5c1cd7d405e94dc6cb320cc0cc092b74895b6ddf (git)
Affected: 18f9e9d150fccfa747875df6f0a9f606740762b3 , < 1e8a80290f964bdbad225221c8a1594c7e01c8fd (git)
Affected: 18f9e9d150fccfa747875df6f0a9f606740762b3 , < a645ca21de09e3137cbb224fa6c23cca873a1d01 (git)
Affected: 18f9e9d150fccfa747875df6f0a9f606740762b3 , < a24219172456f035d886857e265ca24c85b167c8 (git)
Affected: 18f9e9d150fccfa747875df6f0a9f606740762b3 , < 36039348bca77828bf06eae41b8f76e38cd15847 (git)
Affected: 18f9e9d150fccfa747875df6f0a9f606740762b3 , < 53154cd40ccf285f1d1c24367824082061d155bd (git)
Affected: 18f9e9d150fccfa747875df6f0a9f606740762b3 , < ee40e5db052d7c6f406fdb95ad639c894c74674c (git)
Affected: 18f9e9d150fccfa747875df6f0a9f606740762b3 , < 05703271c3cdcc0f2a8cf6ebdc45892b8ca83520 (git)

Linux

Affected: 5.0
Unaffected: 0 , < 5.0 (semver)
Unaffected: 5.4.301 , ≤ 5.4.* (semver)
Unaffected: 5.10.246 , ≤ 5.10.* (semver)
Unaffected: 5.15.195 , ≤ 5.15.* (semver)
Unaffected: 6.1.157 , ≤ 6.1.* (semver)
Unaffected: 6.6.113 , ≤ 6.6.* (semver)
Unaffected: 6.12.54 , ≤ 6.12.* (semver)
Unaffected: 6.17.4 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/pci/iov.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5c1cd7d405e94dc6cb320cc0cc092b74895b6ddf",
              "status": "affected",
              "version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
              "versionType": "git"
            },
            {
              "lessThan": "1e8a80290f964bdbad225221c8a1594c7e01c8fd",
              "status": "affected",
              "version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
              "versionType": "git"
            },
            {
              "lessThan": "a645ca21de09e3137cbb224fa6c23cca873a1d01",
              "status": "affected",
              "version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
              "versionType": "git"
            },
            {
              "lessThan": "a24219172456f035d886857e265ca24c85b167c8",
              "status": "affected",
              "version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
              "versionType": "git"
            },
            {
              "lessThan": "36039348bca77828bf06eae41b8f76e38cd15847",
              "status": "affected",
              "version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
              "versionType": "git"
            },
            {
              "lessThan": "53154cd40ccf285f1d1c24367824082061d155bd",
              "status": "affected",
              "version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
              "versionType": "git"
            },
            {
              "lessThan": "ee40e5db052d7c6f406fdb95ad639c894c74674c",
              "status": "affected",
              "version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
              "versionType": "git"
            },
            {
              "lessThan": "05703271c3cdcc0f2a8cf6ebdc45892b8ca83520",
              "status": "affected",
              "version": "18f9e9d150fccfa747875df6f0a9f606740762b3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/pci/iov.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "lessThan": "5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.301",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.246",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.195",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.157",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.54",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.301",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.246",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.195",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.157",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.113",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.54",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.4",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV\n\nBefore disabling SR-IOV via config space accesses to the parent PF,\nsriov_disable() first removes the PCI devices representing the VFs.\n\nSince commit 9d16947b7583 (\"PCI: Add global pci_lock_rescan_remove()\")\nsuch removal operations are serialized against concurrent remove and\nrescan using the pci_rescan_remove_lock. No such locking was ever added\nin sriov_disable() however. In particular when commit 18f9e9d150fc\n(\"PCI/IOV: Factor out sriov_add_vfs()\") factored out the PCI device\nremoval into sriov_del_vfs() there was still no locking around the\npci_iov_remove_virtfn() calls.\n\nOn s390 the lack of serialization in sriov_disable() may cause double\nremove and list corruption with the below (amended) trace being observed:\n\n  PSW:  0704c00180000000 0000000c914e4b38 (klist_put+56)\n  GPRS: 000003800313fb48 0000000000000000 0000000100000001 0000000000000001\n\t00000000f9b520a8 0000000000000000 0000000000002fbd 00000000f4cc9480\n\t0000000000000001 0000000000000000 0000000000000000 0000000180692828\n\t00000000818e8000 000003800313fe2c 000003800313fb20 000003800313fad8\n  #0 [3800313fb20] device_del at c9158ad5c\n  #1 [3800313fb88] pci_remove_bus_device at c915105ba\n  #2 [3800313fbd0] pci_iov_remove_virtfn at c9152f198\n  #3 [3800313fc28] zpci_iov_remove_virtfn at c90fb67c0\n  #4 [3800313fc60] zpci_bus_remove_device at c90fb6104\n  #5 [3800313fca0] __zpci_event_availability at c90fb3dca\n  #6 [3800313fd08] chsc_process_sei_nt0 at c918fe4a2\n  #7 [3800313fd60] crw_collect_info at c91905822\n  #8 [3800313fe10] kthread at c90feb390\n  #9 [3800313fe68] __ret_from_fork at c90f6aa64\n  #10 [3800313fe98] ret_from_fork at c9194f3f2.\n\nThis is because in addition to sriov_disable() removing the VFs, the\nplatform also generates hot-unplug events for the VFs. This being the\nreverse operation to the hotplug events generated by sriov_enable() and\nhandled via pdev-\u003eno_vf_scan. And while the event processing takes\npci_rescan_remove_lock and checks whether the struct pci_dev still exists,\nthe lack of synchronization makes this checking racy.\n\nOther races may also be possible of course though given that this lack of\nlocking persisted so long observable races seem very rare. Even on s390 the\nlist corruption was only observed with certain devices since the platform\nevents are only triggered by config accesses after the removal, so as long\nas the removal finished synchronously they would not race. Either way the\nlocking is missing so fix this by adding it to the sriov_del_vfs() helper.\n\nJust like PCI rescan-remove, locking is also missing in sriov_add_vfs()\nincluding for the error case where pci_stop_and_remove_bus_device() is\ncalled without the PCI rescan-remove lock being held. Even in the non-error\ncase, adding new PCI devices and buses should be serialized via the PCI\nrescan-remove lock. Add the necessary locking."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-04T14:50:42.996Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5c1cd7d405e94dc6cb320cc0cc092b74895b6ddf"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e8a80290f964bdbad225221c8a1594c7e01c8fd"
        },
        {
          "url": "https://git.kernel.org/stable/c/a645ca21de09e3137cbb224fa6c23cca873a1d01"
        },
        {
          "url": "https://git.kernel.org/stable/c/a24219172456f035d886857e265ca24c85b167c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/36039348bca77828bf06eae41b8f76e38cd15847"
        },
        {
          "url": "https://git.kernel.org/stable/c/53154cd40ccf285f1d1c24367824082061d155bd"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee40e5db052d7c6f406fdb95ad639c894c74674c"
        },
        {
          "url": "https://git.kernel.org/stable/c/05703271c3cdcc0f2a8cf6ebdc45892b8ca83520"
        }
      ],
      "title": "PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40219",
    "datePublished": "2025-12-04T14:50:42.996Z",
    "dateReserved": "2025-04-16T07:20:57.179Z",
    "dateUpdated": "2025-12-04T14:50:42.996Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40223 (GCVE-0-2025-40223)

Vulnerability from cvelistv5 – Published: 2025-12-04 15:31 – Updated: 2025-12-04 15:31

Title

most: usb: Fix use-after-free in hdm_disconnect

Summary

In the Linux kernel, the following vulnerability has been resolved: most: usb: Fix use-after-free in hdm_disconnect hdm_disconnect() calls most_deregister_interface(), which eventually unregisters the MOST interface device with device_unregister(iface->dev). If that drops the last reference, the device core may call release_mdev() immediately while hdm_disconnect() is still executing. The old code also freed several mdev-owned allocations in hdm_disconnect() and then performed additional put_device() calls. Depending on refcount order, this could lead to use-after-free or double-free when release_mdev() ran (or when unregister paths also performed puts). Fix by moving the frees of mdev-owned allocations into release_mdev(), so they happen exactly once when the device is truly released, and by dropping the extra put_device() calls in hdm_disconnect() that are redundant after device_unregister() and most_deregister_interface(). This addresses the KASAN slab-use-after-free reported by syzbot in hdm_disconnect(). See report and stack traces in the bug link below.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/5b5c478f09b1b35e7…
	https://git.kernel.org/stable/c/578eb18cd111addec…
	https://git.kernel.org/stable/c/33daf469f5294b9d0…
	https://git.kernel.org/stable/c/72427dc6f87523995…
	https://git.kernel.org/stable/c/f93a84ffb884d761a…
	https://git.kernel.org/stable/c/3a3b8e89c7201c5b3…
	https://git.kernel.org/stable/c/4b1270902609ef0d9…

Impacted products

Vendor

Product

Version

Linux

Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < 5b5c478f09b1b35e7fe6fc9a1786c9bf6030e831 (git)
Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < 578eb18cd111addec94c43f61cd4b4429e454809 (git)
Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < 33daf469f5294b9d07c4fc98216cace9f4f34cc6 (git)
Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < 72427dc6f87523995f4e6ae35a948bb2992cabce (git)
Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < f93a84ffb884d761a9d4e869ba29c238711e81f1 (git)
Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < 3a3b8e89c7201c5b3b76ac4a4069d1adde1477d6 (git)
Affected: 97a6f772f36b7f52bcfa56a581bbd2470cffe23d , < 4b1270902609ef0d935ed2faa2ea6d122bd148f5 (git)

Linux

Affected: 5.9
Unaffected: 0 , < 5.9 (semver)
Unaffected: 5.10.246 , ≤ 5.10.* (semver)
Unaffected: 5.15.196 , ≤ 5.15.* (semver)
Unaffected: 6.1.158 , ≤ 6.1.* (semver)
Unaffected: 6.6.115 , ≤ 6.6.* (semver)
Unaffected: 6.12.56 , ≤ 6.12.* (semver)
Unaffected: 6.17.6 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/most/most_usb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5b5c478f09b1b35e7fe6fc9a1786c9bf6030e831",
              "status": "affected",
              "version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
              "versionType": "git"
            },
            {
              "lessThan": "578eb18cd111addec94c43f61cd4b4429e454809",
              "status": "affected",
              "version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
              "versionType": "git"
            },
            {
              "lessThan": "33daf469f5294b9d07c4fc98216cace9f4f34cc6",
              "status": "affected",
              "version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
              "versionType": "git"
            },
            {
              "lessThan": "72427dc6f87523995f4e6ae35a948bb2992cabce",
              "status": "affected",
              "version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
              "versionType": "git"
            },
            {
              "lessThan": "f93a84ffb884d761a9d4e869ba29c238711e81f1",
              "status": "affected",
              "version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
              "versionType": "git"
            },
            {
              "lessThan": "3a3b8e89c7201c5b3b76ac4a4069d1adde1477d6",
              "status": "affected",
              "version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
              "versionType": "git"
            },
            {
              "lessThan": "4b1270902609ef0d935ed2faa2ea6d122bd148f5",
              "status": "affected",
              "version": "97a6f772f36b7f52bcfa56a581bbd2470cffe23d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/most/most_usb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.9"
            },
            {
              "lessThan": "5.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.246",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.196",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.158",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.115",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.56",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.246",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.196",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.158",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.115",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.56",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.6",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmost: usb: Fix use-after-free in hdm_disconnect\n\nhdm_disconnect() calls most_deregister_interface(), which eventually\nunregisters the MOST interface device with device_unregister(iface-\u003edev).\nIf that drops the last reference, the device core may call release_mdev()\nimmediately while hdm_disconnect() is still executing.\n\nThe old code also freed several mdev-owned allocations in\nhdm_disconnect() and then performed additional put_device() calls.\nDepending on refcount order, this could lead to use-after-free or\ndouble-free when release_mdev() ran (or when unregister paths also\nperformed puts).\n\nFix by moving the frees of mdev-owned allocations into release_mdev(),\nso they happen exactly once when the device is truly released, and by\ndropping the extra put_device() calls in hdm_disconnect() that are\nredundant after device_unregister() and most_deregister_interface().\n\nThis addresses the KASAN slab-use-after-free reported by syzbot in\nhdm_disconnect(). See report and stack traces in the bug link below."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-04T15:31:15.158Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5b5c478f09b1b35e7fe6fc9a1786c9bf6030e831"
        },
        {
          "url": "https://git.kernel.org/stable/c/578eb18cd111addec94c43f61cd4b4429e454809"
        },
        {
          "url": "https://git.kernel.org/stable/c/33daf469f5294b9d07c4fc98216cace9f4f34cc6"
        },
        {
          "url": "https://git.kernel.org/stable/c/72427dc6f87523995f4e6ae35a948bb2992cabce"
        },
        {
          "url": "https://git.kernel.org/stable/c/f93a84ffb884d761a9d4e869ba29c238711e81f1"
        },
        {
          "url": "https://git.kernel.org/stable/c/3a3b8e89c7201c5b3b76ac4a4069d1adde1477d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b1270902609ef0d935ed2faa2ea6d122bd148f5"
        }
      ],
      "title": "most: usb: Fix use-after-free in hdm_disconnect",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40223",
    "datePublished": "2025-12-04T15:31:15.158Z",
    "dateReserved": "2025-04-16T07:20:57.180Z",
    "dateUpdated": "2025-12-04T15:31:15.158Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53781 (GCVE-0-2023-53781)

Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00

Title

smc: Fix use-after-free in tcp_write_timer_handler().

Summary

In the Linux kernel, the following vulnerability has been resolved: smc: Fix use-after-free in tcp_write_timer_handler(). With Eric's ref tracker, syzbot finally found a repro for use-after-free in tcp_write_timer_handler() by kernel TCP sockets. [0] If SMC creates a kernel socket in __smc_create(), the kernel socket is supposed to be freed in smc_clcsock_release() by calling sock_release() when we close() the parent SMC socket. However, at the end of smc_clcsock_release(), the kernel socket's sk_state might not be TCP_CLOSE. This means that we have not called inet_csk_destroy_sock() in __tcp_close() and have not stopped the TCP timers. The kernel socket's TCP timers can be fired later, so we need to hold a refcnt for net as we do for MPTCP subflows in mptcp_subflow_create_socket(). [0]: leaked reference. sk_alloc (./include/net/net_namespace.h:335 net/core/sock.c:2108) inet_create (net/ipv4/af_inet.c:319 net/ipv4/af_inet.c:244) __sock_create (net/socket.c:1546) smc_create (net/smc/af_smc.c:3269 net/smc/af_smc.c:3284) __sock_create (net/socket.c:1546) __sys_socket (net/socket.c:1634 net/socket.c:1618 net/socket.c:1661) __x64_sys_socket (net/socket.c:1672) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) ================================================================== BUG: KASAN: slab-use-after-free in tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594) Read of size 1 at addr ffff888052b65e0d by task syzrepro/18091 CPU: 0 PID: 18091 Comm: syzrepro Tainted: G W 6.3.0-rc4-01174-gb5d54eb5899a #7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.amzn2022.0.1 04/01/2014 Call Trace: <IRQ> dump_stack_lvl (lib/dump_stack.c:107) print_report (mm/kasan/report.c:320 mm/kasan/report.c:430) kasan_report (mm/kasan/report.c:538) tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594) tcp_write_timer (./include/linux/spinlock.h:390 net/ipv4/tcp_timer.c:643) call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701) __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2022) run_timer_softirq (kernel/time/timer.c:2037) __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572) __irq_exit_rcu (kernel/softirq.c:445 kernel/softirq.c:650) irq_exit_rcu (kernel/softirq.c:664) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1107 (discriminator 14)) </IRQ>

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/1cc41c8acfc1ee30b…
	https://git.kernel.org/stable/c/9744d2bf197627037…

Impacted products

Vendor

Product

Version

Linux

Affected: ac7138746e14137a451f8539614cdd349153e0c0 , < 1cc41c8acfc1ee30b4868559058db97fa44b0137 (git)
Affected: ac7138746e14137a451f8539614cdd349153e0c0 , < 9744d2bf19762703704ecba885b7ac282c02eacf (git)

Linux

Affected: 4.11
Unaffected: 0 , < 4.11 (semver)
Unaffected: 6.2.12 , ≤ 6.2.* (semver)
Unaffected: 6.3 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/smc/af_smc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1cc41c8acfc1ee30b4868559058db97fa44b0137",
              "status": "affected",
              "version": "ac7138746e14137a451f8539614cdd349153e0c0",
              "versionType": "git"
            },
            {
              "lessThan": "9744d2bf19762703704ecba885b7ac282c02eacf",
              "status": "affected",
              "version": "ac7138746e14137a451f8539614cdd349153e0c0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/smc/af_smc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.11"
            },
            {
              "lessThan": "4.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.2.*",
              "status": "unaffected",
              "version": "6.2.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2.12",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmc: Fix use-after-free in tcp_write_timer_handler().\n\nWith Eric\u0027s ref tracker, syzbot finally found a repro for\nuse-after-free in tcp_write_timer_handler() by kernel TCP\nsockets. [0]\n\nIf SMC creates a kernel socket in __smc_create(), the kernel\nsocket is supposed to be freed in smc_clcsock_release() by\ncalling sock_release() when we close() the parent SMC socket.\n\nHowever, at the end of smc_clcsock_release(), the kernel\nsocket\u0027s sk_state might not be TCP_CLOSE.  This means that\nwe have not called inet_csk_destroy_sock() in __tcp_close()\nand have not stopped the TCP timers.\n\nThe kernel socket\u0027s TCP timers can be fired later, so we\nneed to hold a refcnt for net as we do for MPTCP subflows\nin mptcp_subflow_create_socket().\n\n[0]:\nleaked reference.\n sk_alloc (./include/net/net_namespace.h:335 net/core/sock.c:2108)\n inet_create (net/ipv4/af_inet.c:319 net/ipv4/af_inet.c:244)\n __sock_create (net/socket.c:1546)\n smc_create (net/smc/af_smc.c:3269 net/smc/af_smc.c:3284)\n __sock_create (net/socket.c:1546)\n __sys_socket (net/socket.c:1634 net/socket.c:1618 net/socket.c:1661)\n __x64_sys_socket (net/socket.c:1672)\n do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\n==================================================================\nBUG: KASAN: slab-use-after-free in tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594)\nRead of size 1 at addr ffff888052b65e0d by task syzrepro/18091\n\nCPU: 0 PID: 18091 Comm: syzrepro Tainted: G        W          6.3.0-rc4-01174-gb5d54eb5899a #7\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.amzn2022.0.1 04/01/2014\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl (lib/dump_stack.c:107)\n print_report (mm/kasan/report.c:320 mm/kasan/report.c:430)\n kasan_report (mm/kasan/report.c:538)\n tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594)\n tcp_write_timer (./include/linux/spinlock.h:390 net/ipv4/tcp_timer.c:643)\n call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701)\n __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2022)\n run_timer_softirq (kernel/time/timer.c:2037)\n __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572)\n __irq_exit_rcu (kernel/softirq.c:445 kernel/softirq.c:650)\n irq_exit_rcu (kernel/softirq.c:664)\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1107 (discriminator 14))\n \u003c/IRQ\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T00:00:36.831Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1cc41c8acfc1ee30b4868559058db97fa44b0137"
        },
        {
          "url": "https://git.kernel.org/stable/c/9744d2bf19762703704ecba885b7ac282c02eacf"
        }
      ],
      "title": "smc: Fix use-after-free in tcp_write_timer_handler().",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53781",
    "datePublished": "2025-12-09T00:00:36.831Z",
    "dateReserved": "2025-12-08T23:58:35.272Z",
    "dateUpdated": "2025-12-09T00:00:36.831Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68340 (GCVE-0-2025-68340)

Vulnerability from cvelistv5 – Published: 2025-12-23 13:58 – Updated: 2026-02-06 16:31

Title

team: Move team device type change at the end of team_port_add

Summary

In the Linux kernel, the following vulnerability has been resolved: team: Move team device type change at the end of team_port_add Attempting to add a port device that is already up will expectedly fail, but not before modifying the team device header_ops. In the case of the syzbot reproducer the gre0 device is already in state UP when it attempts to add it as a port device of team0, this fails but before that header_ops->create of team0 is changed from eth_header to ipgre_header in the call to team_dev_type_check_change. Later when we end up in ipgre_header() struct ip_tunnel* points to nonsense as the private data of the device still holds a struct team. Example sequence of iproute2 commands to reproduce the hang/BUG(): ip link add dev team0 type team ip link add dev gre0 type gre ip link set dev gre0 up ip link set dev gre0 master team0 ip link set dev team0 up ping -I team0 1.1.1.1 Move team_dev_type_check_change down where all other checks have passed as it changes the dev type with no way to restore it in case one of the checks that follow it fail. Also make sure to preserve the origial mtu assignment: - If port_dev is not the same type as dev, dev takes mtu from port_dev - If port_dev is the same type as dev, port_dev takes mtu from dev This is done by adding a conditional before the call to dev_set_mtu to prevent it from assigning port_dev->mtu = dev->mtu and instead letting team_dev_type_check_change assign dev->mtu = port_dev->mtu. The conditional is needed because the patch moves the call to team_dev_type_check_change past dev_set_mtu. Testing: - team device driver in-tree selftests - Add/remove various devices as slaves of team device - syzbot

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c8b15b0d2eec3b5c7…
	https://git.kernel.org/stable/c/a74ab1b532ecc5f91…
	https://git.kernel.org/stable/c/e26235840fd961e4e…
	https://git.kernel.org/stable/c/4040b5e8963982a00…
	https://git.kernel.org/stable/c/e3eed4f038214494a…
	https://git.kernel.org/stable/c/0ae9cfc454ea5ead5…

Impacted products

Vendor

Product

Version

Linux

Affected: 1d76efe1577b4323609b1bcbfafa8b731eda071a , < c8b15b0d2eec3b5c7f585e5a53dfc8d36c818283 (git)
Affected: 1d76efe1577b4323609b1bcbfafa8b731eda071a , < a74ab1b532ecc5f9106621a8f75b4c3d04466b35 (git)
Affected: 1d76efe1577b4323609b1bcbfafa8b731eda071a , < e26235840fd961e4ebe5568f11a2a078cf726663 (git)
Affected: 1d76efe1577b4323609b1bcbfafa8b731eda071a , < 4040b5e8963982a00aa821300cb746efc9f2947e (git)
Affected: 1d76efe1577b4323609b1bcbfafa8b731eda071a , < e3eed4f038214494af62c7d2d64749e5108ce6ca (git)
Affected: 1d76efe1577b4323609b1bcbfafa8b731eda071a , < 0ae9cfc454ea5ead5f3ddbdfe2e70270d8e2c8ef (git)

Linux

Affected: 3.7
Unaffected: 0 , < 3.7 (semver)
Unaffected: 5.15.199 , ≤ 5.15.* (semver)
Unaffected: 6.1.162 , ≤ 6.1.* (semver)
Unaffected: 6.6.123 , ≤ 6.6.* (semver)
Unaffected: 6.12.61 , ≤ 6.12.* (semver)
Unaffected: 6.17.11 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/team/team_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c8b15b0d2eec3b5c7f585e5a53dfc8d36c818283",
              "status": "affected",
              "version": "1d76efe1577b4323609b1bcbfafa8b731eda071a",
              "versionType": "git"
            },
            {
              "lessThan": "a74ab1b532ecc5f9106621a8f75b4c3d04466b35",
              "status": "affected",
              "version": "1d76efe1577b4323609b1bcbfafa8b731eda071a",
              "versionType": "git"
            },
            {
              "lessThan": "e26235840fd961e4ebe5568f11a2a078cf726663",
              "status": "affected",
              "version": "1d76efe1577b4323609b1bcbfafa8b731eda071a",
              "versionType": "git"
            },
            {
              "lessThan": "4040b5e8963982a00aa821300cb746efc9f2947e",
              "status": "affected",
              "version": "1d76efe1577b4323609b1bcbfafa8b731eda071a",
              "versionType": "git"
            },
            {
              "lessThan": "e3eed4f038214494af62c7d2d64749e5108ce6ca",
              "status": "affected",
              "version": "1d76efe1577b4323609b1bcbfafa8b731eda071a",
              "versionType": "git"
            },
            {
              "lessThan": "0ae9cfc454ea5ead5f3ddbdfe2e70270d8e2c8ef",
              "status": "affected",
              "version": "1d76efe1577b4323609b1bcbfafa8b731eda071a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/team/team_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.7"
            },
            {
              "lessThan": "3.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.199",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.162",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.123",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.199",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.162",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.123",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.61",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.11",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "3.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nteam: Move team device type change at the end of team_port_add\n\nAttempting to add a port device that is already up will expectedly fail,\nbut not before modifying the team device header_ops.\n\nIn the case of the syzbot reproducer the gre0 device is\nalready in state UP when it attempts to add it as a\nport device of team0, this fails but before that\nheader_ops-\u003ecreate of team0 is changed from eth_header to ipgre_header\nin the call to team_dev_type_check_change.\n\nLater when we end up in ipgre_header() struct ip_tunnel* points to nonsense\nas the private data of the device still holds a struct team.\n\nExample sequence of iproute2 commands to reproduce the hang/BUG():\nip link add dev team0 type team\nip link add dev gre0 type gre\nip link set dev gre0 up\nip link set dev gre0 master team0\nip link set dev team0 up\nping -I team0 1.1.1.1\n\nMove team_dev_type_check_change down where all other checks have passed\nas it changes the dev type with no way to restore it in case\none of the checks that follow it fail.\n\nAlso make sure to preserve the origial mtu assignment:\n  - If port_dev is not the same type as dev, dev takes mtu from port_dev\n  - If port_dev is the same type as dev, port_dev takes mtu from dev\n\nThis is done by adding a conditional before the call to dev_set_mtu\nto prevent it from assigning port_dev-\u003emtu = dev-\u003emtu and instead\nletting team_dev_type_check_change assign dev-\u003emtu = port_dev-\u003emtu.\nThe conditional is needed because the patch moves the call to\nteam_dev_type_check_change past dev_set_mtu.\n\nTesting:\n  - team device driver in-tree selftests\n  - Add/remove various devices as slaves of team device\n  - syzbot"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-06T16:31:33.541Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c8b15b0d2eec3b5c7f585e5a53dfc8d36c818283"
        },
        {
          "url": "https://git.kernel.org/stable/c/a74ab1b532ecc5f9106621a8f75b4c3d04466b35"
        },
        {
          "url": "https://git.kernel.org/stable/c/e26235840fd961e4ebe5568f11a2a078cf726663"
        },
        {
          "url": "https://git.kernel.org/stable/c/4040b5e8963982a00aa821300cb746efc9f2947e"
        },
        {
          "url": "https://git.kernel.org/stable/c/e3eed4f038214494af62c7d2d64749e5108ce6ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/0ae9cfc454ea5ead5f3ddbdfe2e70270d8e2c8ef"
        }
      ],
      "title": "team: Move team device type change at the end of team_port_add",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68340",
    "datePublished": "2025-12-23T13:58:25.841Z",
    "dateReserved": "2025-12-16T14:48:05.297Z",
    "dateUpdated": "2026-02-06T16:31:33.541Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68748 (GCVE-0-2025-68748)

Vulnerability from cvelistv5 – Published: 2025-12-24 12:09 – Updated: 2025-12-24 12:09

Title

drm/panthor: Fix UAF race between device unplug and FW event processing

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Fix UAF race between device unplug and FW event processing The function panthor_fw_unplug() will free the FW memory sections. The problem is that there could still be pending FW events which are yet not handled at this point. process_fw_events_work() can in this case try to access said freed memory. Simply call disable_work_sync() to both drain and prevent future invocation of process_fw_events_work().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/31db188355a49337e…
	https://git.kernel.org/stable/c/5e3ff56d4cb591dae…
	https://git.kernel.org/stable/c/6c1da9ae2c123a9ff…
	https://git.kernel.org/stable/c/7051f6ba968fa6991…

Impacted products

Vendor

Product

Version

Linux

Affected: de85488138247d034eb3241840424a54d660926b , < 31db188355a49337e3e8ec98b99377e482eab22c (git)
Affected: de85488138247d034eb3241840424a54d660926b , < 5e3ff56d4cb591daea70786d07dc21d06dc34108 (git)
Affected: de85488138247d034eb3241840424a54d660926b , < 6c1da9ae2c123a9ffda5375e64cc81f9ed3cc04a (git)
Affected: de85488138247d034eb3241840424a54d660926b , < 7051f6ba968fa69918d72cc26de4d6cf7ea05b90 (git)

Linux

Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.12.63 , ≤ 6.12.* (semver)
Unaffected: 6.17.13 , ≤ 6.17.* (semver)
Unaffected: 6.18.2 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/panthor/panthor_sched.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "31db188355a49337e3e8ec98b99377e482eab22c",
              "status": "affected",
              "version": "de85488138247d034eb3241840424a54d660926b",
              "versionType": "git"
            },
            {
              "lessThan": "5e3ff56d4cb591daea70786d07dc21d06dc34108",
              "status": "affected",
              "version": "de85488138247d034eb3241840424a54d660926b",
              "versionType": "git"
            },
            {
              "lessThan": "6c1da9ae2c123a9ffda5375e64cc81f9ed3cc04a",
              "status": "affected",
              "version": "de85488138247d034eb3241840424a54d660926b",
              "versionType": "git"
            },
            {
              "lessThan": "7051f6ba968fa69918d72cc26de4d6cf7ea05b90",
              "status": "affected",
              "version": "de85488138247d034eb3241840424a54d660926b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/panthor/panthor_sched.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.63",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.63",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.13",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.2",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panthor: Fix UAF race between device unplug and FW event processing\n\nThe function panthor_fw_unplug() will free the FW memory sections.\nThe problem is that there could still be pending FW events which are yet\nnot handled at this point. process_fw_events_work() can in this case try\nto access said freed memory.\n\nSimply call disable_work_sync() to both drain and prevent future\ninvocation of process_fw_events_work()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-24T12:09:43.620Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/31db188355a49337e3e8ec98b99377e482eab22c"
        },
        {
          "url": "https://git.kernel.org/stable/c/5e3ff56d4cb591daea70786d07dc21d06dc34108"
        },
        {
          "url": "https://git.kernel.org/stable/c/6c1da9ae2c123a9ffda5375e64cc81f9ed3cc04a"
        },
        {
          "url": "https://git.kernel.org/stable/c/7051f6ba968fa69918d72cc26de4d6cf7ea05b90"
        }
      ],
      "title": "drm/panthor: Fix UAF race between device unplug and FW event processing",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68748",
    "datePublished": "2025-12-24T12:09:43.620Z",
    "dateReserved": "2025-12-24T10:30:51.032Z",
    "dateUpdated": "2025-12-24T12:09:43.620Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40170 (GCVE-0-2025-40170)

Vulnerability from cvelistv5 – Published: 2025-11-12 10:46 – Updated: 2026-01-08 09:50

Title

net: use dst_dev_rcu() in sk_setup_caps()

Summary

In the Linux kernel, the following vulnerability has been resolved: net: use dst_dev_rcu() in sk_setup_caps() Use RCU to protect accesses to dst->dev from sk_setup_caps() and sk_dst_gso_max_size(). Also use dst_dev_rcu() in ip6_dst_mtu_maybe_forward(), and ip_dst_mtu_maybe_forward(). ip4_dst_hoplimit() can use dst_dev_net_rcu().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/5d1be493d1110c9e7…
	https://git.kernel.org/stable/c/a805729c0091073d8…
	https://git.kernel.org/stable/c/99a2ace61b211b0be…

Impacted products

Vendor

Product

Version

Linux

Affected: 4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 , < 5d1be493d1110c9e720b4c51a6e587bb2fb4ac12 (git)
Affected: 4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 , < a805729c0091073d8f0415cfa96c7acd1bc17a48 (git)
Affected: 4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36 , < 99a2ace61b211b0be861b07fbaa062fca4b58879 (git)

Linux

Affected: 4.13
Unaffected: 0 , < 4.13 (semver)
Unaffected: 6.12.64 , ≤ 6.12.* (semver)
Unaffected: 6.17.3 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/ip.h",
            "include/net/ip6_route.h",
            "include/net/route.h",
            "net/core/sock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5d1be493d1110c9e720b4c51a6e587bb2fb4ac12",
              "status": "affected",
              "version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
              "versionType": "git"
            },
            {
              "lessThan": "a805729c0091073d8f0415cfa96c7acd1bc17a48",
              "status": "affected",
              "version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
              "versionType": "git"
            },
            {
              "lessThan": "99a2ace61b211b0be861b07fbaa062fca4b58879",
              "status": "affected",
              "version": "4a6ce2b6f2ecabbddcfe47e7cf61dd0f00b10e36",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/ip.h",
            "include/net/ip6_route.h",
            "include/net/route.h",
            "net/core/sock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.13"
            },
            {
              "lessThan": "4.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.64",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.3",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: use dst_dev_rcu() in sk_setup_caps()\n\nUse RCU to protect accesses to dst-\u003edev from sk_setup_caps()\nand sk_dst_gso_max_size().\n\nAlso use dst_dev_rcu() in ip6_dst_mtu_maybe_forward(),\nand ip_dst_mtu_maybe_forward().\n\nip4_dst_hoplimit() can use dst_dev_net_rcu()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-08T09:50:18.753Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5d1be493d1110c9e720b4c51a6e587bb2fb4ac12"
        },
        {
          "url": "https://git.kernel.org/stable/c/a805729c0091073d8f0415cfa96c7acd1bc17a48"
        },
        {
          "url": "https://git.kernel.org/stable/c/99a2ace61b211b0be861b07fbaa062fca4b58879"
        }
      ],
      "title": "net: use dst_dev_rcu() in sk_setup_caps()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40170",
    "datePublished": "2025-11-12T10:46:52.014Z",
    "dateReserved": "2025-04-16T07:20:57.176Z",
    "dateUpdated": "2026-01-08T09:50:18.753Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-0854 (GCVE-0-2022-0854)

Vulnerability from cvelistv5 – Published: 2022-03-23 19:46 – Updated: 2024-08-02 23:40

Summary

A memory leak flaw was found in the Linux kernel’s DMA subsystem, in the way a user calls DMA_FROM_DEVICE. This flaw allows a local user to read random memory from the kernel space.

Severity ?

No CVSS data available.

CWE

CWE-200

Assigner

redhat

References

URL

Tags

	https://git.kernel.org/pub/scm/linux/kernel/git/t…	x_refsource_MISC
	https://www.debian.org/security/2022/dsa-5161	vendor-advisoryx_refsource_DEBIAN
	https://lists.debian.org/debian-lts-announce/2022…	mailing-listx_refsource_MLIST
	https://www.debian.org/security/2022/dsa-5173	vendor-advisoryx_refsource_DEBIAN

Impacted products

	Vendor	Product	Version
	n/a	Kernel	Affected: Linux kernel 5.17-rc8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:40:04.528Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/kernel/dma/swiotlb.c?h=v5.17-rc8\u0026id=aa6f8dcbab473f3a3c7454b74caa46d36cdc5d13"
          },
          {
            "name": "DSA-5161",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5161"
          },
          {
            "name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html"
          },
          {
            "name": "DSA-5173",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5173"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Kernel",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Linux kernel 5.17-rc8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A memory leak flaw was found in the Linux kernel\u2019s DMA subsystem, in the way a user calls DMA_FROM_DEVICE. This flaw allows a local user to read random memory from the kernel space."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-04T10:11:26",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/kernel/dma/swiotlb.c?h=v5.17-rc8\u0026id=aa6f8dcbab473f3a3c7454b74caa46d36cdc5d13"
        },
        {
          "name": "DSA-5161",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5161"
        },
        {
          "name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html"
        },
        {
          "name": "DSA-5173",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5173"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2022-0854",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Kernel",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Linux kernel 5.17-rc8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A memory leak flaw was found in the Linux kernel\u2019s DMA subsystem, in the way a user calls DMA_FROM_DEVICE. This flaw allows a local user to read random memory from the kernel space."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-200"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/kernel/dma/swiotlb.c?h=v5.17-rc8\u0026id=aa6f8dcbab473f3a3c7454b74caa46d36cdc5d13",
              "refsource": "MISC",
              "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/kernel/dma/swiotlb.c?h=v5.17-rc8\u0026id=aa6f8dcbab473f3a3c7454b74caa46d36cdc5d13"
            },
            {
              "name": "DSA-5161",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2022/dsa-5161"
            },
            {
              "name": "[debian-lts-announce] 20220701 [SECURITY] [DLA 3065-1] linux security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html"
            },
            {
              "name": "DSA-5173",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2022/dsa-5173"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2022-0854",
    "datePublished": "2022-03-23T19:46:15",
    "dateReserved": "2022-03-04T00:00:00",
    "dateUpdated": "2024-08-02T23:40:04.528Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-68208 (GCVE-0-2025-68208)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:48 – Updated: 2025-12-16 13:48

Title

bpf: account for current allocated stack depth in widen_imprecise_scalars()

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf: account for current allocated stack depth in widen_imprecise_scalars() The usage pattern for widen_imprecise_scalars() looks as follows: prev_st = find_prev_entry(env, ...); queued_st = push_stack(...); widen_imprecise_scalars(env, prev_st, queued_st); Where prev_st is an ancestor of the queued_st in the explored states tree. This ancestor is not guaranteed to have same allocated stack depth as queued_st. E.g. in the following case: def main(): for i in 1..2: foo(i) // same callsite, differnt param def foo(i): if i == 1: use 128 bytes of stack iterator based loop Here, for a second 'foo' call prev_st->allocated_stack is 128, while queued_st->allocated_stack is much smaller. widen_imprecise_scalars() needs to take this into account and avoid accessing bpf_verifier_state->frame[*]->stack out of bounds.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/64b12dca2b0abcb5f…
	https://git.kernel.org/stable/c/9944c7938cd5b3f37…
	https://git.kernel.org/stable/c/57e04e2ff56e32f92…
	https://git.kernel.org/stable/c/b0c8e6d3d866b6a7f…

Impacted products

Vendor

Product

Version

Linux

Affected: ab470fefce2837e66b771c60858118d50bb5bb10 , < 64b12dca2b0abcb5fc0542887d18b926ea5cf711 (git)
Affected: 2793a8b015f7f1caadb9bce9c63dc659f7522676 , < 9944c7938cd5b3f37b0afec0481c7c015e4f1c58 (git)
Affected: 2793a8b015f7f1caadb9bce9c63dc659f7522676 , < 57e04e2ff56e32f923154f0f7bc476fcb596ffe7 (git)
Affected: 2793a8b015f7f1caadb9bce9c63dc659f7522676 , < b0c8e6d3d866b6a7f73877f71968dbffd27b7785 (git)

Linux

Affected: 6.7
Unaffected: 0 , < 6.7 (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.59 , ≤ 6.12.* (semver)
Unaffected: 6.17.9 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/verifier.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "64b12dca2b0abcb5fc0542887d18b926ea5cf711",
              "status": "affected",
              "version": "ab470fefce2837e66b771c60858118d50bb5bb10",
              "versionType": "git"
            },
            {
              "lessThan": "9944c7938cd5b3f37b0afec0481c7c015e4f1c58",
              "status": "affected",
              "version": "2793a8b015f7f1caadb9bce9c63dc659f7522676",
              "versionType": "git"
            },
            {
              "lessThan": "57e04e2ff56e32f923154f0f7bc476fcb596ffe7",
              "status": "affected",
              "version": "2793a8b015f7f1caadb9bce9c63dc659f7522676",
              "versionType": "git"
            },
            {
              "lessThan": "b0c8e6d3d866b6a7f73877f71968dbffd27b7785",
              "status": "affected",
              "version": "2793a8b015f7f1caadb9bce9c63dc659f7522676",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/verifier.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "6.6.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: account for current allocated stack depth in widen_imprecise_scalars()\n\nThe usage pattern for widen_imprecise_scalars() looks as follows:\n\n    prev_st = find_prev_entry(env, ...);\n    queued_st = push_stack(...);\n    widen_imprecise_scalars(env, prev_st, queued_st);\n\nWhere prev_st is an ancestor of the queued_st in the explored states\ntree. This ancestor is not guaranteed to have same allocated stack\ndepth as queued_st. E.g. in the following case:\n\n    def main():\n      for i in 1..2:\n        foo(i)        // same callsite, differnt param\n\n    def foo(i):\n      if i == 1:\n        use 128 bytes of stack\n      iterator based loop\n\nHere, for a second \u0027foo\u0027 call prev_st-\u003eallocated_stack is 128,\nwhile queued_st-\u003eallocated_stack is much smaller.\nwiden_imprecise_scalars() needs to take this into account and avoid\naccessing bpf_verifier_state-\u003eframe[*]-\u003estack out of bounds."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T13:48:35.298Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/64b12dca2b0abcb5fc0542887d18b926ea5cf711"
        },
        {
          "url": "https://git.kernel.org/stable/c/9944c7938cd5b3f37b0afec0481c7c015e4f1c58"
        },
        {
          "url": "https://git.kernel.org/stable/c/57e04e2ff56e32f923154f0f7bc476fcb596ffe7"
        },
        {
          "url": "https://git.kernel.org/stable/c/b0c8e6d3d866b6a7f73877f71968dbffd27b7785"
        }
      ],
      "title": "bpf: account for current allocated stack depth in widen_imprecise_scalars()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68208",
    "datePublished": "2025-12-16T13:48:35.298Z",
    "dateReserved": "2025-12-16T13:41:40.255Z",
    "dateUpdated": "2025-12-16T13:48:35.298Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68332 (GCVE-0-2025-68332)

Vulnerability from cvelistv5 – Published: 2025-12-22 16:14 – Updated: 2026-01-19 12:18

Title

comedi: c6xdigio: Fix invalid PNP driver unregistration

Summary

In the Linux kernel, the following vulnerability has been resolved: comedi: c6xdigio: Fix invalid PNP driver unregistration The Comedi low-level driver "c6xdigio" seems to be for a parallel port connected device. When the Comedi core calls the driver's Comedi "attach" handler `c6xdigio_attach()` to configure a Comedi to use this driver, it tries to enable the parallel port PNP resources by registering a PNP driver with `pnp_register_driver()`, but ignores the return value. (The `struct pnp_driver` it uses has only the `name` and `id_table` members filled in.) The driver's Comedi "detach" handler `c6xdigio_detach()` unconditionally unregisters the PNP driver with `pnp_unregister_driver()`. It is possible for `c6xdigio_attach()` to return an error before it calls `pnp_register_driver()` and it is possible for the call to `pnp_register_driver()` to return an error (that is ignored). In both cases, the driver should not be calling `pnp_unregister_driver()` as it does in `c6xdigio_detach()`. (Note that `c6xdigio_detach()` will be called by the Comedi core if `c6xdigio_attach()` returns an error, or if the Comedi core decides to detach the Comedi device from the driver for some other reason.) The unconditional call to `pnp_unregister_driver()` without a previous successful call to `pnp_register_driver()` will cause `driver_unregister()` to issue a warning "Unexpected driver unregister!". This was detected by Syzbot [1]. Also, the PNP driver registration and unregistration should be done at module init and exit time, respectively, not when attaching or detaching Comedi devices to the driver. (There might be more than one Comedi device being attached to the driver, although that is unlikely.) Change the driver to do the PNP driver registration at module init time, and the unregistration at module exit time. Since `c6xdigio_detach()` now only calls `comedi_legacy_detach()`, remove the function and change the Comedi driver "detach" handler to `comedi_legacy_detach`. ------------------------------------------- [1] Syzbot sample crash report: Unexpected driver unregister! WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister drivers/base/driver.c:273 [inline] WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister+0x90/0xb0 drivers/base/driver.c:270 Modules linked in: CPU: 0 UID: 0 PID: 5970 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 RIP: 0010:driver_unregister drivers/base/driver.c:273 [inline] RIP: 0010:driver_unregister+0x90/0xb0 drivers/base/driver.c:270 Code: 48 89 ef e8 c2 e6 82 fc 48 89 df e8 3a 93 ff ff 5b 5d e9 c3 6d d9 fb e8 be 6d d9 fb 90 48 c7 c7 e0 f8 1f 8c e8 51 a2 97 fb 90 <0f> 0b 90 90 5b 5d e9 a5 6d d9 fb e8 e0 f4 41 fc eb 94 e8 d9 f4 41 RSP: 0018:ffffc9000373f9a0 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffffffff8ff24720 RCX: ffffffff817b6ee8 RDX: ffff88807c932480 RSI: ffffffff817b6ef5 RDI: 0000000000000001 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffffffff8ff24660 R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88814cca0000 FS: 000055556dab1500(0000) GS:ffff8881249d9000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055f77f285cd0 CR3: 000000007d871000 CR4: 00000000003526f0 Call Trace: <TASK> comedi_device_detach_locked+0x12f/0xa50 drivers/comedi/drivers.c:207 comedi_device_detach+0x67/0xb0 drivers/comedi/drivers.c:215 comedi_device_attach+0x43d/0x900 drivers/comedi/drivers.c:1011 do_devconfig_ioctl+0x1b1/0x710 drivers/comedi/comedi_fops.c:872 comedi_unlocked_ioctl+0x165d/0x2f00 drivers/comedi/comedi_fops.c:2178 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_sys ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/407b25bb9284d69c2…
	https://git.kernel.org/stable/c/f7fa1f4670c3c358a…
	https://git.kernel.org/stable/c/e8110402b0c24d822…
	https://git.kernel.org/stable/c/72b3627b0d3b819de…
	https://git.kernel.org/stable/c/9fd8c8ad35c8d2390…
	https://git.kernel.org/stable/c/698149d797d017816…
	https://git.kernel.org/stable/c/888f7e2847bcb9df8…
	https://git.kernel.org/stable/c/72262330f7b3ad213…

Impacted products

Vendor

Product

Version

Linux

Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < 407b25bb9284d69c27309e691ab1e02f9e1c46ac (git)
Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < f7fa1f4670c3c358a451546f0b80b9231952912d (git)
Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < e8110402b0c24d822b0b933d87d50870d59667ef (git)
Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < 72b3627b0d3b819de49b29c2c8cb1c64d54536b9 (git)
Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < 9fd8c8ad35c8d2390ce5ca2eb523c044bebdc072 (git)
Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < 698149d797d0178162f394c55d4ed52aa0e0b7f6 (git)
Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < 888f7e2847bcb9df8257e656e1e837828942c53b (git)
Affected: 2c89e159cd2f386285e9522d6476dd7e801bee22 , < 72262330f7b3ad2130e800cecf02adcce3c32c77 (git)

Linux

Affected: 2.6.30
Unaffected: 0 , < 2.6.30 (semver)
Unaffected: 5.10.248 , ≤ 5.10.* (semver)
Unaffected: 5.15.198 , ≤ 5.15.* (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.62 , ≤ 6.12.* (semver)
Unaffected: 6.17.12 , ≤ 6.17.* (semver)
Unaffected: 6.18.1 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/comedi/drivers/c6xdigio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "407b25bb9284d69c27309e691ab1e02f9e1c46ac",
              "status": "affected",
              "version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
              "versionType": "git"
            },
            {
              "lessThan": "f7fa1f4670c3c358a451546f0b80b9231952912d",
              "status": "affected",
              "version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
              "versionType": "git"
            },
            {
              "lessThan": "e8110402b0c24d822b0b933d87d50870d59667ef",
              "status": "affected",
              "version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
              "versionType": "git"
            },
            {
              "lessThan": "72b3627b0d3b819de49b29c2c8cb1c64d54536b9",
              "status": "affected",
              "version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
              "versionType": "git"
            },
            {
              "lessThan": "9fd8c8ad35c8d2390ce5ca2eb523c044bebdc072",
              "status": "affected",
              "version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
              "versionType": "git"
            },
            {
              "lessThan": "698149d797d0178162f394c55d4ed52aa0e0b7f6",
              "status": "affected",
              "version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
              "versionType": "git"
            },
            {
              "lessThan": "888f7e2847bcb9df8257e656e1e837828942c53b",
              "status": "affected",
              "version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
              "versionType": "git"
            },
            {
              "lessThan": "72262330f7b3ad2130e800cecf02adcce3c32c77",
              "status": "affected",
              "version": "2c89e159cd2f386285e9522d6476dd7e801bee22",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/comedi/drivers/c6xdigio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.30"
            },
            {
              "lessThan": "2.6.30",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.248",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.62",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.248",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.198",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.62",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.12",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.1",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: c6xdigio: Fix invalid PNP driver unregistration\n\nThe Comedi low-level driver \"c6xdigio\" seems to be for a parallel port\nconnected device.  When the Comedi core calls the driver\u0027s Comedi\n\"attach\" handler `c6xdigio_attach()` to configure a Comedi to use this\ndriver, it tries to enable the parallel port PNP resources by\nregistering a PNP driver with `pnp_register_driver()`, but ignores the\nreturn value.  (The `struct pnp_driver` it uses has only the `name` and\n`id_table` members filled in.)  The driver\u0027s Comedi \"detach\" handler\n`c6xdigio_detach()` unconditionally unregisters the PNP driver with\n`pnp_unregister_driver()`.\n\nIt is possible for `c6xdigio_attach()` to return an error before it\ncalls `pnp_register_driver()` and it is possible for the call to\n`pnp_register_driver()` to return an error (that is ignored).  In both\ncases, the driver should not be calling `pnp_unregister_driver()` as it\ndoes in `c6xdigio_detach()`.  (Note that `c6xdigio_detach()` will be\ncalled by the Comedi core if `c6xdigio_attach()` returns an error, or if\nthe Comedi core decides to detach the Comedi device from the driver for\nsome other reason.)\n\nThe unconditional call to `pnp_unregister_driver()` without a previous\nsuccessful call to `pnp_register_driver()` will cause\n`driver_unregister()` to issue a warning \"Unexpected driver\nunregister!\".  This was detected by Syzbot [1].\n\nAlso, the PNP driver registration and unregistration should be done at\nmodule init and exit time, respectively, not when attaching or detaching\nComedi devices to the driver.  (There might be more than one Comedi\ndevice being attached to the driver, although that is unlikely.)\n\nChange the driver to do the PNP driver registration at module init time,\nand the unregistration at module exit time.  Since `c6xdigio_detach()`\nnow only calls `comedi_legacy_detach()`, remove the function and change\nthe Comedi driver \"detach\" handler to `comedi_legacy_detach`.\n\n-------------------------------------------\n[1] Syzbot sample crash report:\nUnexpected driver unregister!\nWARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister drivers/base/driver.c:273 [inline]\nWARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister+0x90/0xb0 drivers/base/driver.c:270\nModules linked in:\nCPU: 0 UID: 0 PID: 5970 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025\nRIP: 0010:driver_unregister drivers/base/driver.c:273 [inline]\nRIP: 0010:driver_unregister+0x90/0xb0 drivers/base/driver.c:270\nCode: 48 89 ef e8 c2 e6 82 fc 48 89 df e8 3a 93 ff ff 5b 5d e9 c3 6d d9 fb e8 be 6d d9 fb 90 48 c7 c7 e0 f8 1f 8c e8 51 a2 97 fb 90 \u003c0f\u003e 0b 90 90 5b 5d e9 a5 6d d9 fb e8 e0 f4 41 fc eb 94 e8 d9 f4 41\nRSP: 0018:ffffc9000373f9a0 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffffffff8ff24720 RCX: ffffffff817b6ee8\nRDX: ffff88807c932480 RSI: ffffffff817b6ef5 RDI: 0000000000000001\nRBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000001 R12: ffffffff8ff24660\nR13: dffffc0000000000 R14: 0000000000000000 R15: ffff88814cca0000\nFS:  000055556dab1500(0000) GS:ffff8881249d9000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055f77f285cd0 CR3: 000000007d871000 CR4: 00000000003526f0\nCall Trace:\n \u003cTASK\u003e\n comedi_device_detach_locked+0x12f/0xa50 drivers/comedi/drivers.c:207\n comedi_device_detach+0x67/0xb0 drivers/comedi/drivers.c:215\n comedi_device_attach+0x43d/0x900 drivers/comedi/drivers.c:1011\n do_devconfig_ioctl+0x1b1/0x710 drivers/comedi/comedi_fops.c:872\n comedi_unlocked_ioctl+0x165d/0x2f00 drivers/comedi/comedi_fops.c:2178\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl fs/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_sys\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-19T12:18:18.877Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/407b25bb9284d69c27309e691ab1e02f9e1c46ac"
        },
        {
          "url": "https://git.kernel.org/stable/c/f7fa1f4670c3c358a451546f0b80b9231952912d"
        },
        {
          "url": "https://git.kernel.org/stable/c/e8110402b0c24d822b0b933d87d50870d59667ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/72b3627b0d3b819de49b29c2c8cb1c64d54536b9"
        },
        {
          "url": "https://git.kernel.org/stable/c/9fd8c8ad35c8d2390ce5ca2eb523c044bebdc072"
        },
        {
          "url": "https://git.kernel.org/stable/c/698149d797d0178162f394c55d4ed52aa0e0b7f6"
        },
        {
          "url": "https://git.kernel.org/stable/c/888f7e2847bcb9df8257e656e1e837828942c53b"
        },
        {
          "url": "https://git.kernel.org/stable/c/72262330f7b3ad2130e800cecf02adcce3c32c77"
        }
      ],
      "title": "comedi: c6xdigio: Fix invalid PNP driver unregistration",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68332",
    "datePublished": "2025-12-22T16:14:10.146Z",
    "dateReserved": "2025-12-16T14:48:05.297Z",
    "dateUpdated": "2026-01-19T12:18:18.877Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40271 (GCVE-0-2025-40271)

Vulnerability from cvelistv5 – Published: 2025-12-06 21:50 – Updated: 2026-01-02 15:33

Title

fs/proc: fix uaf in proc_readdir_de()

Summary

In the Linux kernel, the following vulnerability has been resolved: fs/proc: fix uaf in proc_readdir_de() Pde is erased from subdir rbtree through rb_erase(), but not set the node to EMPTY, which may result in uaf access. We should use RB_CLEAR_NODE() set the erased node to EMPTY, then pde_subdir_next() will return NULL to avoid uaf access. We found an uaf issue while using stress-ng testing, need to run testcase getdent and tun in the same time. The steps of the issue is as follows: 1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current pde is tun3; 2) in the [time windows] unregister netdevice tun3 and tun2, and erase them from rbtree. erase tun3 first, and then erase tun2. the pde(tun2) will be released to slab; 3) continue to getdent process, then pde_subdir_next() will return pde(tun2) which is released, it will case uaf access. CPU 0 | CPU 1 ------------------------------------------------------------------------- traverse dir /proc/pid/net/dev_snmp6/ | unregister_netdevice(tun->dev) //tun3 tun2 sys_getdents64() | iterate_dir() | proc_readdir() | proc_readdir_de() | snmp6_unregister_dev() pde_get(de); | proc_remove() read_unlock(&proc_subdir_lock); | remove_proc_subtree() | write_lock(&proc_subdir_lock); [time window] | rb_erase(&root->subdir_node, &parent->subdir); | write_unlock(&proc_subdir_lock); read_lock(&proc_subdir_lock); | next = pde_subdir_next(de); | pde_put(de); | de = next; //UAF | rbtree of dev_snmp6 | pde(tun3) / \ NULL pde(tun2)

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/1d1596d68a6f11d28…
	https://git.kernel.org/stable/c/c81d0385500446efe…
	https://git.kernel.org/stable/c/4cba73c4c89219bee…
	https://git.kernel.org/stable/c/6f2482745e510ae1d…
	https://git.kernel.org/stable/c/67272c11f379d9aa5…
	https://git.kernel.org/stable/c/623bb26127fb581a7…
	https://git.kernel.org/stable/c/03de7ff197a3d0e17…
	https://git.kernel.org/stable/c/895b4c0c79b092d73…

Impacted products

Vendor

Product

Version

Linux

Affected: 710585d4922fd315f2cada8fbe550ae8ed23e994 , < 1d1596d68a6f11d28f677eedf6cf5b17dbfeb491 (git)
Affected: 710585d4922fd315f2cada8fbe550ae8ed23e994 , < c81d0385500446efe48c305bbb83d47f2ae23a50 (git)
Affected: 710585d4922fd315f2cada8fbe550ae8ed23e994 , < 4cba73c4c89219beef7685a47374bf88b1022369 (git)
Affected: 710585d4922fd315f2cada8fbe550ae8ed23e994 , < 6f2482745e510ae1dacc9b090194b9c5f918d774 (git)
Affected: 710585d4922fd315f2cada8fbe550ae8ed23e994 , < 67272c11f379d9aa5e0f6b16286b9d89b3f76046 (git)
Affected: 710585d4922fd315f2cada8fbe550ae8ed23e994 , < 623bb26127fb581a741e880e1e1a47d79aecb6f8 (git)
Affected: 710585d4922fd315f2cada8fbe550ae8ed23e994 , < 03de7ff197a3d0e17d0d5c58fdac99a63cba8110 (git)
Affected: 710585d4922fd315f2cada8fbe550ae8ed23e994 , < 895b4c0c79b092d732544011c3cecaf7322c36a1 (git)

Linux

Affected: 3.19
Unaffected: 0 , < 3.19 (semver)
Unaffected: 5.4.302 , ≤ 5.4.* (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.59 , ≤ 6.12.* (semver)
Unaffected: 6.17.9 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/proc/generic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1d1596d68a6f11d28f677eedf6cf5b17dbfeb491",
              "status": "affected",
              "version": "710585d4922fd315f2cada8fbe550ae8ed23e994",
              "versionType": "git"
            },
            {
              "lessThan": "c81d0385500446efe48c305bbb83d47f2ae23a50",
              "status": "affected",
              "version": "710585d4922fd315f2cada8fbe550ae8ed23e994",
              "versionType": "git"
            },
            {
              "lessThan": "4cba73c4c89219beef7685a47374bf88b1022369",
              "status": "affected",
              "version": "710585d4922fd315f2cada8fbe550ae8ed23e994",
              "versionType": "git"
            },
            {
              "lessThan": "6f2482745e510ae1dacc9b090194b9c5f918d774",
              "status": "affected",
              "version": "710585d4922fd315f2cada8fbe550ae8ed23e994",
              "versionType": "git"
            },
            {
              "lessThan": "67272c11f379d9aa5e0f6b16286b9d89b3f76046",
              "status": "affected",
              "version": "710585d4922fd315f2cada8fbe550ae8ed23e994",
              "versionType": "git"
            },
            {
              "lessThan": "623bb26127fb581a741e880e1e1a47d79aecb6f8",
              "status": "affected",
              "version": "710585d4922fd315f2cada8fbe550ae8ed23e994",
              "versionType": "git"
            },
            {
              "lessThan": "03de7ff197a3d0e17d0d5c58fdac99a63cba8110",
              "status": "affected",
              "version": "710585d4922fd315f2cada8fbe550ae8ed23e994",
              "versionType": "git"
            },
            {
              "lessThan": "895b4c0c79b092d732544011c3cecaf7322c36a1",
              "status": "affected",
              "version": "710585d4922fd315f2cada8fbe550ae8ed23e994",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/proc/generic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.19"
            },
            {
              "lessThan": "3.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.302",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.302",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/proc: fix uaf in proc_readdir_de()\n\nPde is erased from subdir rbtree through rb_erase(), but not set the node\nto EMPTY, which may result in uaf access.  We should use RB_CLEAR_NODE()\nset the erased node to EMPTY, then pde_subdir_next() will return NULL to\navoid uaf access.\n\nWe found an uaf issue while using stress-ng testing, need to run testcase\ngetdent and tun in the same time.  The steps of the issue is as follows:\n\n1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current\n   pde is tun3;\n\n2) in the [time windows] unregister netdevice tun3 and tun2, and erase\n   them from rbtree.  erase tun3 first, and then erase tun2.  the\n   pde(tun2) will be released to slab;\n\n3) continue to getdent process, then pde_subdir_next() will return\n   pde(tun2) which is released, it will case uaf access.\n\nCPU 0                                      |    CPU 1\n-------------------------------------------------------------------------\ntraverse dir /proc/pid/net/dev_snmp6/      |   unregister_netdevice(tun-\u003edev)   //tun3 tun2\nsys_getdents64()                           |\n  iterate_dir()                            |\n    proc_readdir()                         |\n      proc_readdir_de()                    |     snmp6_unregister_dev()\n        pde_get(de);                       |       proc_remove()\n        read_unlock(\u0026proc_subdir_lock);    |         remove_proc_subtree()\n                                           |           write_lock(\u0026proc_subdir_lock);\n        [time window]                      |           rb_erase(\u0026root-\u003esubdir_node, \u0026parent-\u003esubdir);\n                                           |           write_unlock(\u0026proc_subdir_lock);\n        read_lock(\u0026proc_subdir_lock);      |\n        next = pde_subdir_next(de);        |\n        pde_put(de);                       |\n        de = next;    //UAF                |\n\nrbtree of dev_snmp6\n                        |\n                    pde(tun3)\n                     /    \\\n                  NULL  pde(tun2)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:33:21.831Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1d1596d68a6f11d28f677eedf6cf5b17dbfeb491"
        },
        {
          "url": "https://git.kernel.org/stable/c/c81d0385500446efe48c305bbb83d47f2ae23a50"
        },
        {
          "url": "https://git.kernel.org/stable/c/4cba73c4c89219beef7685a47374bf88b1022369"
        },
        {
          "url": "https://git.kernel.org/stable/c/6f2482745e510ae1dacc9b090194b9c5f918d774"
        },
        {
          "url": "https://git.kernel.org/stable/c/67272c11f379d9aa5e0f6b16286b9d89b3f76046"
        },
        {
          "url": "https://git.kernel.org/stable/c/623bb26127fb581a741e880e1e1a47d79aecb6f8"
        },
        {
          "url": "https://git.kernel.org/stable/c/03de7ff197a3d0e17d0d5c58fdac99a63cba8110"
        },
        {
          "url": "https://git.kernel.org/stable/c/895b4c0c79b092d732544011c3cecaf7322c36a1"
        }
      ],
      "title": "fs/proc: fix uaf in proc_readdir_de()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40271",
    "datePublished": "2025-12-06T21:50:53.266Z",
    "dateReserved": "2025-04-16T07:20:57.183Z",
    "dateUpdated": "2026-01-02T15:33:21.831Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68223 (GCVE-0-2025-68223)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:57 – Updated: 2026-02-06 16:31

Title

drm/radeon: delete radeon_fence_process in is_signaled, no deadlock

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/radeon: delete radeon_fence_process in is_signaled, no deadlock Delete the attempt to progress the queue when checking if fence is signaled. This avoids deadlock. dma-fence_ops::signaled can be called with the fence lock in unknown state. For radeon, the fence lock is also the wait queue lock. This can cause a self deadlock when signaled() tries to make forward progress on the wait queue. But advancing the queue is unneeded because incorrectly returning false from signaled() is perfectly acceptable. (cherry picked from commit 527ba26e50ec2ca2be9c7c82f3ad42998a75d0db)

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d40a72d7e3bad4dfb…
	https://git.kernel.org/stable/c/9d0ed508a9e2af829…
	https://git.kernel.org/stable/c/73bc12d6a547f9571…
	https://git.kernel.org/stable/c/7e3e9b3a44c23c8ea…
	https://git.kernel.org/stable/c/9eb00b5f5697bd56b…

Impacted products

Vendor

Product

Version

Linux

Affected: 954605ca3f897ad617123279eb3404a404cce5ab , < d40a72d7e3bad4dfb311ef078f5a57362f088c7f (git)
Affected: 954605ca3f897ad617123279eb3404a404cce5ab , < 9d0ed508a9e2af82951ce7d834f58c139fc2bd9b (git)
Affected: 954605ca3f897ad617123279eb3404a404cce5ab , < 73bc12d6a547f9571ce4393acfd73c004e2df9e5 (git)
Affected: 954605ca3f897ad617123279eb3404a404cce5ab , < 7e3e9b3a44c23c8eac86a41308c05077d6d30f41 (git)
Affected: 954605ca3f897ad617123279eb3404a404cce5ab , < 9eb00b5f5697bd56baa3222c7a1426fa15bacfb5 (git)

Linux

Affected: 3.18
Unaffected: 0 , < 3.18 (semver)
Unaffected: 6.1.162 , ≤ 6.1.* (semver)
Unaffected: 6.6.123 , ≤ 6.6.* (semver)
Unaffected: 6.12.60 , ≤ 6.12.* (semver)
Unaffected: 6.17.10 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/radeon/radeon_fence.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d40a72d7e3bad4dfb311ef078f5a57362f088c7f",
              "status": "affected",
              "version": "954605ca3f897ad617123279eb3404a404cce5ab",
              "versionType": "git"
            },
            {
              "lessThan": "9d0ed508a9e2af82951ce7d834f58c139fc2bd9b",
              "status": "affected",
              "version": "954605ca3f897ad617123279eb3404a404cce5ab",
              "versionType": "git"
            },
            {
              "lessThan": "73bc12d6a547f9571ce4393acfd73c004e2df9e5",
              "status": "affected",
              "version": "954605ca3f897ad617123279eb3404a404cce5ab",
              "versionType": "git"
            },
            {
              "lessThan": "7e3e9b3a44c23c8eac86a41308c05077d6d30f41",
              "status": "affected",
              "version": "954605ca3f897ad617123279eb3404a404cce5ab",
              "versionType": "git"
            },
            {
              "lessThan": "9eb00b5f5697bd56baa3222c7a1426fa15bacfb5",
              "status": "affected",
              "version": "954605ca3f897ad617123279eb3404a404cce5ab",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/radeon/radeon_fence.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.18"
            },
            {
              "lessThan": "3.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.162",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.123",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.60",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.162",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.123",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.60",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.10",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "3.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: delete radeon_fence_process in is_signaled, no deadlock\n\nDelete the attempt to progress the queue when checking if fence is\nsignaled. This avoids deadlock.\n\ndma-fence_ops::signaled can be called with the fence lock in unknown\nstate. For radeon, the fence lock is also the wait queue lock. This can\ncause a self deadlock when signaled() tries to make forward progress on\nthe wait queue. But advancing the queue is unneeded because incorrectly\nreturning false from signaled() is perfectly acceptable.\n\n(cherry picked from commit 527ba26e50ec2ca2be9c7c82f3ad42998a75d0db)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-06T16:31:32.226Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d40a72d7e3bad4dfb311ef078f5a57362f088c7f"
        },
        {
          "url": "https://git.kernel.org/stable/c/9d0ed508a9e2af82951ce7d834f58c139fc2bd9b"
        },
        {
          "url": "https://git.kernel.org/stable/c/73bc12d6a547f9571ce4393acfd73c004e2df9e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/7e3e9b3a44c23c8eac86a41308c05077d6d30f41"
        },
        {
          "url": "https://git.kernel.org/stable/c/9eb00b5f5697bd56baa3222c7a1426fa15bacfb5"
        }
      ],
      "title": "drm/radeon: delete radeon_fence_process in is_signaled, no deadlock",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68223",
    "datePublished": "2025-12-16T13:57:16.764Z",
    "dateReserved": "2025-12-16T13:41:40.257Z",
    "dateUpdated": "2026-02-06T16:31:32.226Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50828 (GCVE-0-2022-50828)

Vulnerability from cvelistv5 – Published: 2025-12-30 12:10 – Updated: 2026-01-02 15:04

Title

clk: zynqmp: Fix stack-out-of-bounds in strncpy`

Summary

In the Linux kernel, the following vulnerability has been resolved: clk: zynqmp: Fix stack-out-of-bounds in strncpy` "BUG: KASAN: stack-out-of-bounds in strncpy+0x30/0x68" Linux-ATF interface is using 16 bytes of SMC payload. In case clock name is longer than 15 bytes, string terminated NULL character will not be received by Linux. Add explicit NULL character at last byte to fix issues when clock name is longer. This fixes below bug reported by KASAN: ================================================================== BUG: KASAN: stack-out-of-bounds in strncpy+0x30/0x68 Read of size 1 at addr ffff0008c89a7410 by task swapper/0/1 CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.4.0-00396-g81ef9e7-dirty #3 Hardware name: Xilinx Versal vck190 Eval board revA (QSPI) (DT) Call trace: dump_backtrace+0x0/0x1e8 show_stack+0x14/0x20 dump_stack+0xd4/0x108 print_address_description.isra.0+0xbc/0x37c __kasan_report+0x144/0x198 kasan_report+0xc/0x18 __asan_load1+0x5c/0x68 strncpy+0x30/0x68 zynqmp_clock_probe+0x238/0x7b8 platform_drv_probe+0x6c/0xc8 really_probe+0x14c/0x418 driver_probe_device+0x74/0x130 __device_attach_driver+0xc4/0xe8 bus_for_each_drv+0xec/0x150 __device_attach+0x160/0x1d8 device_initial_probe+0x10/0x18 bus_probe_device+0xe0/0xf0 device_add+0x528/0x950 of_device_add+0x5c/0x80 of_platform_device_create_pdata+0x120/0x168 of_platform_bus_create+0x244/0x4e0 of_platform_populate+0x50/0xe8 zynqmp_firmware_probe+0x370/0x3a8 platform_drv_probe+0x6c/0xc8 really_probe+0x14c/0x418 driver_probe_device+0x74/0x130 device_driver_attach+0x94/0xa0 __driver_attach+0x70/0x108 bus_for_each_dev+0xe4/0x158 driver_attach+0x30/0x40 bus_add_driver+0x21c/0x2b8 driver_register+0xbc/0x1d0 __platform_driver_register+0x7c/0x88 zynqmp_firmware_driver_init+0x1c/0x24 do_one_initcall+0xa4/0x234 kernel_init_freeable+0x1b0/0x24c kernel_init+0x10/0x110 ret_from_fork+0x10/0x18 The buggy address belongs to the page: page:ffff0008f9be1c88 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 raw: 0008d00000000000 ffff0008f9be1c90 ffff0008f9be1c90 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff page dumped because: kasan: bad access detected addr ffff0008c89a7410 is located in stack of task swapper/0/1 at offset 112 in frame: zynqmp_clock_probe+0x0/0x7b8 this frame has 3 objects: [32, 44) 'response' [64, 80) 'ret_payload' [96, 112) 'name' Memory state around the buggy address: ffff0008c89a7300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff0008c89a7380: 00 00 00 00 f1 f1 f1 f1 00 04 f2 f2 00 00 f2 f2 >ffff0008c89a7400: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 ^ ffff0008c89a7480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff0008c89a7500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/5dbfcf7b080306b65…
	https://git.kernel.org/stable/c/d9e2585c3bcecb1c8…
	https://git.kernel.org/stable/c/0a07b13af04d0db73…
	https://git.kernel.org/stable/c/d66fea97671fcb516…
	https://git.kernel.org/stable/c/bce41e4ac6f5ca3b2…
	https://git.kernel.org/stable/c/dd80fb2dbf1cd8751…

Impacted products

Vendor

Product

Version

Linux

Affected: 5852b1365df4414523210e444ac7df1dec09acb4 , < 5dbfcf7b080306b65d9f756fadf46c9495793750 (git)
Affected: 5852b1365df4414523210e444ac7df1dec09acb4 , < d9e2585c3bcecb1c83febad31b9f450e93d2509e (git)
Affected: 5852b1365df4414523210e444ac7df1dec09acb4 , < 0a07b13af04d0db7325018aaa83b5ffe864790c9 (git)
Affected: 5852b1365df4414523210e444ac7df1dec09acb4 , < d66fea97671fcb516bd6d34bcc033f650ac7ee91 (git)
Affected: 5852b1365df4414523210e444ac7df1dec09acb4 , < bce41e4ac6f5ca3b22a07e8cdadc12044bbf9d3b (git)
Affected: 5852b1365df4414523210e444ac7df1dec09acb4 , < dd80fb2dbf1cd8751efbe4e53e54056f56a9b115 (git)

Linux

Affected: 5.2
Unaffected: 0 , < 5.2 (semver)
Unaffected: 5.4.220 , ≤ 5.4.* (semver)
Unaffected: 5.10.150 , ≤ 5.10.* (semver)
Unaffected: 5.15.75 , ≤ 5.15.* (semver)
Unaffected: 5.19.17 , ≤ 5.19.* (semver)
Unaffected: 6.0.3 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/clk/zynqmp/clkc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5dbfcf7b080306b65d9f756fadf46c9495793750",
              "status": "affected",
              "version": "5852b1365df4414523210e444ac7df1dec09acb4",
              "versionType": "git"
            },
            {
              "lessThan": "d9e2585c3bcecb1c83febad31b9f450e93d2509e",
              "status": "affected",
              "version": "5852b1365df4414523210e444ac7df1dec09acb4",
              "versionType": "git"
            },
            {
              "lessThan": "0a07b13af04d0db7325018aaa83b5ffe864790c9",
              "status": "affected",
              "version": "5852b1365df4414523210e444ac7df1dec09acb4",
              "versionType": "git"
            },
            {
              "lessThan": "d66fea97671fcb516bd6d34bcc033f650ac7ee91",
              "status": "affected",
              "version": "5852b1365df4414523210e444ac7df1dec09acb4",
              "versionType": "git"
            },
            {
              "lessThan": "bce41e4ac6f5ca3b22a07e8cdadc12044bbf9d3b",
              "status": "affected",
              "version": "5852b1365df4414523210e444ac7df1dec09acb4",
              "versionType": "git"
            },
            {
              "lessThan": "dd80fb2dbf1cd8751efbe4e53e54056f56a9b115",
              "status": "affected",
              "version": "5852b1365df4414523210e444ac7df1dec09acb4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/clk/zynqmp/clkc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.2"
            },
            {
              "lessThan": "5.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.220",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.220",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.150",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.75",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: zynqmp: Fix stack-out-of-bounds in strncpy`\n\n\"BUG: KASAN: stack-out-of-bounds in strncpy+0x30/0x68\"\n\nLinux-ATF interface is using 16 bytes of SMC payload. In case clock name is\nlonger than 15 bytes, string terminated NULL character will not be received\nby Linux. Add explicit NULL character at last byte to fix issues when clock\nname is longer.\n\nThis fixes below bug reported by KASAN:\n\n ==================================================================\n BUG: KASAN: stack-out-of-bounds in strncpy+0x30/0x68\n Read of size 1 at addr ffff0008c89a7410 by task swapper/0/1\n\n CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.4.0-00396-g81ef9e7-dirty #3\n Hardware name: Xilinx Versal vck190 Eval board revA (QSPI) (DT)\n Call trace:\n  dump_backtrace+0x0/0x1e8\n  show_stack+0x14/0x20\n  dump_stack+0xd4/0x108\n  print_address_description.isra.0+0xbc/0x37c\n  __kasan_report+0x144/0x198\n  kasan_report+0xc/0x18\n  __asan_load1+0x5c/0x68\n  strncpy+0x30/0x68\n  zynqmp_clock_probe+0x238/0x7b8\n  platform_drv_probe+0x6c/0xc8\n  really_probe+0x14c/0x418\n  driver_probe_device+0x74/0x130\n  __device_attach_driver+0xc4/0xe8\n  bus_for_each_drv+0xec/0x150\n  __device_attach+0x160/0x1d8\n  device_initial_probe+0x10/0x18\n  bus_probe_device+0xe0/0xf0\n  device_add+0x528/0x950\n  of_device_add+0x5c/0x80\n  of_platform_device_create_pdata+0x120/0x168\n  of_platform_bus_create+0x244/0x4e0\n  of_platform_populate+0x50/0xe8\n  zynqmp_firmware_probe+0x370/0x3a8\n  platform_drv_probe+0x6c/0xc8\n  really_probe+0x14c/0x418\n  driver_probe_device+0x74/0x130\n  device_driver_attach+0x94/0xa0\n  __driver_attach+0x70/0x108\n  bus_for_each_dev+0xe4/0x158\n  driver_attach+0x30/0x40\n  bus_add_driver+0x21c/0x2b8\n  driver_register+0xbc/0x1d0\n  __platform_driver_register+0x7c/0x88\n  zynqmp_firmware_driver_init+0x1c/0x24\n  do_one_initcall+0xa4/0x234\n  kernel_init_freeable+0x1b0/0x24c\n  kernel_init+0x10/0x110\n  ret_from_fork+0x10/0x18\n\n The buggy address belongs to the page:\n page:ffff0008f9be1c88 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0\n raw: 0008d00000000000 ffff0008f9be1c90 ffff0008f9be1c90 0000000000000000\n raw: 0000000000000000 0000000000000000 00000000ffffffff\n page dumped because: kasan: bad access detected\n\n addr ffff0008c89a7410 is located in stack of task swapper/0/1 at offset 112 in frame:\n  zynqmp_clock_probe+0x0/0x7b8\n\n this frame has 3 objects:\n  [32, 44) \u0027response\u0027\n  [64, 80) \u0027ret_payload\u0027\n  [96, 112) \u0027name\u0027\n\n Memory state around the buggy address:\n  ffff0008c89a7300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  ffff0008c89a7380: 00 00 00 00 f1 f1 f1 f1 00 04 f2 f2 00 00 f2 f2\n \u003effff0008c89a7400: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00\n                          ^\n  ffff0008c89a7480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  ffff0008c89a7500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n =================================================================="
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:04:51.535Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5dbfcf7b080306b65d9f756fadf46c9495793750"
        },
        {
          "url": "https://git.kernel.org/stable/c/d9e2585c3bcecb1c83febad31b9f450e93d2509e"
        },
        {
          "url": "https://git.kernel.org/stable/c/0a07b13af04d0db7325018aaa83b5ffe864790c9"
        },
        {
          "url": "https://git.kernel.org/stable/c/d66fea97671fcb516bd6d34bcc033f650ac7ee91"
        },
        {
          "url": "https://git.kernel.org/stable/c/bce41e4ac6f5ca3b22a07e8cdadc12044bbf9d3b"
        },
        {
          "url": "https://git.kernel.org/stable/c/dd80fb2dbf1cd8751efbe4e53e54056f56a9b115"
        }
      ],
      "title": "clk: zynqmp: Fix stack-out-of-bounds in strncpy`",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50828",
    "datePublished": "2025-12-30T12:10:50.757Z",
    "dateReserved": "2025-12-30T12:06:07.132Z",
    "dateUpdated": "2026-01-02T15:04:51.535Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68259 (GCVE-0-2025-68259)

Vulnerability from cvelistv5 – Published: 2025-12-16 14:45 – Updated: 2026-01-11 16:29

Title

KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced

Summary

In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced When re-injecting a soft interrupt from an INT3, INT0, or (select) INTn instruction, discard the exception and retry the instruction if the code stream is changed (e.g. by a different vCPU) between when the CPU executes the instruction and when KVM decodes the instruction to get the next RIP. As effectively predicted by commit 6ef88d6e36c2 ("KVM: SVM: Re-inject INT3/INTO instead of retrying the instruction"), failure to verify that the correct INTn instruction was decoded can effectively clobber guest state due to decoding the wrong instruction and thus specifying the wrong next RIP. The bug most often manifests as "Oops: int3" panics on static branch checks in Linux guests. Enabling or disabling a static branch in Linux uses the kernel's "text poke" code patching mechanism. To modify code while other CPUs may be executing that code, Linux (temporarily) replaces the first byte of the original instruction with an int3 (opcode 0xcc), then patches in the new code stream except for the first byte, and finally replaces the int3 with the first byte of the new code stream. If a CPU hits the int3, i.e. executes the code while it's being modified, then the guest kernel must look up the RIP to determine how to handle the #BP, e.g. by emulating the new instruction. If the RIP is incorrect, then this lookup fails and the guest kernel panics. The bug reproduces almost instantly by hacking the guest kernel to repeatedly check a static branch[1] while running a drgn script[2] on the host to constantly swap out the memory containing the guest's TSS. [1]: https://gist.github.com/osandov/44d17c51c28c0ac998ea0334edf90b5a [2]: https://gist.github.com/osandov/10e45e45afa29b11e0c7209247afc00b

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/2e84a018c2895c05a…
	https://git.kernel.org/stable/c/152289a51107ef45b…
	https://git.kernel.org/stable/c/87cc1622c88a48889…
	https://git.kernel.org/stable/c/54bcccc2c7805a00a…
	https://git.kernel.org/stable/c/53903ac9ca1abffa2…
	https://git.kernel.org/stable/c/4da3768e1820cf15c…

Impacted products

Vendor

Product

Version

Linux

Affected: 6ef88d6e36c2b4b3886ec9967cafabe4424d27d5 , < 2e84a018c2895c05abe213eb10db128aa45f6ec6 (git)
Affected: 6ef88d6e36c2b4b3886ec9967cafabe4424d27d5 , < 152289a51107ef45bbfe9b4aeeaa584a503042b5 (git)
Affected: 6ef88d6e36c2b4b3886ec9967cafabe4424d27d5 , < 87cc1622c88a4888959d64fa1fc9ba1e264aa3d4 (git)
Affected: 6ef88d6e36c2b4b3886ec9967cafabe4424d27d5 , < 54bcccc2c7805a00af1d7d2faffd6f424c0133aa (git)
Affected: 6ef88d6e36c2b4b3886ec9967cafabe4424d27d5 , < 53903ac9ca1abffa27327e85075ec496fa55ccf3 (git)
Affected: 6ef88d6e36c2b4b3886ec9967cafabe4424d27d5 , < 4da3768e1820cf15cced390242d8789aed34f54d (git)

Linux

Affected: 6.0
Unaffected: 0 , < 6.0 (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.62 , ≤ 6.12.* (semver)
Unaffected: 6.17.12 , ≤ 6.17.* (semver)
Unaffected: 6.18.1 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/include/asm/kvm_host.h",
            "arch/x86/kvm/svm/svm.c",
            "arch/x86/kvm/x86.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2e84a018c2895c05abe213eb10db128aa45f6ec6",
              "status": "affected",
              "version": "6ef88d6e36c2b4b3886ec9967cafabe4424d27d5",
              "versionType": "git"
            },
            {
              "lessThan": "152289a51107ef45bbfe9b4aeeaa584a503042b5",
              "status": "affected",
              "version": "6ef88d6e36c2b4b3886ec9967cafabe4424d27d5",
              "versionType": "git"
            },
            {
              "lessThan": "87cc1622c88a4888959d64fa1fc9ba1e264aa3d4",
              "status": "affected",
              "version": "6ef88d6e36c2b4b3886ec9967cafabe4424d27d5",
              "versionType": "git"
            },
            {
              "lessThan": "54bcccc2c7805a00af1d7d2faffd6f424c0133aa",
              "status": "affected",
              "version": "6ef88d6e36c2b4b3886ec9967cafabe4424d27d5",
              "versionType": "git"
            },
            {
              "lessThan": "53903ac9ca1abffa27327e85075ec496fa55ccf3",
              "status": "affected",
              "version": "6ef88d6e36c2b4b3886ec9967cafabe4424d27d5",
              "versionType": "git"
            },
            {
              "lessThan": "4da3768e1820cf15cced390242d8789aed34f54d",
              "status": "affected",
              "version": "6ef88d6e36c2b4b3886ec9967cafabe4424d27d5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/include/asm/kvm_host.h",
            "arch/x86/kvm/svm/svm.c",
            "arch/x86/kvm/x86.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.62",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.62",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.12",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.1",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Don\u0027t skip unrelated instruction if INT3/INTO is replaced\n\nWhen re-injecting a soft interrupt from an INT3, INT0, or (select) INTn\ninstruction, discard the exception and retry the instruction if the code\nstream is changed (e.g. by a different vCPU) between when the CPU\nexecutes the instruction and when KVM decodes the instruction to get the\nnext RIP.\n\nAs effectively predicted by commit 6ef88d6e36c2 (\"KVM: SVM: Re-inject\nINT3/INTO instead of retrying the instruction\"), failure to verify that\nthe correct INTn instruction was decoded can effectively clobber guest\nstate due to decoding the wrong instruction and thus specifying the\nwrong next RIP.\n\nThe bug most often manifests as \"Oops: int3\" panics on static branch\nchecks in Linux guests.  Enabling or disabling a static branch in Linux\nuses the kernel\u0027s \"text poke\" code patching mechanism.  To modify code\nwhile other CPUs may be executing that code, Linux (temporarily)\nreplaces the first byte of the original instruction with an int3 (opcode\n0xcc), then patches in the new code stream except for the first byte,\nand finally replaces the int3 with the first byte of the new code\nstream.  If a CPU hits the int3, i.e. executes the code while it\u0027s being\nmodified, then the guest kernel must look up the RIP to determine how to\nhandle the #BP, e.g. by emulating the new instruction.  If the RIP is\nincorrect, then this lookup fails and the guest kernel panics.\n\nThe bug reproduces almost instantly by hacking the guest kernel to\nrepeatedly check a static branch[1] while running a drgn script[2] on\nthe host to constantly swap out the memory containing the guest\u0027s TSS.\n\n[1]: https://gist.github.com/osandov/44d17c51c28c0ac998ea0334edf90b5a\n[2]: https://gist.github.com/osandov/10e45e45afa29b11e0c7209247afc00b"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-11T16:29:34.616Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2e84a018c2895c05abe213eb10db128aa45f6ec6"
        },
        {
          "url": "https://git.kernel.org/stable/c/152289a51107ef45bbfe9b4aeeaa584a503042b5"
        },
        {
          "url": "https://git.kernel.org/stable/c/87cc1622c88a4888959d64fa1fc9ba1e264aa3d4"
        },
        {
          "url": "https://git.kernel.org/stable/c/54bcccc2c7805a00af1d7d2faffd6f424c0133aa"
        },
        {
          "url": "https://git.kernel.org/stable/c/53903ac9ca1abffa27327e85075ec496fa55ccf3"
        },
        {
          "url": "https://git.kernel.org/stable/c/4da3768e1820cf15cced390242d8789aed34f54d"
        }
      ],
      "title": "KVM: SVM: Don\u0027t skip unrelated instruction if INT3/INTO is replaced",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68259",
    "datePublished": "2025-12-16T14:45:01.753Z",
    "dateReserved": "2025-12-16T13:41:40.267Z",
    "dateUpdated": "2026-01-11T16:29:34.616Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50876 (GCVE-0-2022-50876)

Vulnerability from cvelistv5 – Published: 2025-12-30 12:23 – Updated: 2026-01-02 15:05

Title

usb: musb: Fix musb_gadget.c rxstate overflow bug

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: musb: Fix musb_gadget.c rxstate overflow bug The usb function device call musb_gadget_queue() adds the passed request to musb_ep::req_list,If the (request->length > musb_ep->packet_sz) and (is_buffer_mapped(req) return false),the rxstate() will copy all data in fifo to request->buf which may cause request->buf out of bounds. Fix it by add the length check : fifocnt = min_t(unsigned, request->length - request->actual, fifocnt);

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/826f84ab04a5cafe4…
	https://git.kernel.org/stable/c/a1008c8b9f357691c…
	https://git.kernel.org/stable/c/7c80f3a918ba9aa26…
	https://git.kernel.org/stable/c/d6afcab1b48f40512…
	https://git.kernel.org/stable/c/acf0006f2b2b2ca67…
	https://git.kernel.org/stable/c/3c84c7f592c4ba38f…
	https://git.kernel.org/stable/c/a9ccd2ab1becf5dcb…
	https://git.kernel.org/stable/c/523313881f0aa5cbb…
	https://git.kernel.org/stable/c/eea4c860c3b366369…

Impacted products

Vendor

Product

Version

Linux

Affected: 03840fad004ce8a56bc8b3bb60a2df10f6f9481e , < 826f84ab04a5cafe484ea9c2c85a3930068e5cb7 (git)
Affected: 03840fad004ce8a56bc8b3bb60a2df10f6f9481e , < a1008c8b9f357691ce6a8fdb8f157aecb2d79167 (git)
Affected: 03840fad004ce8a56bc8b3bb60a2df10f6f9481e , < 7c80f3a918ba9aa26fb699ee887064ec3af0396a (git)
Affected: 03840fad004ce8a56bc8b3bb60a2df10f6f9481e , < d6afcab1b48f4051211c50145b9e91be3b1b42c9 (git)
Affected: 03840fad004ce8a56bc8b3bb60a2df10f6f9481e , < acf0006f2b2b2ca672988875fd154429aafb2a9b (git)
Affected: 03840fad004ce8a56bc8b3bb60a2df10f6f9481e , < 3c84c7f592c4ba38f54ddaddd0115acc443025db (git)
Affected: 03840fad004ce8a56bc8b3bb60a2df10f6f9481e , < a9ccd2ab1becf5dcb6d57e9fcd981f5eaa606c96 (git)
Affected: 03840fad004ce8a56bc8b3bb60a2df10f6f9481e , < 523313881f0aa5cbbdb548ce575b6e58b202bd76 (git)
Affected: 03840fad004ce8a56bc8b3bb60a2df10f6f9481e , < eea4c860c3b366369eff0489d94ee4f0571d467d (git)

Linux

Affected: 4.3
Unaffected: 0 , < 4.3 (semver)
Unaffected: 4.9.331 , ≤ 4.9.* (semver)
Unaffected: 4.14.296 , ≤ 4.14.* (semver)
Unaffected: 4.19.262 , ≤ 4.19.* (semver)
Unaffected: 5.4.220 , ≤ 5.4.* (semver)
Unaffected: 5.10.150 , ≤ 5.10.* (semver)
Unaffected: 5.15.75 , ≤ 5.15.* (semver)
Unaffected: 5.19.17 , ≤ 5.19.* (semver)
Unaffected: 6.0.3 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/musb/musb_gadget.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "826f84ab04a5cafe484ea9c2c85a3930068e5cb7",
              "status": "affected",
              "version": "03840fad004ce8a56bc8b3bb60a2df10f6f9481e",
              "versionType": "git"
            },
            {
              "lessThan": "a1008c8b9f357691ce6a8fdb8f157aecb2d79167",
              "status": "affected",
              "version": "03840fad004ce8a56bc8b3bb60a2df10f6f9481e",
              "versionType": "git"
            },
            {
              "lessThan": "7c80f3a918ba9aa26fb699ee887064ec3af0396a",
              "status": "affected",
              "version": "03840fad004ce8a56bc8b3bb60a2df10f6f9481e",
              "versionType": "git"
            },
            {
              "lessThan": "d6afcab1b48f4051211c50145b9e91be3b1b42c9",
              "status": "affected",
              "version": "03840fad004ce8a56bc8b3bb60a2df10f6f9481e",
              "versionType": "git"
            },
            {
              "lessThan": "acf0006f2b2b2ca672988875fd154429aafb2a9b",
              "status": "affected",
              "version": "03840fad004ce8a56bc8b3bb60a2df10f6f9481e",
              "versionType": "git"
            },
            {
              "lessThan": "3c84c7f592c4ba38f54ddaddd0115acc443025db",
              "status": "affected",
              "version": "03840fad004ce8a56bc8b3bb60a2df10f6f9481e",
              "versionType": "git"
            },
            {
              "lessThan": "a9ccd2ab1becf5dcb6d57e9fcd981f5eaa606c96",
              "status": "affected",
              "version": "03840fad004ce8a56bc8b3bb60a2df10f6f9481e",
              "versionType": "git"
            },
            {
              "lessThan": "523313881f0aa5cbbdb548ce575b6e58b202bd76",
              "status": "affected",
              "version": "03840fad004ce8a56bc8b3bb60a2df10f6f9481e",
              "versionType": "git"
            },
            {
              "lessThan": "eea4c860c3b366369eff0489d94ee4f0571d467d",
              "status": "affected",
              "version": "03840fad004ce8a56bc8b3bb60a2df10f6f9481e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/musb/musb_gadget.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.3"
            },
            {
              "lessThan": "4.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.331",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.262",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.220",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.331",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.296",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.262",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.220",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.150",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.75",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: musb: Fix musb_gadget.c rxstate overflow bug\n\nThe usb function device call musb_gadget_queue() adds the passed\nrequest to musb_ep::req_list,If the (request-\u003elength \u003e musb_ep-\u003epacket_sz)\nand (is_buffer_mapped(req) return false),the rxstate() will copy all data\nin fifo to request-\u003ebuf which may cause request-\u003ebuf out of bounds.\n\nFix it by add the length check :\nfifocnt = min_t(unsigned, request-\u003elength - request-\u003eactual, fifocnt);"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:05:10.481Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/826f84ab04a5cafe484ea9c2c85a3930068e5cb7"
        },
        {
          "url": "https://git.kernel.org/stable/c/a1008c8b9f357691ce6a8fdb8f157aecb2d79167"
        },
        {
          "url": "https://git.kernel.org/stable/c/7c80f3a918ba9aa26fb699ee887064ec3af0396a"
        },
        {
          "url": "https://git.kernel.org/stable/c/d6afcab1b48f4051211c50145b9e91be3b1b42c9"
        },
        {
          "url": "https://git.kernel.org/stable/c/acf0006f2b2b2ca672988875fd154429aafb2a9b"
        },
        {
          "url": "https://git.kernel.org/stable/c/3c84c7f592c4ba38f54ddaddd0115acc443025db"
        },
        {
          "url": "https://git.kernel.org/stable/c/a9ccd2ab1becf5dcb6d57e9fcd981f5eaa606c96"
        },
        {
          "url": "https://git.kernel.org/stable/c/523313881f0aa5cbbdb548ce575b6e58b202bd76"
        },
        {
          "url": "https://git.kernel.org/stable/c/eea4c860c3b366369eff0489d94ee4f0571d467d"
        }
      ],
      "title": "usb: musb: Fix musb_gadget.c rxstate overflow bug",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50876",
    "datePublished": "2025-12-30T12:23:16.790Z",
    "dateReserved": "2025-12-30T12:06:07.137Z",
    "dateUpdated": "2026-01-02T15:05:10.481Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68217 (GCVE-0-2025-68217)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:57 – Updated: 2025-12-16 13:57

Title

Input: pegasus-notetaker - fix potential out-of-bounds access

Summary

In the Linux kernel, the following vulnerability has been resolved: Input: pegasus-notetaker - fix potential out-of-bounds access In the pegasus_notetaker driver, the pegasus_probe() function allocates the URB transfer buffer using the wMaxPacketSize value from the endpoint descriptor. An attacker can use a malicious USB descriptor to force the allocation of a very small buffer. Subsequently, if the device sends an interrupt packet with a specific pattern (e.g., where the first byte is 0x80 or 0x42), the pegasus_parse_packet() function parses the packet without checking the allocated buffer size. This leads to an out-of-bounds memory access.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c4e746651bd74c38f…
	https://git.kernel.org/stable/c/36bc92b838ff72f62…
	https://git.kernel.org/stable/c/015b719962696b793…
	https://git.kernel.org/stable/c/084264e10e2ae8938…
	https://git.kernel.org/stable/c/d344ea1baf1946c90…
	https://git.kernel.org/stable/c/9ab67eff6d654e34b…
	https://git.kernel.org/stable/c/763c3f4d2394a697d…
	https://git.kernel.org/stable/c/69aeb507312306f73…

Impacted products

Vendor

Product

Version

Linux

Affected: 1afca2b66aac7ac262d3511c68725e9e7053b40f , < c4e746651bd74c38f581e1cf31651119a94de8cd (git)
Affected: 1afca2b66aac7ac262d3511c68725e9e7053b40f , < 36bc92b838ff72f62f2c17751a9013b29ead2513 (git)
Affected: 1afca2b66aac7ac262d3511c68725e9e7053b40f , < 015b719962696b793997e8deefac019f816aca77 (git)
Affected: 1afca2b66aac7ac262d3511c68725e9e7053b40f , < 084264e10e2ae8938a54355123ad977eb9df56d6 (git)
Affected: 1afca2b66aac7ac262d3511c68725e9e7053b40f , < d344ea1baf1946c90f0cd6f9daeb5f3e0a0ca479 (git)
Affected: 1afca2b66aac7ac262d3511c68725e9e7053b40f , < 9ab67eff6d654e34ba6da07c64761aa87c2a3c26 (git)
Affected: 1afca2b66aac7ac262d3511c68725e9e7053b40f , < 763c3f4d2394a697d14af1335d3bb42f05c9409f (git)
Affected: 1afca2b66aac7ac262d3511c68725e9e7053b40f , < 69aeb507312306f73495598a055293fa749d454e (git)

Linux

Affected: 4.8
Unaffected: 0 , < 4.8 (semver)
Unaffected: 5.4.302 , ≤ 5.4.* (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.118 , ≤ 6.6.* (semver)
Unaffected: 6.12.60 , ≤ 6.12.* (semver)
Unaffected: 6.17.10 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/input/tablet/pegasus_notetaker.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c4e746651bd74c38f581e1cf31651119a94de8cd",
              "status": "affected",
              "version": "1afca2b66aac7ac262d3511c68725e9e7053b40f",
              "versionType": "git"
            },
            {
              "lessThan": "36bc92b838ff72f62f2c17751a9013b29ead2513",
              "status": "affected",
              "version": "1afca2b66aac7ac262d3511c68725e9e7053b40f",
              "versionType": "git"
            },
            {
              "lessThan": "015b719962696b793997e8deefac019f816aca77",
              "status": "affected",
              "version": "1afca2b66aac7ac262d3511c68725e9e7053b40f",
              "versionType": "git"
            },
            {
              "lessThan": "084264e10e2ae8938a54355123ad977eb9df56d6",
              "status": "affected",
              "version": "1afca2b66aac7ac262d3511c68725e9e7053b40f",
              "versionType": "git"
            },
            {
              "lessThan": "d344ea1baf1946c90f0cd6f9daeb5f3e0a0ca479",
              "status": "affected",
              "version": "1afca2b66aac7ac262d3511c68725e9e7053b40f",
              "versionType": "git"
            },
            {
              "lessThan": "9ab67eff6d654e34ba6da07c64761aa87c2a3c26",
              "status": "affected",
              "version": "1afca2b66aac7ac262d3511c68725e9e7053b40f",
              "versionType": "git"
            },
            {
              "lessThan": "763c3f4d2394a697d14af1335d3bb42f05c9409f",
              "status": "affected",
              "version": "1afca2b66aac7ac262d3511c68725e9e7053b40f",
              "versionType": "git"
            },
            {
              "lessThan": "69aeb507312306f73495598a055293fa749d454e",
              "status": "affected",
              "version": "1afca2b66aac7ac262d3511c68725e9e7053b40f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/input/tablet/pegasus_notetaker.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.302",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.118",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.60",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.302",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.118",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.60",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.10",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: pegasus-notetaker - fix potential out-of-bounds access\n\nIn the pegasus_notetaker driver, the pegasus_probe() function allocates\nthe URB transfer buffer using the wMaxPacketSize value from\nthe endpoint descriptor. An attacker can use a malicious USB descriptor\nto force the allocation of a very small buffer.\n\nSubsequently, if the device sends an interrupt packet with a specific\npattern (e.g., where the first byte is 0x80 or 0x42),\nthe pegasus_parse_packet() function parses the packet without checking\nthe allocated buffer size. This leads to an out-of-bounds memory access."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T13:57:12.011Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c4e746651bd74c38f581e1cf31651119a94de8cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/36bc92b838ff72f62f2c17751a9013b29ead2513"
        },
        {
          "url": "https://git.kernel.org/stable/c/015b719962696b793997e8deefac019f816aca77"
        },
        {
          "url": "https://git.kernel.org/stable/c/084264e10e2ae8938a54355123ad977eb9df56d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/d344ea1baf1946c90f0cd6f9daeb5f3e0a0ca479"
        },
        {
          "url": "https://git.kernel.org/stable/c/9ab67eff6d654e34ba6da07c64761aa87c2a3c26"
        },
        {
          "url": "https://git.kernel.org/stable/c/763c3f4d2394a697d14af1335d3bb42f05c9409f"
        },
        {
          "url": "https://git.kernel.org/stable/c/69aeb507312306f73495598a055293fa749d454e"
        }
      ],
      "title": "Input: pegasus-notetaker - fix potential out-of-bounds access",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68217",
    "datePublished": "2025-12-16T13:57:12.011Z",
    "dateReserved": "2025-12-16T13:41:40.256Z",
    "dateUpdated": "2025-12-16T13:57:12.011Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50767 (GCVE-0-2022-50767)

Vulnerability from cvelistv5 – Published: 2025-12-24 13:05 – Updated: 2026-01-02 15:04

Title

fbdev: smscufx: Fix several use-after-free bugs

Summary

In the Linux kernel, the following vulnerability has been resolved: fbdev: smscufx: Fix several use-after-free bugs Several types of UAFs can occur when physically removing a USB device. Adds ufx_ops_destroy() function to .fb_destroy of fb_ops, and in this function, there is kref_put() that finally calls ufx_free(). This fix prevents multiple UAFs.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/6f2075ea883e5d773…
	https://git.kernel.org/stable/c/3f40852d671072836…
	https://git.kernel.org/stable/c/70faf9d9b6cc74418…
	https://git.kernel.org/stable/c/5385af2f89bc352fb…
	https://git.kernel.org/stable/c/d9ddfeb01fb95ffbb…
	https://git.kernel.org/stable/c/cc6a7249842fceda7…
	https://git.kernel.org/stable/c/8d924b262f3178a9b…
	https://git.kernel.org/stable/c/cc67482c9e5f2c80d…

Impacted products

Vendor

Product

Version

Linux

Affected: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 , < 6f2075ea883e5d7730d0c9ebb1bb8e7a1a7e953f (git)
Affected: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 , < 3f40852d671072836fb7ae331a1f28a24223c4e8 (git)
Affected: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 , < 70faf9d9b6cc74418716bbf76fe75bd2da10ad4a (git)
Affected: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 , < 5385af2f89bc352fb70753ab41b2bb036190141f (git)
Affected: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 , < d9ddfeb01fb95ffbbc7031d46a5ee2a5e45cbb86 (git)
Affected: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 , < cc6a7249842fceda7574ceb63275a2d5e99d2862 (git)
Affected: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 , < 8d924b262f3178a9b17c17d4306a9f426c508bd9 (git)
Affected: 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 , < cc67482c9e5f2c80d62f623bcc347c29f9f648e1 (git)

Linux

Affected: 3.2
Unaffected: 0 , < 3.2 (semver)
Unaffected: 4.9.332 , ≤ 4.9.* (semver)
Unaffected: 4.14.298 , ≤ 4.14.* (semver)
Unaffected: 4.19.264 , ≤ 4.19.* (semver)
Unaffected: 5.4.223 , ≤ 5.4.* (semver)
Unaffected: 5.10.153 , ≤ 5.10.* (semver)
Unaffected: 5.15.77 , ≤ 5.15.* (semver)
Unaffected: 6.0.7 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/smscufx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6f2075ea883e5d7730d0c9ebb1bb8e7a1a7e953f",
              "status": "affected",
              "version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
              "versionType": "git"
            },
            {
              "lessThan": "3f40852d671072836fb7ae331a1f28a24223c4e8",
              "status": "affected",
              "version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
              "versionType": "git"
            },
            {
              "lessThan": "70faf9d9b6cc74418716bbf76fe75bd2da10ad4a",
              "status": "affected",
              "version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
              "versionType": "git"
            },
            {
              "lessThan": "5385af2f89bc352fb70753ab41b2bb036190141f",
              "status": "affected",
              "version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
              "versionType": "git"
            },
            {
              "lessThan": "d9ddfeb01fb95ffbbc7031d46a5ee2a5e45cbb86",
              "status": "affected",
              "version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
              "versionType": "git"
            },
            {
              "lessThan": "cc6a7249842fceda7574ceb63275a2d5e99d2862",
              "status": "affected",
              "version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
              "versionType": "git"
            },
            {
              "lessThan": "8d924b262f3178a9b17c17d4306a9f426c508bd9",
              "status": "affected",
              "version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
              "versionType": "git"
            },
            {
              "lessThan": "cc67482c9e5f2c80d62f623bcc347c29f9f648e1",
              "status": "affected",
              "version": "3c8a63e22a0802fd56380f6ab305b419f18eb6f5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/smscufx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.2"
            },
            {
              "lessThan": "3.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.332",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.298",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.264",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.223",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.153",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.77",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.332",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.298",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.264",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.223",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.153",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.77",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.7",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: smscufx: Fix several use-after-free bugs\n\nSeveral types of UAFs can occur when physically removing a USB device.\n\nAdds ufx_ops_destroy() function to .fb_destroy of fb_ops, and\nin this function, there is kref_put() that finally calls ufx_free().\n\nThis fix prevents multiple UAFs."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:04:30.518Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6f2075ea883e5d7730d0c9ebb1bb8e7a1a7e953f"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f40852d671072836fb7ae331a1f28a24223c4e8"
        },
        {
          "url": "https://git.kernel.org/stable/c/70faf9d9b6cc74418716bbf76fe75bd2da10ad4a"
        },
        {
          "url": "https://git.kernel.org/stable/c/5385af2f89bc352fb70753ab41b2bb036190141f"
        },
        {
          "url": "https://git.kernel.org/stable/c/d9ddfeb01fb95ffbbc7031d46a5ee2a5e45cbb86"
        },
        {
          "url": "https://git.kernel.org/stable/c/cc6a7249842fceda7574ceb63275a2d5e99d2862"
        },
        {
          "url": "https://git.kernel.org/stable/c/8d924b262f3178a9b17c17d4306a9f426c508bd9"
        },
        {
          "url": "https://git.kernel.org/stable/c/cc67482c9e5f2c80d62f623bcc347c29f9f648e1"
        }
      ],
      "title": "fbdev: smscufx: Fix several use-after-free bugs",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50767",
    "datePublished": "2025-12-24T13:05:57.569Z",
    "dateReserved": "2025-12-24T13:02:21.546Z",
    "dateUpdated": "2026-01-02T15:04:30.518Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-49545 (GCVE-0-2022-49545)

Vulnerability from cvelistv5 – Published: 2025-02-26 02:13 – Updated: 2025-12-23 13:24

Title

ALSA: usb-audio: Cancel pending work at closing a MIDI substream

Summary

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Cancel pending work at closing a MIDI substream At closing a USB MIDI output substream, there might be still a pending work, which would eventually access the rawmidi runtime object that is being released. For fixing the race, make sure to cancel the pending work at closing.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/40bdb5ec957aca5c5…
	https://git.kernel.org/stable/c/11868ca2158556165…
	https://git.kernel.org/stable/c/5e5fe2b6065541c62…
	https://git.kernel.org/stable/c/517dcef4d2dda0132…
	https://git.kernel.org/stable/c/0125de38122f0f66b…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 40bdb5ec957aca5c5c1924602bef6b0ab18e22d3 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 11868ca21585561659c2575b0d6508ef8e9c4291 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5e5fe2b6065541c6216a7a003b0cddf386be0d2d (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 517dcef4d2dda0132648f1e4c079ed17bba4d1a4 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0125de38122f0f66bf61336158d12a1aabfe6425 (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.10.121 , ≤ 5.10.* (semver)
Unaffected: 5.15.46 , ≤ 5.15.* (semver)
Unaffected: 5.17.14 , ≤ 5.17.* (semver)
Unaffected: 5.18.3 , ≤ 5.18.* (semver)
Unaffected: 5.19 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/usb/midi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "40bdb5ec957aca5c5c1924602bef6b0ab18e22d3",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "11868ca21585561659c2575b0d6508ef8e9c4291",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5e5fe2b6065541c6216a7a003b0cddf386be0d2d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "517dcef4d2dda0132648f1e4c079ed17bba4d1a4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0125de38122f0f66bf61336158d12a1aabfe6425",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/usb/midi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.121",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.46",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.17.*",
              "status": "unaffected",
              "version": "5.17.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.18.*",
              "status": "unaffected",
              "version": "5.18.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.121",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.46",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.17.14",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18.3",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Cancel pending work at closing a MIDI substream\n\nAt closing a USB MIDI output substream, there might be still a pending\nwork, which would eventually access the rawmidi runtime object that is\nbeing released.  For fixing the race, make sure to cancel the pending\nwork at closing."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-23T13:24:38.484Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/40bdb5ec957aca5c5c1924602bef6b0ab18e22d3"
        },
        {
          "url": "https://git.kernel.org/stable/c/11868ca21585561659c2575b0d6508ef8e9c4291"
        },
        {
          "url": "https://git.kernel.org/stable/c/5e5fe2b6065541c6216a7a003b0cddf386be0d2d"
        },
        {
          "url": "https://git.kernel.org/stable/c/517dcef4d2dda0132648f1e4c079ed17bba4d1a4"
        },
        {
          "url": "https://git.kernel.org/stable/c/0125de38122f0f66bf61336158d12a1aabfe6425"
        }
      ],
      "title": "ALSA: usb-audio: Cancel pending work at closing a MIDI substream",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49545",
    "datePublished": "2025-02-26T02:13:58.363Z",
    "dateReserved": "2025-02-26T02:08:31.590Z",
    "dateUpdated": "2025-12-23T13:24:38.484Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68813 (GCVE-0-2025-68813)

Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-01-19 12:19

Title

ipvs: fix ipv4 null-ptr-deref in route error path

Summary

In the Linux kernel, the following vulnerability has been resolved: ipvs: fix ipv4 null-ptr-deref in route error path The IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure() without ensuring skb->dev is set, leading to a NULL pointer dereference in fib_compute_spec_dst() when ipv4_link_failure() attempts to send ICMP destination unreachable messages. The issue emerged after commit ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure") started calling __ip_options_compile() from ipv4_link_failure(). This code path eventually calls fib_compute_spec_dst() which dereferences skb->dev. An attempt was made to fix the NULL skb->dev dereference in commit 0113d9c9d1cc ("ipv4: fix null-deref in ipv4_link_failure"), but it only addressed the immediate dev_net(skb->dev) dereference by using a fallback device. The fix was incomplete because fib_compute_spec_dst() later in the call chain still accesses skb->dev directly, which remains NULL when IPVS calls dst_link_failure(). The crash occurs when: 1. IPVS processes a packet in NAT mode with a misconfigured destination 2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route 3. The error path calls dst_link_failure(skb) with skb->dev == NULL 4. ipv4_link_failure() → ipv4_send_dest_unreach() → __ip_options_compile() → fib_compute_spec_dst() 5. fib_compute_spec_dst() dereferences NULL skb->dev Apply the same fix used for IPv6 in commit 326bf17ea5d4 ("ipvs: fix ipv6 route unreach panic"): set skb->dev from skb_dst(skb)->dev before calling dst_link_failure(). KASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f] CPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2 RIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233 RIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285 Call Trace: <TASK> spec_dst_fill net/ipv4/ip_options.c:232 spec_dst_fill net/ipv4/ip_options.c:229 __ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330 ipv4_send_dest_unreach net/ipv4/route.c:1252 ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265 dst_link_failure include/net/dst.h:437 __ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412 ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/dd72a93c80408f063…
	https://git.kernel.org/stable/c/312d7cd88882fc6ca…
	https://git.kernel.org/stable/c/cdeff10851c37a002…
	https://git.kernel.org/stable/c/4729ff0581fbb7ad0…
	https://git.kernel.org/stable/c/25ab24df31f7af843…
	https://git.kernel.org/stable/c/689a627d14788ad77…
	https://git.kernel.org/stable/c/ad891bb3d079a46a8…

Impacted products

Vendor

Product

Version

Linux

Affected: ed0de45a1008991fdaa27a0152befcb74d126a8b , < dd72a93c80408f06327dd2d956eb1a656d0b5903 (git)
Affected: ed0de45a1008991fdaa27a0152befcb74d126a8b , < 312d7cd88882fc6cadcc08b02287497aaaf94bcd (git)
Affected: ed0de45a1008991fdaa27a0152befcb74d126a8b , < cdeff10851c37a002d87a035818ebd60fdb74447 (git)
Affected: ed0de45a1008991fdaa27a0152befcb74d126a8b , < 4729ff0581fbb7ad098b6153b76b6f5aac94618a (git)
Affected: ed0de45a1008991fdaa27a0152befcb74d126a8b , < 25ab24df31f7af843c96a38e0781b9165216e1a8 (git)
Affected: ed0de45a1008991fdaa27a0152befcb74d126a8b , < 689a627d14788ad772e0fa24c2e57a23dbc7ce90 (git)
Affected: ed0de45a1008991fdaa27a0152befcb74d126a8b , < ad891bb3d079a46a821bf2b8867854645191bab0 (git)
Affected: 6c2fa855d8178699706b1192db2f1f8102b0ba1e (git)
Affected: fbf569d2beee2a4a7a0bc8b619c26101d1211a88 (git)
Affected: ff71f99d5fb2daf54340e8b290d0bc4e6b4c1d38 (git)
Affected: 3d988fcddbe7b8673a231958bd2fba61b5a7ced9 (git)
Affected: 8a430e56a6485267a1b2d3747209d26c54d1a34b (git)
Affected: 6bd1ee0a993fc9574ae43c1994c54a60cb23a380 (git)

Linux

Affected: 5.1
Unaffected: 0 , < 5.1 (semver)
Unaffected: 5.10.248 , ≤ 5.10.* (semver)
Unaffected: 5.15.198 , ≤ 5.15.* (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.64 , ≤ 6.12.* (semver)
Unaffected: 6.18.3 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc2 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/ipvs/ip_vs_xmit.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "dd72a93c80408f06327dd2d956eb1a656d0b5903",
              "status": "affected",
              "version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
              "versionType": "git"
            },
            {
              "lessThan": "312d7cd88882fc6cadcc08b02287497aaaf94bcd",
              "status": "affected",
              "version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
              "versionType": "git"
            },
            {
              "lessThan": "cdeff10851c37a002d87a035818ebd60fdb74447",
              "status": "affected",
              "version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
              "versionType": "git"
            },
            {
              "lessThan": "4729ff0581fbb7ad098b6153b76b6f5aac94618a",
              "status": "affected",
              "version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
              "versionType": "git"
            },
            {
              "lessThan": "25ab24df31f7af843c96a38e0781b9165216e1a8",
              "status": "affected",
              "version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
              "versionType": "git"
            },
            {
              "lessThan": "689a627d14788ad772e0fa24c2e57a23dbc7ce90",
              "status": "affected",
              "version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
              "versionType": "git"
            },
            {
              "lessThan": "ad891bb3d079a46a821bf2b8867854645191bab0",
              "status": "affected",
              "version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "6c2fa855d8178699706b1192db2f1f8102b0ba1e",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "fbf569d2beee2a4a7a0bc8b619c26101d1211a88",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "ff71f99d5fb2daf54340e8b290d0bc4e6b4c1d38",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3d988fcddbe7b8673a231958bd2fba61b5a7ced9",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "8a430e56a6485267a1b2d3747209d26c54d1a34b",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "6bd1ee0a993fc9574ae43c1994c54a60cb23a380",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/ipvs/ip_vs_xmit.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.1"
            },
            {
              "lessThan": "5.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.248",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.248",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.198",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.64",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.3",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc2",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.18.139",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.4.179",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.9.171",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.114",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.37",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.0.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: fix ipv4 null-ptr-deref in route error path\n\nThe IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure()\nwithout ensuring skb-\u003edev is set, leading to a NULL pointer dereference\nin fib_compute_spec_dst() when ipv4_link_failure() attempts to send\nICMP destination unreachable messages.\n\nThe issue emerged after commit ed0de45a1008 (\"ipv4: recompile ip options\nin ipv4_link_failure\") started calling __ip_options_compile() from\nipv4_link_failure(). This code path eventually calls fib_compute_spec_dst()\nwhich dereferences skb-\u003edev. An attempt was made to fix the NULL skb-\u003edev\ndereference in commit 0113d9c9d1cc (\"ipv4: fix null-deref in\nipv4_link_failure\"), but it only addressed the immediate dev_net(skb-\u003edev)\ndereference by using a fallback device. The fix was incomplete because\nfib_compute_spec_dst() later in the call chain still accesses skb-\u003edev\ndirectly, which remains NULL when IPVS calls dst_link_failure().\n\nThe crash occurs when:\n1. IPVS processes a packet in NAT mode with a misconfigured destination\n2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route\n3. The error path calls dst_link_failure(skb) with skb-\u003edev == NULL\n4. ipv4_link_failure() \u2192 ipv4_send_dest_unreach() \u2192\n   __ip_options_compile() \u2192 fib_compute_spec_dst()\n5. fib_compute_spec_dst() dereferences NULL skb-\u003edev\n\nApply the same fix used for IPv6 in commit 326bf17ea5d4 (\"ipvs: fix\nipv6 route unreach panic\"): set skb-\u003edev from skb_dst(skb)-\u003edev before\ncalling dst_link_failure().\n\nKASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f]\nCPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2\nRIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233\nRIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285\nCall Trace:\n  \u003cTASK\u003e\n  spec_dst_fill net/ipv4/ip_options.c:232\n  spec_dst_fill net/ipv4/ip_options.c:229\n  __ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330\n  ipv4_send_dest_unreach net/ipv4/route.c:1252\n  ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265\n  dst_link_failure include/net/dst.h:437\n  __ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412\n  ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-19T12:19:17.898Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/dd72a93c80408f06327dd2d956eb1a656d0b5903"
        },
        {
          "url": "https://git.kernel.org/stable/c/312d7cd88882fc6cadcc08b02287497aaaf94bcd"
        },
        {
          "url": "https://git.kernel.org/stable/c/cdeff10851c37a002d87a035818ebd60fdb74447"
        },
        {
          "url": "https://git.kernel.org/stable/c/4729ff0581fbb7ad098b6153b76b6f5aac94618a"
        },
        {
          "url": "https://git.kernel.org/stable/c/25ab24df31f7af843c96a38e0781b9165216e1a8"
        },
        {
          "url": "https://git.kernel.org/stable/c/689a627d14788ad772e0fa24c2e57a23dbc7ce90"
        },
        {
          "url": "https://git.kernel.org/stable/c/ad891bb3d079a46a821bf2b8867854645191bab0"
        }
      ],
      "title": "ipvs: fix ipv4 null-ptr-deref in route error path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68813",
    "datePublished": "2026-01-13T15:29:18.483Z",
    "dateReserved": "2025-12-24T10:30:51.047Z",
    "dateUpdated": "2026-01-19T12:19:17.898Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40277 (GCVE-0-2025-40277)

Vulnerability from cvelistv5 – Published: 2025-12-06 21:51 – Updated: 2025-12-06 21:51

Title

drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE This data originates from userspace and is used in buffer offset calculations which could potentially overflow causing an out-of-bounds access.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e58559845021c3bad…
	https://git.kernel.org/stable/c/54d458b244893e47b…
	https://git.kernel.org/stable/c/709e5c088f9c99a5c…
	https://git.kernel.org/stable/c/a3abb54c27b2c393c…
	https://git.kernel.org/stable/c/b5df9e06eed3df6a4…
	https://git.kernel.org/stable/c/5aea2cde03d4247cd…
	https://git.kernel.org/stable/c/f3f3a8eb3f0ba799f…
	https://git.kernel.org/stable/c/32b415a9dc2c212e8…

Impacted products

Vendor

Product

Version

Linux

Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < e58559845021c3bad5e094219378b869157fad53 (git)
Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < 54d458b244893e47bda52ec3943fdfbc8d7d068b (git)
Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < 709e5c088f9c99a5cf2c1d1c6ce58f2cca7ab173 (git)
Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < a3abb54c27b2c393c44362399777ad2f6e1ff17e (git)
Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < b5df9e06eed3df6a4f5c6f8453013b0cabb927b4 (git)
Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < 5aea2cde03d4247cdcf53f9ab7d0747c9dca1cfc (git)
Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < f3f3a8eb3f0ba799fae057091d8c67cca12d6fa0 (git)
Affected: 8ce75f8ab9044fe11caaaf2b2c82471023212f9f , < 32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af (git)

Linux

Affected: 4.3
Unaffected: 0 , < 4.3 (semver)
Unaffected: 5.4.302 , ≤ 5.4.* (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.59 , ≤ 6.12.* (semver)
Unaffected: 6.17.9 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e58559845021c3bad5e094219378b869157fad53",
              "status": "affected",
              "version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
              "versionType": "git"
            },
            {
              "lessThan": "54d458b244893e47bda52ec3943fdfbc8d7d068b",
              "status": "affected",
              "version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
              "versionType": "git"
            },
            {
              "lessThan": "709e5c088f9c99a5cf2c1d1c6ce58f2cca7ab173",
              "status": "affected",
              "version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
              "versionType": "git"
            },
            {
              "lessThan": "a3abb54c27b2c393c44362399777ad2f6e1ff17e",
              "status": "affected",
              "version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
              "versionType": "git"
            },
            {
              "lessThan": "b5df9e06eed3df6a4f5c6f8453013b0cabb927b4",
              "status": "affected",
              "version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
              "versionType": "git"
            },
            {
              "lessThan": "5aea2cde03d4247cdcf53f9ab7d0747c9dca1cfc",
              "status": "affected",
              "version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
              "versionType": "git"
            },
            {
              "lessThan": "f3f3a8eb3f0ba799fae057091d8c67cca12d6fa0",
              "status": "affected",
              "version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
              "versionType": "git"
            },
            {
              "lessThan": "32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af",
              "status": "affected",
              "version": "8ce75f8ab9044fe11caaaf2b2c82471023212f9f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.3"
            },
            {
              "lessThan": "4.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.302",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.302",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE\n\nThis data originates from userspace and is used in buffer offset\ncalculations which could potentially overflow causing an out-of-bounds\naccess."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-06T21:51:00.437Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e58559845021c3bad5e094219378b869157fad53"
        },
        {
          "url": "https://git.kernel.org/stable/c/54d458b244893e47bda52ec3943fdfbc8d7d068b"
        },
        {
          "url": "https://git.kernel.org/stable/c/709e5c088f9c99a5cf2c1d1c6ce58f2cca7ab173"
        },
        {
          "url": "https://git.kernel.org/stable/c/a3abb54c27b2c393c44362399777ad2f6e1ff17e"
        },
        {
          "url": "https://git.kernel.org/stable/c/b5df9e06eed3df6a4f5c6f8453013b0cabb927b4"
        },
        {
          "url": "https://git.kernel.org/stable/c/5aea2cde03d4247cdcf53f9ab7d0747c9dca1cfc"
        },
        {
          "url": "https://git.kernel.org/stable/c/f3f3a8eb3f0ba799fae057091d8c67cca12d6fa0"
        },
        {
          "url": "https://git.kernel.org/stable/c/32b415a9dc2c212e809b7ebc2b14bc3fbda2b9af"
        }
      ],
      "title": "drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40277",
    "datePublished": "2025-12-06T21:51:00.437Z",
    "dateReserved": "2025-04-16T07:20:57.184Z",
    "dateUpdated": "2025-12-06T21:51:00.437Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68750 (GCVE-0-2025-68750)

Vulnerability from cvelistv5 – Published: 2025-12-24 15:51 – Updated: 2026-01-02 15:35

Title

usb: potential integer overflow in usbg_make_tpg()

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: potential integer overflow in usbg_make_tpg() The variable tpgt in usbg_make_tpg() is defined as unsigned long and is assigned to tpgt->tport_tpgt, which is defined as u16. This may cause an integer overflow when tpgt is greater than USHRT_MAX (65535). I haven't tried to trigger it myself, but it is possible to trigger it by calling usbg_make_tpg() with a large value for tpgt. I modified the type of tpgt to match tpgt->tport_tpgt and adjusted the relevant code accordingly. This patch is similar to commit 59c816c1f24d ("vhost/scsi: potential memory corruption").

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0861b9cb2ff519b7c…
	https://git.kernel.org/stable/c/603a83e5fee38a950…
	https://git.kernel.org/stable/c/6f77e344515b5258e…
	https://git.kernel.org/stable/c/6722e080b5b39ab74…
	https://git.kernel.org/stable/c/a33f507f36d5881f6…
	https://git.kernel.org/stable/c/358d5ba08f1609c34…
	https://git.kernel.org/stable/c/620a5e1e84a3a7004…
	https://git.kernel.org/stable/c/153874010354d050f…

Impacted products

Vendor

Product

Version

Linux

Affected: c52661d60f636d17e26ad834457db333bd1df494 , < 0861b9cb2ff519b7c5a3b1dd52a343e18c4efb24 (git)
Affected: c52661d60f636d17e26ad834457db333bd1df494 , < 603a83e5fee38a950bfcfb2f36449311fa00a474 (git)
Affected: c52661d60f636d17e26ad834457db333bd1df494 , < 6f77e344515b5258edb3988188311464209b1c7c (git)
Affected: c52661d60f636d17e26ad834457db333bd1df494 , < 6722e080b5b39ab7471386c73d0c1b39572f943c (git)
Affected: c52661d60f636d17e26ad834457db333bd1df494 , < a33f507f36d5881f602dab581ab0f8d22b49762c (git)
Affected: c52661d60f636d17e26ad834457db333bd1df494 , < 358d5ba08f1609c34a054aed88c431844d09705a (git)
Affected: c52661d60f636d17e26ad834457db333bd1df494 , < 620a5e1e84a3a7004270703a118d33eeb1c0f368 (git)
Affected: c52661d60f636d17e26ad834457db333bd1df494 , < 153874010354d050f62f8ae25cbb960c17633dc5 (git)

Linux

Affected: 3.5
Unaffected: 0 , < 3.5 (semver)
Unaffected: 5.4.296 , ≤ 5.4.* (semver)
Unaffected: 5.10.240 , ≤ 5.10.* (semver)
Unaffected: 5.15.187 , ≤ 5.15.* (semver)
Unaffected: 6.1.143 , ≤ 6.1.* (semver)
Unaffected: 6.6.96 , ≤ 6.6.* (semver)
Unaffected: 6.12.36 , ≤ 6.12.* (semver)
Unaffected: 6.15.5 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/f_tcm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0861b9cb2ff519b7c5a3b1dd52a343e18c4efb24",
              "status": "affected",
              "version": "c52661d60f636d17e26ad834457db333bd1df494",
              "versionType": "git"
            },
            {
              "lessThan": "603a83e5fee38a950bfcfb2f36449311fa00a474",
              "status": "affected",
              "version": "c52661d60f636d17e26ad834457db333bd1df494",
              "versionType": "git"
            },
            {
              "lessThan": "6f77e344515b5258edb3988188311464209b1c7c",
              "status": "affected",
              "version": "c52661d60f636d17e26ad834457db333bd1df494",
              "versionType": "git"
            },
            {
              "lessThan": "6722e080b5b39ab7471386c73d0c1b39572f943c",
              "status": "affected",
              "version": "c52661d60f636d17e26ad834457db333bd1df494",
              "versionType": "git"
            },
            {
              "lessThan": "a33f507f36d5881f602dab581ab0f8d22b49762c",
              "status": "affected",
              "version": "c52661d60f636d17e26ad834457db333bd1df494",
              "versionType": "git"
            },
            {
              "lessThan": "358d5ba08f1609c34a054aed88c431844d09705a",
              "status": "affected",
              "version": "c52661d60f636d17e26ad834457db333bd1df494",
              "versionType": "git"
            },
            {
              "lessThan": "620a5e1e84a3a7004270703a118d33eeb1c0f368",
              "status": "affected",
              "version": "c52661d60f636d17e26ad834457db333bd1df494",
              "versionType": "git"
            },
            {
              "lessThan": "153874010354d050f62f8ae25cbb960c17633dc5",
              "status": "affected",
              "version": "c52661d60f636d17e26ad834457db333bd1df494",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/function/f_tcm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.5"
            },
            {
              "lessThan": "3.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.240",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.187",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.143",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.96",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.36",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.296",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.240",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.187",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.143",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.96",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.36",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.5",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: potential integer overflow in usbg_make_tpg()\n\nThe variable tpgt in usbg_make_tpg() is defined as unsigned long and is\nassigned to tpgt-\u003etport_tpgt, which is defined as u16. This may cause an\ninteger overflow when tpgt is greater than USHRT_MAX (65535). I\nhaven\u0027t tried to trigger it myself, but it is possible to trigger it\nby calling usbg_make_tpg() with a large value for tpgt.\n\nI modified the type of tpgt to match tpgt-\u003etport_tpgt and adjusted the\nrelevant code accordingly.\n\nThis patch is similar to commit 59c816c1f24d (\"vhost/scsi: potential\nmemory corruption\")."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:35:14.366Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0861b9cb2ff519b7c5a3b1dd52a343e18c4efb24"
        },
        {
          "url": "https://git.kernel.org/stable/c/603a83e5fee38a950bfcfb2f36449311fa00a474"
        },
        {
          "url": "https://git.kernel.org/stable/c/6f77e344515b5258edb3988188311464209b1c7c"
        },
        {
          "url": "https://git.kernel.org/stable/c/6722e080b5b39ab7471386c73d0c1b39572f943c"
        },
        {
          "url": "https://git.kernel.org/stable/c/a33f507f36d5881f602dab581ab0f8d22b49762c"
        },
        {
          "url": "https://git.kernel.org/stable/c/358d5ba08f1609c34a054aed88c431844d09705a"
        },
        {
          "url": "https://git.kernel.org/stable/c/620a5e1e84a3a7004270703a118d33eeb1c0f368"
        },
        {
          "url": "https://git.kernel.org/stable/c/153874010354d050f62f8ae25cbb960c17633dc5"
        }
      ],
      "title": "usb: potential integer overflow in usbg_make_tpg()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68750",
    "datePublished": "2025-12-24T15:51:03.141Z",
    "dateReserved": "2025-12-24T10:30:51.032Z",
    "dateUpdated": "2026-01-02T15:35:14.366Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2021-47633 (GCVE-0-2021-47633)

Vulnerability from cvelistv5 – Published: 2025-02-26 01:54 – Updated: 2025-05-21 08:31

Title

ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111

Summary

In the Linux kernel, the following vulnerability has been resolved: ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111 The bug was found during fuzzing. Stacktrace locates it in ath5k_eeprom_convert_pcal_info_5111. When none of the curve is selected in the loop, idx can go up to AR5K_EEPROM_N_PD_CURVES. The line makes pd out of bound. pd = &chinfo[pier].pd_curves[idx]; There are many OOB writes using pd later in the code. So I added a sanity check for idx. Checks for other loops involving AR5K_EEPROM_N_PD_CURVES are not needed as the loop index is not used outside the loops. The patch is NOT tested with real device. The following is the fuzzing report BUG: KASAN: slab-out-of-bounds in ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] Write of size 1 at addr ffff8880174a4d60 by task modprobe/214 CPU: 0 PID: 214 Comm: modprobe Not tainted 5.6.0 #1 Call Trace: dump_stack+0x76/0xa0 print_address_description.constprop.0+0x16/0x200 ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] __kasan_report.cold+0x37/0x7c ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] kasan_report+0xe/0x20 ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] ? apic_timer_interrupt+0xa/0x20 ? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k] ? ath5k_pci_eeprom_read+0x228/0x3c0 [ath5k] ath5k_eeprom_init+0x2513/0x6290 [ath5k] ? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k] ? usleep_range+0xb8/0x100 ? apic_timer_interrupt+0xa/0x20 ? ath5k_eeprom_read_pcal_info_2413+0x2f20/0x2f20 [ath5k] ath5k_hw_init+0xb60/0x1970 [ath5k] ath5k_init_ah+0x6fe/0x2530 [ath5k] ? kasprintf+0xa6/0xe0 ? ath5k_stop+0x140/0x140 [ath5k] ? _dev_notice+0xf6/0xf6 ? apic_timer_interrupt+0xa/0x20 ath5k_pci_probe.cold+0x29a/0x3d6 [ath5k] ? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k] ? mutex_lock+0x89/0xd0 ? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k] local_pci_probe+0xd3/0x160 pci_device_probe+0x23f/0x3e0 ? pci_device_remove+0x280/0x280 ? pci_device_remove+0x280/0x280 really_probe+0x209/0x5d0

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f4de974019a0adf34…
	https://git.kernel.org/stable/c/ed3dfdaa8b5f0579e…
	https://git.kernel.org/stable/c/25efc5d03455c3839…
	https://git.kernel.org/stable/c/c4e2f577271e158d8…
	https://git.kernel.org/stable/c/9d7d83d0399e23d66…
	https://git.kernel.org/stable/c/be2f81024e7981565…
	https://git.kernel.org/stable/c/fc8f7752a82f4accb…
	https://git.kernel.org/stable/c/cbd96d6cad6625feb…
	https://git.kernel.org/stable/c/564d4eceb97eaf381…

Impacted products

Vendor

Product

Version

Linux

Affected: 8e218fb24faef0bfe95bc91b3c05261e20439527 , < f4de974019a0adf34d0e7de6b86252f1bd266b06 (git)
Affected: 8e218fb24faef0bfe95bc91b3c05261e20439527 , < ed3dfdaa8b5f0579eabfc1c5818eed30cfe1fe84 (git)
Affected: 8e218fb24faef0bfe95bc91b3c05261e20439527 , < 25efc5d03455c3839249bc77fce5e29ecb54677e (git)
Affected: 8e218fb24faef0bfe95bc91b3c05261e20439527 , < c4e2f577271e158d87a916afb4e87415a88ce856 (git)
Affected: 8e218fb24faef0bfe95bc91b3c05261e20439527 , < 9d7d83d0399e23d66fd431b553842a84ac10398f (git)
Affected: 8e218fb24faef0bfe95bc91b3c05261e20439527 , < be2f81024e7981565d90a4c9ca3067d11b6bca7f (git)
Affected: 8e218fb24faef0bfe95bc91b3c05261e20439527 , < fc8f7752a82f4accb99c0f1a868906ba1eb7b86f (git)
Affected: 8e218fb24faef0bfe95bc91b3c05261e20439527 , < cbd96d6cad6625feba9c8d101ed4977d53e82f8e (git)
Affected: 8e218fb24faef0bfe95bc91b3c05261e20439527 , < 564d4eceb97eaf381dd6ef6470b06377bb50c95a (git)

Linux

Affected: 2.6.30
Unaffected: 0 , < 2.6.30 (semver)
Unaffected: 4.9.311 , ≤ 4.9.* (semver)
Unaffected: 4.14.276 , ≤ 4.14.* (semver)
Unaffected: 4.19.238 , ≤ 4.19.* (semver)
Unaffected: 5.4.189 , ≤ 5.4.* (semver)
Unaffected: 5.10.111 , ≤ 5.10.* (semver)
Unaffected: 5.15.34 , ≤ 5.15.* (semver)
Unaffected: 5.16.20 , ≤ 5.16.* (semver)
Unaffected: 5.17.3 , ≤ 5.17.* (semver)
Unaffected: 5.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath5k/eeprom.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f4de974019a0adf34d0e7de6b86252f1bd266b06",
              "status": "affected",
              "version": "8e218fb24faef0bfe95bc91b3c05261e20439527",
              "versionType": "git"
            },
            {
              "lessThan": "ed3dfdaa8b5f0579eabfc1c5818eed30cfe1fe84",
              "status": "affected",
              "version": "8e218fb24faef0bfe95bc91b3c05261e20439527",
              "versionType": "git"
            },
            {
              "lessThan": "25efc5d03455c3839249bc77fce5e29ecb54677e",
              "status": "affected",
              "version": "8e218fb24faef0bfe95bc91b3c05261e20439527",
              "versionType": "git"
            },
            {
              "lessThan": "c4e2f577271e158d87a916afb4e87415a88ce856",
              "status": "affected",
              "version": "8e218fb24faef0bfe95bc91b3c05261e20439527",
              "versionType": "git"
            },
            {
              "lessThan": "9d7d83d0399e23d66fd431b553842a84ac10398f",
              "status": "affected",
              "version": "8e218fb24faef0bfe95bc91b3c05261e20439527",
              "versionType": "git"
            },
            {
              "lessThan": "be2f81024e7981565d90a4c9ca3067d11b6bca7f",
              "status": "affected",
              "version": "8e218fb24faef0bfe95bc91b3c05261e20439527",
              "versionType": "git"
            },
            {
              "lessThan": "fc8f7752a82f4accb99c0f1a868906ba1eb7b86f",
              "status": "affected",
              "version": "8e218fb24faef0bfe95bc91b3c05261e20439527",
              "versionType": "git"
            },
            {
              "lessThan": "cbd96d6cad6625feba9c8d101ed4977d53e82f8e",
              "status": "affected",
              "version": "8e218fb24faef0bfe95bc91b3c05261e20439527",
              "versionType": "git"
            },
            {
              "lessThan": "564d4eceb97eaf381dd6ef6470b06377bb50c95a",
              "status": "affected",
              "version": "8e218fb24faef0bfe95bc91b3c05261e20439527",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath5k/eeprom.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.30"
            },
            {
              "lessThan": "2.6.30",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.311",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.276",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.238",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.189",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.111",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.16.*",
              "status": "unaffected",
              "version": "5.16.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.17.*",
              "status": "unaffected",
              "version": "5.17.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.311",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.276",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.238",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.189",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.111",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.34",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.16.20",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.17.3",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111\n\nThe bug was found during fuzzing. Stacktrace locates it in\nath5k_eeprom_convert_pcal_info_5111.\nWhen none of the curve is selected in the loop, idx can go\nup to AR5K_EEPROM_N_PD_CURVES. The line makes pd out of bound.\npd = \u0026chinfo[pier].pd_curves[idx];\n\nThere are many OOB writes using pd later in the code. So I\nadded a sanity check for idx. Checks for other loops involving\nAR5K_EEPROM_N_PD_CURVES are not needed as the loop index is not\nused outside the loops.\n\nThe patch is NOT tested with real device.\n\nThe following is the fuzzing report\n\nBUG: KASAN: slab-out-of-bounds in ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]\nWrite of size 1 at addr ffff8880174a4d60 by task modprobe/214\n\nCPU: 0 PID: 214 Comm: modprobe Not tainted 5.6.0 #1\nCall Trace:\n dump_stack+0x76/0xa0\n print_address_description.constprop.0+0x16/0x200\n ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]\n ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]\n __kasan_report.cold+0x37/0x7c\n ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]\n kasan_report+0xe/0x20\n ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k]\n ? apic_timer_interrupt+0xa/0x20\n ? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k]\n ? ath5k_pci_eeprom_read+0x228/0x3c0 [ath5k]\n ath5k_eeprom_init+0x2513/0x6290 [ath5k]\n ? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k]\n ? usleep_range+0xb8/0x100\n ? apic_timer_interrupt+0xa/0x20\n ? ath5k_eeprom_read_pcal_info_2413+0x2f20/0x2f20 [ath5k]\n ath5k_hw_init+0xb60/0x1970 [ath5k]\n ath5k_init_ah+0x6fe/0x2530 [ath5k]\n ? kasprintf+0xa6/0xe0\n ? ath5k_stop+0x140/0x140 [ath5k]\n ? _dev_notice+0xf6/0xf6\n ? apic_timer_interrupt+0xa/0x20\n ath5k_pci_probe.cold+0x29a/0x3d6 [ath5k]\n ? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k]\n ? mutex_lock+0x89/0xd0\n ? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k]\n local_pci_probe+0xd3/0x160\n pci_device_probe+0x23f/0x3e0\n ? pci_device_remove+0x280/0x280\n ? pci_device_remove+0x280/0x280\n really_probe+0x209/0x5d0"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-21T08:31:54.292Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f4de974019a0adf34d0e7de6b86252f1bd266b06"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed3dfdaa8b5f0579eabfc1c5818eed30cfe1fe84"
        },
        {
          "url": "https://git.kernel.org/stable/c/25efc5d03455c3839249bc77fce5e29ecb54677e"
        },
        {
          "url": "https://git.kernel.org/stable/c/c4e2f577271e158d87a916afb4e87415a88ce856"
        },
        {
          "url": "https://git.kernel.org/stable/c/9d7d83d0399e23d66fd431b553842a84ac10398f"
        },
        {
          "url": "https://git.kernel.org/stable/c/be2f81024e7981565d90a4c9ca3067d11b6bca7f"
        },
        {
          "url": "https://git.kernel.org/stable/c/fc8f7752a82f4accb99c0f1a868906ba1eb7b86f"
        },
        {
          "url": "https://git.kernel.org/stable/c/cbd96d6cad6625feba9c8d101ed4977d53e82f8e"
        },
        {
          "url": "https://git.kernel.org/stable/c/564d4eceb97eaf381dd6ef6470b06377bb50c95a"
        }
      ],
      "title": "ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47633",
    "datePublished": "2025-02-26T01:54:08.651Z",
    "dateReserved": "2025-02-26T01:48:21.518Z",
    "dateUpdated": "2025-05-21T08:31:54.292Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-53761 (GCVE-0-2023-53761)

Vulnerability from cvelistv5 – Published: 2025-12-08 01:19 – Updated: 2026-01-05 10:32

Title

USB: usbtmc: Fix direction for 0-length ioctl control messages

Summary

In the Linux kernel, the following vulnerability has been resolved: USB: usbtmc: Fix direction for 0-length ioctl control messages The syzbot fuzzer found a problem in the usbtmc driver: When a user submits an ioctl for a 0-length control transfer, the driver does not check that the direction is set to OUT: ------------[ cut here ]------------ usb 3-1: BOGUS control dir, pipe 80000b80 doesn't match bRequestType fd WARNING: CPU: 0 PID: 5100 at drivers/usb/core/urb.c:411 usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411 Modules linked in: CPU: 0 PID: 5100 Comm: syz-executor428 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 RIP: 0010:usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411 Code: 7c 24 40 e8 1b 13 5c fb 48 8b 7c 24 40 e8 21 1d f0 fe 45 89 e8 44 89 f1 4c 89 e2 48 89 c6 48 c7 c7 e0 b5 fc 8a e8 19 c8 23 fb <0f> 0b e9 9f ee ff ff e8 ed 12 5c fb 0f b6 1d 12 8a 3c 08 31 ff 41 RSP: 0018:ffffc90003d2fb00 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff8880789e9058 RCX: 0000000000000000 RDX: ffff888029593b80 RSI: ffffffff814c1447 RDI: 0000000000000001 RBP: ffff88801ea742f8 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffff88802915e528 R13: 00000000000000fd R14: 0000000080000b80 R15: ffff8880222b3100 FS: 0000555556ca63c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f9ef4d18150 CR3: 0000000073e5b000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58 usb_internal_control_msg drivers/usb/core/message.c:102 [inline] usb_control_msg+0x320/0x4a0 drivers/usb/core/message.c:153 usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1954 [inline] usbtmc_ioctl+0x1b3d/0x2840 drivers/usb/class/usbtmc.c:2097 To fix this, we must override the direction in the bRequestType field of the control request structure when the length is 0.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7cef7681aa7719ff5…
	https://git.kernel.org/stable/c/6340e432cf70bf156…
	https://git.kernel.org/stable/c/3b43d9df27a708f40…
	https://git.kernel.org/stable/c/0ced12bdf624d8d89…
	https://git.kernel.org/stable/c/50775a046c68e1d15…
	https://git.kernel.org/stable/c/94d25e9128988c6a1…

Impacted products

Vendor

Product

Version

Linux

Affected: 658f24f4523e41cda6a389c38b763f4c0cad6fbc , < 7cef7681aa7719ff585dd06113a061ab2def7da0 (git)
Affected: 658f24f4523e41cda6a389c38b763f4c0cad6fbc , < 6340e432cf70bf156b19c6f5dd737d940eca02a3 (git)
Affected: 658f24f4523e41cda6a389c38b763f4c0cad6fbc , < 3b43d9df27a708f4079d518b879f517fea150a91 (git)
Affected: 658f24f4523e41cda6a389c38b763f4c0cad6fbc , < 0ced12bdf624d8d8977ddb16eb130cd479d92bcf (git)
Affected: 658f24f4523e41cda6a389c38b763f4c0cad6fbc , < 50775a046c68e1d157d5e413cae2e5e00da1c463 (git)
Affected: 658f24f4523e41cda6a389c38b763f4c0cad6fbc , < 94d25e9128988c6a1fc9070f6e98215a95795bd8 (git)

Linux

Affected: 4.20
Unaffected: 0 , < 4.20 (semver)
Unaffected: 5.4.244 , ≤ 5.4.* (semver)
Unaffected: 5.10.181 , ≤ 5.10.* (semver)
Unaffected: 5.15.113 , ≤ 5.15.* (semver)
Unaffected: 6.1.30 , ≤ 6.1.* (semver)
Unaffected: 6.3.4 , ≤ 6.3.* (semver)
Unaffected: 6.4 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/class/usbtmc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7cef7681aa7719ff585dd06113a061ab2def7da0",
              "status": "affected",
              "version": "658f24f4523e41cda6a389c38b763f4c0cad6fbc",
              "versionType": "git"
            },
            {
              "lessThan": "6340e432cf70bf156b19c6f5dd737d940eca02a3",
              "status": "affected",
              "version": "658f24f4523e41cda6a389c38b763f4c0cad6fbc",
              "versionType": "git"
            },
            {
              "lessThan": "3b43d9df27a708f4079d518b879f517fea150a91",
              "status": "affected",
              "version": "658f24f4523e41cda6a389c38b763f4c0cad6fbc",
              "versionType": "git"
            },
            {
              "lessThan": "0ced12bdf624d8d8977ddb16eb130cd479d92bcf",
              "status": "affected",
              "version": "658f24f4523e41cda6a389c38b763f4c0cad6fbc",
              "versionType": "git"
            },
            {
              "lessThan": "50775a046c68e1d157d5e413cae2e5e00da1c463",
              "status": "affected",
              "version": "658f24f4523e41cda6a389c38b763f4c0cad6fbc",
              "versionType": "git"
            },
            {
              "lessThan": "94d25e9128988c6a1fc9070f6e98215a95795bd8",
              "status": "affected",
              "version": "658f24f4523e41cda6a389c38b763f4c0cad6fbc",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/class/usbtmc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.20"
            },
            {
              "lessThan": "4.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.244",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.3.*",
              "status": "unaffected",
              "version": "6.3.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.4",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.244",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.181",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.113",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.30",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3.4",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: usbtmc: Fix direction for 0-length ioctl control messages\n\nThe syzbot fuzzer found a problem in the usbtmc driver: When a user\nsubmits an ioctl for a 0-length control transfer, the driver does not\ncheck that the direction is set to OUT:\n\n------------[ cut here ]------------\nusb 3-1: BOGUS control dir, pipe 80000b80 doesn\u0027t match bRequestType fd\nWARNING: CPU: 0 PID: 5100 at drivers/usb/core/urb.c:411 usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411\nModules linked in:\nCPU: 0 PID: 5100 Comm: syz-executor428 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023\nRIP: 0010:usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411\nCode: 7c 24 40 e8 1b 13 5c fb 48 8b 7c 24 40 e8 21 1d f0 fe 45 89 e8 44 89 f1 4c 89 e2 48 89 c6 48 c7 c7 e0 b5 fc 8a e8 19 c8 23 fb \u003c0f\u003e 0b e9 9f ee ff ff e8 ed 12 5c fb 0f b6 1d 12 8a 3c 08 31 ff 41\nRSP: 0018:ffffc90003d2fb00 EFLAGS: 00010282\nRAX: 0000000000000000 RBX: ffff8880789e9058 RCX: 0000000000000000\nRDX: ffff888029593b80 RSI: ffffffff814c1447 RDI: 0000000000000001\nRBP: ffff88801ea742f8 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000001 R12: ffff88802915e528\nR13: 00000000000000fd R14: 0000000080000b80 R15: ffff8880222b3100\nFS:  0000555556ca63c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f9ef4d18150 CR3: 0000000073e5b000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58\n usb_internal_control_msg drivers/usb/core/message.c:102 [inline]\n usb_control_msg+0x320/0x4a0 drivers/usb/core/message.c:153\n usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1954 [inline]\n usbtmc_ioctl+0x1b3d/0x2840 drivers/usb/class/usbtmc.c:2097\n\nTo fix this, we must override the direction in the bRequestType field\nof the control request structure when the length is 0."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-05T10:32:46.948Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7cef7681aa7719ff585dd06113a061ab2def7da0"
        },
        {
          "url": "https://git.kernel.org/stable/c/6340e432cf70bf156b19c6f5dd737d940eca02a3"
        },
        {
          "url": "https://git.kernel.org/stable/c/3b43d9df27a708f4079d518b879f517fea150a91"
        },
        {
          "url": "https://git.kernel.org/stable/c/0ced12bdf624d8d8977ddb16eb130cd479d92bcf"
        },
        {
          "url": "https://git.kernel.org/stable/c/50775a046c68e1d157d5e413cae2e5e00da1c463"
        },
        {
          "url": "https://git.kernel.org/stable/c/94d25e9128988c6a1fc9070f6e98215a95795bd8"
        }
      ],
      "title": "USB: usbtmc: Fix direction for 0-length ioctl control messages",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53761",
    "datePublished": "2025-12-08T01:19:22.571Z",
    "dateReserved": "2025-12-08T01:18:04.280Z",
    "dateUpdated": "2026-01-05T10:32:46.948Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-4132 (GCVE-0-2023-4132)

Vulnerability from cvelistv5 – Published: 2023-08-03 14:32 – Updated: 2025-11-07 13:03

Title

Kernel: smsusb: use-after-free caused by do_submit_urb()

Summary

A use-after-free vulnerability was found in the siano smsusb module in the Linux kernel. The bug occurs during device initialization when the siano device is plugged in. This flaw allows a local user to crash the system, causing a denial of service condition.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-416 - Use After Free

Assigner

redhat

References

URL

Tags

	https://access.redhat.com/errata/RHSA-2023:6901	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2023:7077	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2024:0575	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2024:0724	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/security/cve/CVE-2023-4132	vdb-entryx_refsource_REDHAT
	https://bugzilla.redhat.com/show_bug.cgi?id=2221707	issue-trackingx_refsource_REDHAT

Impacted products

Vendor

Product

Version

Red Hat

Red Hat Enterprise Linux 8

Unaffected: 0:4.18.0-513.5.1.rt7.307.el8_9 , < * (rpm)
cpe:/a:redhat:enterprise_linux:8::nfv
cpe:/a:redhat:enterprise_linux:8::realtime

Red Hat	Red Hat Enterprise Linux 8	Unaffected: 0:4.18.0-513.5.1.el8_9 , < * (rpm) cpe:/a:redhat:enterprise_linux:8::crb cpe:/o:redhat:enterprise_linux:8::baseos
Red Hat	Red Hat Enterprise Linux 8.6 Extended Update Support	Unaffected: 0:4.18.0-372.91.1.el8_6 , < * (rpm) cpe:/a:redhat:rhel_eus:8.6::crb cpe:/o:redhat:rhel_eus:8.6::baseos cpe:/o:redhat:rhev_hypervisor:4.4::el8
Red Hat	Red Hat Enterprise Linux 8.8 Extended Update Support	Unaffected: 0:4.18.0-477.43.1.el8_8 , < * (rpm) cpe:/a:redhat:rhel_eus:8.8::crb cpe:/o:redhat:rhel_eus:8.8::baseos
Red Hat	Red Hat Virtualization 4 for Red Hat Enterprise Linux 8	Unaffected: 0:4.18.0-372.91.1.el8_6 , < * (rpm) cpe:/a:redhat:rhel_eus:8.6::crb cpe:/o:redhat:rhel_eus:8.6::baseos cpe:/o:redhat:rhev_hypervisor:4.4::el8
Red Hat	Red Hat Enterprise Linux 6	cpe:/o:redhat:enterprise_linux:6
Red Hat	Red Hat Enterprise Linux 7	cpe:/o:redhat:enterprise_linux:7
Red Hat	Red Hat Enterprise Linux 7	cpe:/o:redhat:enterprise_linux:7
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9

Credits

Red Hat would like to thank Duoming Zhou for reporting this issue.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-4132",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-25T15:30:20.281573Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:27:22.320Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:17:12.143Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2023:6901",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:6901"
          },
          {
            "name": "RHSA-2023:7077",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:7077"
          },
          {
            "name": "RHSA-2024:0575",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0575"
          },
          {
            "name": "RHSA-2024:0724",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0724"
          },
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2023-4132"
          },
          {
            "name": "RHBZ#2221707",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2221707"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20231020-0005/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2023/dsa-5480"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2023/dsa-5492"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:8::nfv",
            "cpe:/a:redhat:enterprise_linux:8::realtime"
          ],
          "defaultStatus": "affected",
          "packageName": "kernel-rt",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:4.18.0-513.5.1.rt7.307.el8_9",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:8::crb",
            "cpe:/o:redhat:enterprise_linux:8::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "kernel",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:4.18.0-513.5.1.el8_9",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_eus:8.6::crb",
            "cpe:/o:redhat:rhel_eus:8.6::baseos",
            "cpe:/o:redhat:rhev_hypervisor:4.4::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "kernel",
          "product": "Red Hat Enterprise Linux 8.6 Extended Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:4.18.0-372.91.1.el8_6",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_eus:8.8::crb",
            "cpe:/o:redhat:rhel_eus:8.8::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "kernel",
          "product": "Red Hat Enterprise Linux 8.8 Extended Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:4.18.0-477.43.1.el8_8",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_eus:8.6::crb",
            "cpe:/o:redhat:rhel_eus:8.6::baseos",
            "cpe:/o:redhat:rhev_hypervisor:4.4::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "kernel",
          "product": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:4.18.0-372.91.1.el8_6",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "kernel",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "kernel",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "kernel-rt",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "unaffected",
          "packageName": "kernel",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "unaffected",
          "packageName": "kernel-rt",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Duoming Zhou for reporting this issue."
        }
      ],
      "datePublic": "2023-02-08T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A use-after-free vulnerability was found in the siano smsusb module in the Linux kernel. The bug occurs during device initialization when the siano device is plugged in. This flaw allows a local user to crash the system, causing a denial of service condition."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "Use After Free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-07T13:03:42.247Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2023:6901",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:6901"
        },
        {
          "name": "RHSA-2023:7077",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:7077"
        },
        {
          "name": "RHSA-2024:0575",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0575"
        },
        {
          "name": "RHSA-2024:0724",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0724"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2023-4132"
        },
        {
          "name": "RHBZ#2221707",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2221707"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-07-10T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2023-02-08T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Kernel: smsusb: use-after-free caused by do_submit_urb()",
      "x_redhatCweChain": "CWE-416: Use After Free"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2023-4132",
    "datePublished": "2023-08-03T14:32:15.246Z",
    "dateReserved": "2023-08-03T08:51:00.805Z",
    "dateUpdated": "2025-11-07T13:03:42.247Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68331 (GCVE-0-2025-68331)

Vulnerability from cvelistv5 – Published: 2025-12-22 16:12 – Updated: 2025-12-22 16:14

Title

usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer When a UAS device is unplugged during data transfer, there is a probability of a system panic occurring. The root cause is an access to an invalid memory address during URB callback handling. Specifically, this happens when the dma_direct_unmap_sg() function is called within the usb_hcd_unmap_urb_for_dma() interface, but the sg->dma_address field is 0 and the sg data structure has already been freed. The SCSI driver sends transfer commands by invoking uas_queuecommand_lck() in uas.c, using the uas_submit_urbs() function to submit requests to USB. Within the uas_submit_urbs() implementation, three URBs (sense_urb, data_urb, and cmd_urb) are sequentially submitted. Device removal may occur at any point during uas_submit_urbs execution, which may result in URB submission failure. However, some URBs might have been successfully submitted before the failure, and uas_submit_urbs will return the -ENODEV error code in this case. The current error handling directly calls scsi_done(). In the SCSI driver, this eventually triggers scsi_complete() to invoke scsi_end_request() for releasing the sgtable. The successfully submitted URBs, when being unlinked to giveback, call usb_hcd_unmap_urb_for_dma() in hcd.c, leading to exceptions during sg unmapping operations since the sg data structure has already been freed. This patch modifies the error condition check in the uas_submit_urbs() function. When a UAS device is removed but one or more URBs have already been successfully submitted to USB, it avoids immediately invoking scsi_done() and save the cmnd to devinfo->cmnd array. If the successfully submitted URBs is completed before devinfo->resetting being set, then the scsi_done() function will be called within uas_try_complete() after all pending URB operations are finalized. Otherwise, the scsi_done() function will be called within uas_zap_pending(), which is executed after usb_kill_anchored_urbs(). The error handling only takes effect when uas_queuecommand_lck() calls uas_submit_urbs() and returns the error value -ENODEV . In this case, the device is disconnected, and the flow proceeds to uas_disconnect(), where uas_zap_pending() is invoked to call uas_try_complete().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/6289fc489e94c9beb…
	https://git.kernel.org/stable/c/66ac05e7b0d6bbd1b…
	https://git.kernel.org/stable/c/75f8e2643085db4f7…
	https://git.kernel.org/stable/c/e3a55221f4de080cb…
	https://git.kernel.org/stable/c/2b90a8131c83f6f2b…
	https://git.kernel.org/stable/c/426edbfc88b22601e…
	https://git.kernel.org/stable/c/26d56a9fcb2014b99…

Impacted products

Vendor

Product

Version

Linux

Affected: eb2a86ae8c544be0ab04aa8169390c0669bc7148 , < 6289fc489e94c9beb6be2b502ccc263663733d72 (git)
Affected: eb2a86ae8c544be0ab04aa8169390c0669bc7148 , < 66ac05e7b0d6bbd1bee9fcf729e20fd4cce86d17 (git)
Affected: eb2a86ae8c544be0ab04aa8169390c0669bc7148 , < 75f8e2643085db4f7e136fc6b368eb114dd80a64 (git)
Affected: eb2a86ae8c544be0ab04aa8169390c0669bc7148 , < e3a55221f4de080cb7a91ba10f01c4f708603f8d (git)
Affected: eb2a86ae8c544be0ab04aa8169390c0669bc7148 , < 2b90a8131c83f6f2be69397d2b7d14d217d95d2f (git)
Affected: eb2a86ae8c544be0ab04aa8169390c0669bc7148 , < 426edbfc88b22601ea34a441a469092e7b301c52 (git)
Affected: eb2a86ae8c544be0ab04aa8169390c0669bc7148 , < 26d56a9fcb2014b99e654127960aa0a48a391e3c (git)

Linux

Affected: 5.10
Unaffected: 0 , < 5.10 (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.119 , ≤ 6.6.* (semver)
Unaffected: 6.12.61 , ≤ 6.12.* (semver)
Unaffected: 6.17.11 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/storage/uas.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6289fc489e94c9beb6be2b502ccc263663733d72",
              "status": "affected",
              "version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
              "versionType": "git"
            },
            {
              "lessThan": "66ac05e7b0d6bbd1bee9fcf729e20fd4cce86d17",
              "status": "affected",
              "version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
              "versionType": "git"
            },
            {
              "lessThan": "75f8e2643085db4f7e136fc6b368eb114dd80a64",
              "status": "affected",
              "version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
              "versionType": "git"
            },
            {
              "lessThan": "e3a55221f4de080cb7a91ba10f01c4f708603f8d",
              "status": "affected",
              "version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
              "versionType": "git"
            },
            {
              "lessThan": "2b90a8131c83f6f2be69397d2b7d14d217d95d2f",
              "status": "affected",
              "version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
              "versionType": "git"
            },
            {
              "lessThan": "426edbfc88b22601ea34a441a469092e7b301c52",
              "status": "affected",
              "version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
              "versionType": "git"
            },
            {
              "lessThan": "26d56a9fcb2014b99e654127960aa0a48a391e3c",
              "status": "affected",
              "version": "eb2a86ae8c544be0ab04aa8169390c0669bc7148",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/storage/uas.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.10"
            },
            {
              "lessThan": "5.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.119",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.119",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.61",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.11",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer\n\nWhen a UAS device is unplugged during data transfer, there is\na probability of a system panic occurring. The root cause is\nan access to an invalid memory address during URB callback handling.\nSpecifically, this happens when the dma_direct_unmap_sg() function\nis called within the usb_hcd_unmap_urb_for_dma() interface, but the\nsg-\u003edma_address field is 0 and the sg data structure has already been\nfreed.\n\nThe SCSI driver sends transfer commands by invoking uas_queuecommand_lck()\nin uas.c, using the uas_submit_urbs() function to submit requests to USB.\nWithin the uas_submit_urbs() implementation, three URBs (sense_urb,\ndata_urb, and cmd_urb) are sequentially submitted. Device removal may\noccur at any point during uas_submit_urbs execution, which may result\nin URB submission failure. However, some URBs might have been successfully\nsubmitted before the failure, and uas_submit_urbs will return the -ENODEV\nerror code in this case. The current error handling directly calls\nscsi_done(). In the SCSI driver, this eventually triggers scsi_complete()\nto invoke scsi_end_request() for releasing the sgtable. The successfully\nsubmitted URBs, when being unlinked to giveback, call\nusb_hcd_unmap_urb_for_dma() in hcd.c, leading to exceptions during sg\nunmapping operations since the sg data structure has already been freed.\n\nThis patch modifies the error condition check in the uas_submit_urbs()\nfunction. When a UAS device is removed but one or more URBs have already\nbeen successfully submitted to USB, it avoids immediately invoking\nscsi_done() and save the cmnd to devinfo-\u003ecmnd array. If the successfully\nsubmitted URBs is completed before devinfo-\u003eresetting being set, then\nthe scsi_done() function will be called within uas_try_complete() after\nall pending URB operations are finalized. Otherwise, the scsi_done()\nfunction will be called within uas_zap_pending(), which is executed after\nusb_kill_anchored_urbs().\n\nThe error handling only takes effect when uas_queuecommand_lck() calls\nuas_submit_urbs() and returns the error value -ENODEV . In this case,\nthe device is disconnected, and the flow proceeds to uas_disconnect(),\nwhere uas_zap_pending() is invoked to call uas_try_complete()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-22T16:14:09.243Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6289fc489e94c9beb6be2b502ccc263663733d72"
        },
        {
          "url": "https://git.kernel.org/stable/c/66ac05e7b0d6bbd1bee9fcf729e20fd4cce86d17"
        },
        {
          "url": "https://git.kernel.org/stable/c/75f8e2643085db4f7e136fc6b368eb114dd80a64"
        },
        {
          "url": "https://git.kernel.org/stable/c/e3a55221f4de080cb7a91ba10f01c4f708603f8d"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b90a8131c83f6f2be69397d2b7d14d217d95d2f"
        },
        {
          "url": "https://git.kernel.org/stable/c/426edbfc88b22601ea34a441a469092e7b301c52"
        },
        {
          "url": "https://git.kernel.org/stable/c/26d56a9fcb2014b99e654127960aa0a48a391e3c"
        }
      ],
      "title": "usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68331",
    "datePublished": "2025-12-22T16:12:24.607Z",
    "dateReserved": "2025-12-16T14:48:05.296Z",
    "dateUpdated": "2025-12-22T16:14:09.243Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50814 (GCVE-0-2022-50814)

Vulnerability from cvelistv5 – Published: 2025-12-30 12:08 – Updated: 2025-12-30 12:08

Title

crypto: hisilicon/zip - fix mismatch in get/set sgl_sge_nr

Summary

In the Linux kernel, the following vulnerability has been resolved: crypto: hisilicon/zip - fix mismatch in get/set sgl_sge_nr KASAN reported this Bug: [17619.659757] BUG: KASAN: global-out-of-bounds in param_get_int+0x34/0x60 [17619.673193] Read of size 4 at addr fffff01332d7ed00 by task read_all/1507958 ... [17619.698934] The buggy address belongs to the variable: [17619.708371] sgl_sge_nr+0x0/0xffffffffffffa300 [hisi_zip] There is a mismatch in hisi_zip when get/set the variable sgl_sge_nr. The type of sgl_sge_nr is u16, and get/set sgl_sge_nr by param_get/set_int. Replacing param_get/set_int to param_get/set_ushort can fix this bug.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d88b88514ef28515c…
	https://git.kernel.org/stable/c/272093471305261c4…
	https://git.kernel.org/stable/c/f8a983d6e01b19832…
	https://git.kernel.org/stable/c/5eaebd19fbb0e26e7…
	https://git.kernel.org/stable/c/d74f9340097a88186…

Impacted products

Vendor

Product

Version

Linux

Affected: f081fda293ffba54216a7dab66faba7275475006 , < d88b88514ef28515ccfa1f1787c2aedef75a79dd (git)
Affected: f081fda293ffba54216a7dab66faba7275475006 , < 272093471305261c4e07a2fc97c2d1e53cd56819 (git)
Affected: f081fda293ffba54216a7dab66faba7275475006 , < f8a983d6e01b198320d310cb1326364d7d973b2a (git)
Affected: f081fda293ffba54216a7dab66faba7275475006 , < 5eaebd19fbb0e26e73a34f55d3b1dc310df0eb15 (git)
Affected: f081fda293ffba54216a7dab66faba7275475006 , < d74f9340097a881869c4c22ca376654cc2516ecc (git)

Linux

Affected: 5.5
Unaffected: 0 , < 5.5 (semver)
Unaffected: 5.10.150 , ≤ 5.10.* (semver)
Unaffected: 5.15.75 , ≤ 5.15.* (semver)
Unaffected: 5.19.17 , ≤ 5.19.* (semver)
Unaffected: 6.0.3 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/hisilicon/zip/zip_crypto.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d88b88514ef28515ccfa1f1787c2aedef75a79dd",
              "status": "affected",
              "version": "f081fda293ffba54216a7dab66faba7275475006",
              "versionType": "git"
            },
            {
              "lessThan": "272093471305261c4e07a2fc97c2d1e53cd56819",
              "status": "affected",
              "version": "f081fda293ffba54216a7dab66faba7275475006",
              "versionType": "git"
            },
            {
              "lessThan": "f8a983d6e01b198320d310cb1326364d7d973b2a",
              "status": "affected",
              "version": "f081fda293ffba54216a7dab66faba7275475006",
              "versionType": "git"
            },
            {
              "lessThan": "5eaebd19fbb0e26e73a34f55d3b1dc310df0eb15",
              "status": "affected",
              "version": "f081fda293ffba54216a7dab66faba7275475006",
              "versionType": "git"
            },
            {
              "lessThan": "d74f9340097a881869c4c22ca376654cc2516ecc",
              "status": "affected",
              "version": "f081fda293ffba54216a7dab66faba7275475006",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/crypto/hisilicon/zip/zip_crypto.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.5"
            },
            {
              "lessThan": "5.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.150",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.75",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: hisilicon/zip - fix mismatch in get/set sgl_sge_nr\n\nKASAN reported this Bug:\n\n\t[17619.659757] BUG: KASAN: global-out-of-bounds in param_get_int+0x34/0x60\n\t[17619.673193] Read of size 4 at addr fffff01332d7ed00 by task read_all/1507958\n\t...\n\t[17619.698934] The buggy address belongs to the variable:\n\t[17619.708371]  sgl_sge_nr+0x0/0xffffffffffffa300 [hisi_zip]\n\nThere is a mismatch in hisi_zip when get/set the variable sgl_sge_nr.\nThe type of sgl_sge_nr is u16, and get/set sgl_sge_nr by\nparam_get/set_int.\n\nReplacing param_get/set_int to param_get/set_ushort can fix this bug."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T12:08:30.862Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d88b88514ef28515ccfa1f1787c2aedef75a79dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/272093471305261c4e07a2fc97c2d1e53cd56819"
        },
        {
          "url": "https://git.kernel.org/stable/c/f8a983d6e01b198320d310cb1326364d7d973b2a"
        },
        {
          "url": "https://git.kernel.org/stable/c/5eaebd19fbb0e26e73a34f55d3b1dc310df0eb15"
        },
        {
          "url": "https://git.kernel.org/stable/c/d74f9340097a881869c4c22ca376654cc2516ecc"
        }
      ],
      "title": "crypto: hisilicon/zip - fix mismatch in get/set sgl_sge_nr",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50814",
    "datePublished": "2025-12-30T12:08:30.862Z",
    "dateReserved": "2025-12-30T12:06:07.130Z",
    "dateUpdated": "2025-12-30T12:08:30.862Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40218 (GCVE-0-2025-40218)

Vulnerability from cvelistv5 – Published: 2025-12-04 14:50 – Updated: 2025-12-04 14:50

Title

mm/damon/vaddr: do not repeat pte_offset_map_lock() until success

Summary

In the Linux kernel, the following vulnerability has been resolved: mm/damon/vaddr: do not repeat pte_offset_map_lock() until success DAMON's virtual address space operation set implementation (vaddr) calls pte_offset_map_lock() inside the page table walk callback function. This is for reading and writing page table accessed bits. If pte_offset_map_lock() fails, it retries by returning the page table walk callback function with ACTION_AGAIN. pte_offset_map_lock() can continuously fail if the target is a pmd migration entry, though. Hence it could cause an infinite page table walk if the migration cannot be done until the page table walk is finished. This indeed caused a soft lockup when CPU hotplugging and DAMON were running in parallel. Avoid the infinite loop by simply not retrying the page table walk. DAMON is promising only a best-effort accuracy, so missing access to such pages is no problem.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/677ebfe5d00f94ade…
	https://git.kernel.org/stable/c/ac42320ec873bfe72…
	https://git.kernel.org/stable/c/0ccd91cf749536d41…
	https://git.kernel.org/stable/c/b93af2cc8e036754c…

Impacted products

Vendor

Product

Version

Linux

Affected: 7780d04046a2288ab85d88bedacc60fa4fad9971 , < 677ebfe5d00f94adec0c0204f6e6e2a82d3f77bf (git)
Affected: 7780d04046a2288ab85d88bedacc60fa4fad9971 , < ac42320ec873bfe726141069cfdd90ee5bc4e885 (git)
Affected: 7780d04046a2288ab85d88bedacc60fa4fad9971 , < 0ccd91cf749536d41307a07e60ec14ab0dbf21f5 (git)
Affected: 7780d04046a2288ab85d88bedacc60fa4fad9971 , < b93af2cc8e036754c0d9970d9ddc47f43cc94b9f (git)

Linux

Affected: 6.5
Unaffected: 0 , < 6.5 (semver)
Unaffected: 6.6.113 , ≤ 6.6.* (semver)
Unaffected: 6.12.54 , ≤ 6.12.* (semver)
Unaffected: 6.17.4 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/damon/vaddr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "677ebfe5d00f94adec0c0204f6e6e2a82d3f77bf",
              "status": "affected",
              "version": "7780d04046a2288ab85d88bedacc60fa4fad9971",
              "versionType": "git"
            },
            {
              "lessThan": "ac42320ec873bfe726141069cfdd90ee5bc4e885",
              "status": "affected",
              "version": "7780d04046a2288ab85d88bedacc60fa4fad9971",
              "versionType": "git"
            },
            {
              "lessThan": "0ccd91cf749536d41307a07e60ec14ab0dbf21f5",
              "status": "affected",
              "version": "7780d04046a2288ab85d88bedacc60fa4fad9971",
              "versionType": "git"
            },
            {
              "lessThan": "b93af2cc8e036754c0d9970d9ddc47f43cc94b9f",
              "status": "affected",
              "version": "7780d04046a2288ab85d88bedacc60fa4fad9971",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/damon/vaddr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.54",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.113",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.54",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.4",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/vaddr: do not repeat pte_offset_map_lock() until success\n\nDAMON\u0027s virtual address space operation set implementation (vaddr) calls\npte_offset_map_lock() inside the page table walk callback function.  This\nis for reading and writing page table accessed bits.  If\npte_offset_map_lock() fails, it retries by returning the page table walk\ncallback function with ACTION_AGAIN.\n\npte_offset_map_lock() can continuously fail if the target is a pmd\nmigration entry, though.  Hence it could cause an infinite page table walk\nif the migration cannot be done until the page table walk is finished. \nThis indeed caused a soft lockup when CPU hotplugging and DAMON were\nrunning in parallel.\n\nAvoid the infinite loop by simply not retrying the page table walk.  DAMON\nis promising only a best-effort accuracy, so missing access to such pages\nis no problem."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-04T14:50:41.873Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/677ebfe5d00f94adec0c0204f6e6e2a82d3f77bf"
        },
        {
          "url": "https://git.kernel.org/stable/c/ac42320ec873bfe726141069cfdd90ee5bc4e885"
        },
        {
          "url": "https://git.kernel.org/stable/c/0ccd91cf749536d41307a07e60ec14ab0dbf21f5"
        },
        {
          "url": "https://git.kernel.org/stable/c/b93af2cc8e036754c0d9970d9ddc47f43cc94b9f"
        }
      ],
      "title": "mm/damon/vaddr: do not repeat pte_offset_map_lock() until success",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40218",
    "datePublished": "2025-12-04T14:50:41.873Z",
    "dateReserved": "2025-04-16T07:20:57.179Z",
    "dateUpdated": "2025-12-04T14:50:41.873Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38159 (GCVE-0-2025-38159)

Vulnerability from cvelistv5 – Published: 2025-07-03 08:36 – Updated: 2025-11-03 17:34

Title

wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds Set the size to 6 instead of 2, since 'para' array is passed to 'rtw_fw_bt_wifi_control(rtwdev, para[0], &para[1])', which reads 5 bytes: void rtw_fw_bt_wifi_control(struct rtw_dev *rtwdev, u8 op_code, u8 *data) { ... SET_BT_WIFI_CONTROL_DATA1(h2c_pkt, *data); SET_BT_WIFI_CONTROL_DATA2(h2c_pkt, *(data + 1)); ... SET_BT_WIFI_CONTROL_DATA5(h2c_pkt, *(data + 4)); Detected using the static analysis tool - Svace.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/1ee8ea6937d13b20f…
	https://git.kernel.org/stable/c/68a1037f0bac4de9a…
	https://git.kernel.org/stable/c/74e18211c2c89ab66…
	https://git.kernel.org/stable/c/c13255389499275bc…
	https://git.kernel.org/stable/c/9febcc8bded8be0d7…
	https://git.kernel.org/stable/c/4c2c372de2e108319…

Impacted products

Vendor

Product

Version

Linux

Affected: 4136214f7c46839c15f0f177fe1d5052302c0205 , < 1ee8ea6937d13b20f90ff35d71ccc03ba448182d (git)
Affected: 4136214f7c46839c15f0f177fe1d5052302c0205 , < 68a1037f0bac4de9a585aa9c879ef886109f3647 (git)
Affected: 4136214f7c46839c15f0f177fe1d5052302c0205 , < 74e18211c2c89ab66c9546baa7408288db61aa0d (git)
Affected: 4136214f7c46839c15f0f177fe1d5052302c0205 , < c13255389499275bc5489a0b5b7940ccea3aef04 (git)
Affected: 4136214f7c46839c15f0f177fe1d5052302c0205 , < 9febcc8bded8be0d7efd8237fcef599b6d93b788 (git)
Affected: 4136214f7c46839c15f0f177fe1d5052302c0205 , < 4c2c372de2e108319236203cce6de44d70ae15cd (git)

Linux

Affected: 5.4
Unaffected: 0 , < 5.4 (semver)
Unaffected: 5.15.186 , ≤ 5.15.* (semver)
Unaffected: 6.1.142 , ≤ 6.1.* (semver)
Unaffected: 6.6.94 , ≤ 6.6.* (semver)
Unaffected: 6.12.34 , ≤ 6.12.* (semver)
Unaffected: 6.15.3 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:34:48.215Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtw88/coex.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1ee8ea6937d13b20f90ff35d71ccc03ba448182d",
              "status": "affected",
              "version": "4136214f7c46839c15f0f177fe1d5052302c0205",
              "versionType": "git"
            },
            {
              "lessThan": "68a1037f0bac4de9a585aa9c879ef886109f3647",
              "status": "affected",
              "version": "4136214f7c46839c15f0f177fe1d5052302c0205",
              "versionType": "git"
            },
            {
              "lessThan": "74e18211c2c89ab66c9546baa7408288db61aa0d",
              "status": "affected",
              "version": "4136214f7c46839c15f0f177fe1d5052302c0205",
              "versionType": "git"
            },
            {
              "lessThan": "c13255389499275bc5489a0b5b7940ccea3aef04",
              "status": "affected",
              "version": "4136214f7c46839c15f0f177fe1d5052302c0205",
              "versionType": "git"
            },
            {
              "lessThan": "9febcc8bded8be0d7efd8237fcef599b6d93b788",
              "status": "affected",
              "version": "4136214f7c46839c15f0f177fe1d5052302c0205",
              "versionType": "git"
            },
            {
              "lessThan": "4c2c372de2e108319236203cce6de44d70ae15cd",
              "status": "affected",
              "version": "4136214f7c46839c15f0f177fe1d5052302c0205",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtw88/coex.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.4"
            },
            {
              "lessThan": "5.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.186",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.142",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.94",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.34",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.186",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.142",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.94",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.34",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.3",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw88: fix the \u0027para\u0027 buffer size to avoid reading out of bounds\n\nSet the size to 6 instead of 2, since \u0027para\u0027 array is passed to\n\u0027rtw_fw_bt_wifi_control(rtwdev, para[0], \u0026para[1])\u0027, which reads\n5 bytes:\n\nvoid rtw_fw_bt_wifi_control(struct rtw_dev *rtwdev, u8 op_code, u8 *data)\n{\n    ...\n    SET_BT_WIFI_CONTROL_DATA1(h2c_pkt, *data);\n    SET_BT_WIFI_CONTROL_DATA2(h2c_pkt, *(data + 1));\n    ...\n    SET_BT_WIFI_CONTROL_DATA5(h2c_pkt, *(data + 4));\n\nDetected using the static analysis tool - Svace."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:13:51.003Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1ee8ea6937d13b20f90ff35d71ccc03ba448182d"
        },
        {
          "url": "https://git.kernel.org/stable/c/68a1037f0bac4de9a585aa9c879ef886109f3647"
        },
        {
          "url": "https://git.kernel.org/stable/c/74e18211c2c89ab66c9546baa7408288db61aa0d"
        },
        {
          "url": "https://git.kernel.org/stable/c/c13255389499275bc5489a0b5b7940ccea3aef04"
        },
        {
          "url": "https://git.kernel.org/stable/c/9febcc8bded8be0d7efd8237fcef599b6d93b788"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c2c372de2e108319236203cce6de44d70ae15cd"
        }
      ],
      "title": "wifi: rtw88: fix the \u0027para\u0027 buffer size to avoid reading out of bounds",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38159",
    "datePublished": "2025-07-03T08:36:01.490Z",
    "dateReserved": "2025-04-16T04:51:23.990Z",
    "dateUpdated": "2025-11-03T17:34:48.215Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40350 (GCVE-0-2025-40350)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:30 – Updated: 2025-12-16 13:30

Title

net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for striding RQ

Summary

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for striding RQ XDP programs can change the layout of an xdp_buff through bpf_xdp_adjust_tail() and bpf_xdp_adjust_head(). Therefore, the driver cannot assume the size of the linear data area nor fragments. Fix the bug in mlx5 by generating skb according to xdp_buff after XDP programs run. Currently, when handling multi-buf XDP, the mlx5 driver assumes the layout of an xdp_buff to be unchanged. That is, the linear data area continues to be empty and fragments remain the same. This may cause the driver to generate erroneous skb or triggering a kernel warning. When an XDP program added linear data through bpf_xdp_adjust_head(), the linear data will be ignored as mlx5e_build_linear_skb() builds an skb without linear data and then pull data from fragments to fill the linear data area. When an XDP program has shrunk the non-linear data through bpf_xdp_adjust_tail(), the delta passed to __pskb_pull_tail() may exceed the actual nonlinear data size and trigger the BUG_ON in it. To fix the issue, first record the original number of fragments. If the number of fragments changes after the XDP program runs, rewind the end fragment pointer by the difference and recalculate the truesize. Then, build the skb with the linear data area matching the xdp_buff. Finally, only pull data in if there is non-linear data and fill the linear part up to 256 bytes.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/8b051d7f530e8a523…
	https://git.kernel.org/stable/c/cb9edd583e23979ee…
	https://git.kernel.org/stable/c/f2557d7fa38e9475b…
	https://git.kernel.org/stable/c/87bcef158ac1faca1…

Impacted products

Vendor

Product

Version

Linux

Affected: f52ac7028bec22e925c8fece4f21641eb13b4d6f , < 8b051d7f530e8a5237da242fbeafef02fec6b813 (git)
Affected: f52ac7028bec22e925c8fece4f21641eb13b4d6f , < cb9edd583e23979ee546981be963ad5f217e8b18 (git)
Affected: f52ac7028bec22e925c8fece4f21641eb13b4d6f , < f2557d7fa38e9475b38588f5c124476091480f53 (git)
Affected: f52ac7028bec22e925c8fece4f21641eb13b4d6f , < 87bcef158ac1faca1bd7e0104588e8e2956d10be (git)

Linux

Affected: 6.4
Unaffected: 0 , < 6.4 (semver)
Unaffected: 6.6.115 , ≤ 6.6.* (semver)
Unaffected: 6.12.56 , ≤ 6.12.* (semver)
Unaffected: 6.17.6 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/en_rx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8b051d7f530e8a5237da242fbeafef02fec6b813",
              "status": "affected",
              "version": "f52ac7028bec22e925c8fece4f21641eb13b4d6f",
              "versionType": "git"
            },
            {
              "lessThan": "cb9edd583e23979ee546981be963ad5f217e8b18",
              "status": "affected",
              "version": "f52ac7028bec22e925c8fece4f21641eb13b4d6f",
              "versionType": "git"
            },
            {
              "lessThan": "f2557d7fa38e9475b38588f5c124476091480f53",
              "status": "affected",
              "version": "f52ac7028bec22e925c8fece4f21641eb13b4d6f",
              "versionType": "git"
            },
            {
              "lessThan": "87bcef158ac1faca1bd7e0104588e8e2956d10be",
              "status": "affected",
              "version": "f52ac7028bec22e925c8fece4f21641eb13b4d6f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/en_rx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.115",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.56",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.115",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.56",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.6",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: RX, Fix generating skb from non-linear xdp_buff for striding RQ\n\nXDP programs can change the layout of an xdp_buff through\nbpf_xdp_adjust_tail() and bpf_xdp_adjust_head(). Therefore, the driver\ncannot assume the size of the linear data area nor fragments. Fix the\nbug in mlx5 by generating skb according to xdp_buff after XDP programs\nrun.\n\nCurrently, when handling multi-buf XDP, the mlx5 driver assumes the\nlayout of an xdp_buff to be unchanged. That is, the linear data area\ncontinues to be empty and fragments remain the same. This may cause\nthe driver to generate erroneous skb or triggering a kernel\nwarning. When an XDP program added linear data through\nbpf_xdp_adjust_head(), the linear data will be ignored as\nmlx5e_build_linear_skb() builds an skb without linear data and then\npull data from fragments to fill the linear data area. When an XDP\nprogram has shrunk the non-linear data through bpf_xdp_adjust_tail(),\nthe delta passed to __pskb_pull_tail() may exceed the actual nonlinear\ndata size and trigger the BUG_ON in it.\n\nTo fix the issue, first record the original number of fragments. If the\nnumber of fragments changes after the XDP program runs, rewind the end\nfragment pointer by the difference and recalculate the truesize. Then,\nbuild the skb with the linear data area matching the xdp_buff. Finally,\nonly pull data in if there is non-linear data and fill the linear part\nup to 256 bytes."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T13:30:23.896Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8b051d7f530e8a5237da242fbeafef02fec6b813"
        },
        {
          "url": "https://git.kernel.org/stable/c/cb9edd583e23979ee546981be963ad5f217e8b18"
        },
        {
          "url": "https://git.kernel.org/stable/c/f2557d7fa38e9475b38588f5c124476091480f53"
        },
        {
          "url": "https://git.kernel.org/stable/c/87bcef158ac1faca1bd7e0104588e8e2956d10be"
        }
      ],
      "title": "net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for striding RQ",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40350",
    "datePublished": "2025-12-16T13:30:23.896Z",
    "dateReserved": "2025-04-16T07:20:57.187Z",
    "dateUpdated": "2025-12-16T13:30:23.896Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68207 (GCVE-0-2025-68207)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:48 – Updated: 2025-12-16 13:48

Title

drm/xe/guc: Synchronize Dead CT worker with unbind

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/xe/guc: Synchronize Dead CT worker with unbind Cancel and wait for any Dead CT worker to complete before continuing with device unbinding. Else the worker will end up using resources freed by the undind operation. (cherry picked from commit 492671339114e376aaa38626d637a2751cdef263)

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/35959ab7d16b61861…
	https://git.kernel.org/stable/c/ce6ccf8e881a919bf…
	https://git.kernel.org/stable/c/95af8f4fdce8349a5…

Impacted products

Vendor

Product

Version

Linux

Affected: ff6482fb458953e111a82b7c537363d9aacf04bf , < 35959ab7d16b618616edf6df882a4533d2efe193 (git)
Affected: d2c5a5a926f43b2e42c5c955f917bad8ad6dd68c , < ce6ccf8e881a919bf902174ac879f80c97669498 (git)
Affected: d2c5a5a926f43b2e42c5c955f917bad8ad6dd68c , < 95af8f4fdce8349a5fe75264007f1af2aa1082ea (git)

Linux

Affected: 6.13
Unaffected: 0 , < 6.13 (semver)
Unaffected: 6.12.59 , ≤ 6.12.* (semver)
Unaffected: 6.17.9 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/xe/xe_guc_ct.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "35959ab7d16b618616edf6df882a4533d2efe193",
              "status": "affected",
              "version": "ff6482fb458953e111a82b7c537363d9aacf04bf",
              "versionType": "git"
            },
            {
              "lessThan": "ce6ccf8e881a919bf902174ac879f80c97669498",
              "status": "affected",
              "version": "d2c5a5a926f43b2e42c5c955f917bad8ad6dd68c",
              "versionType": "git"
            },
            {
              "lessThan": "95af8f4fdce8349a5fe75264007f1af2aa1082ea",
              "status": "affected",
              "version": "d2c5a5a926f43b2e42c5c955f917bad8ad6dd68c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/xe/xe_guc_ct.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "6.12.37",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/guc: Synchronize Dead CT worker with unbind\n\nCancel and wait for any Dead CT worker to complete before continuing\nwith device unbinding. Else the worker will end up using resources freed\nby the undind operation.\n\n(cherry picked from commit 492671339114e376aaa38626d637a2751cdef263)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T13:48:34.574Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/35959ab7d16b618616edf6df882a4533d2efe193"
        },
        {
          "url": "https://git.kernel.org/stable/c/ce6ccf8e881a919bf902174ac879f80c97669498"
        },
        {
          "url": "https://git.kernel.org/stable/c/95af8f4fdce8349a5fe75264007f1af2aa1082ea"
        }
      ],
      "title": "drm/xe/guc: Synchronize Dead CT worker with unbind",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68207",
    "datePublished": "2025-12-16T13:48:34.574Z",
    "dateReserved": "2025-12-16T13:41:40.255Z",
    "dateUpdated": "2025-12-16T13:48:34.574Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68286 (GCVE-0-2025-68286)

Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-20 08:52

Title

drm/amd/display: Check NULL before accessing

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check NULL before accessing [WHAT] IGT kms_cursor_legacy's long-nonblocking-modeset-vs-cursor-atomic fails with NULL pointer dereference. This can be reproduced with both an eDP panel and a DP monitors connected. BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 13 UID: 0 PID: 2960 Comm: kms_cursor_lega Not tainted 6.16.0-99-custom #8 PREEMPT(voluntary) Hardware name: AMD ........ RIP: 0010:dc_stream_get_scanoutpos+0x34/0x130 [amdgpu] Code: 57 4d 89 c7 41 56 49 89 ce 41 55 49 89 d5 41 54 49 89 fc 53 48 83 ec 18 48 8b 87 a0 64 00 00 48 89 75 d0 48 c7 c6 e0 41 30 c2 <48> 8b 38 48 8b 9f 68 06 00 00 e8 8d d7 fd ff 31 c0 48 81 c3 e0 02 RSP: 0018:ffffd0f3c2bd7608 EFLAGS: 00010292 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffd0f3c2bd7668 RDX: ffffd0f3c2bd7664 RSI: ffffffffc23041e0 RDI: ffff8b32494b8000 RBP: ffffd0f3c2bd7648 R08: ffffd0f3c2bd766c R09: ffffd0f3c2bd7760 R10: ffffd0f3c2bd7820 R11: 0000000000000000 R12: ffff8b32494b8000 R13: ffffd0f3c2bd7664 R14: ffffd0f3c2bd7668 R15: ffffd0f3c2bd766c FS: 000071f631b68700(0000) GS:ffff8b399f114000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000001b8105000 CR4: 0000000000f50ef0 PKRU: 55555554 Call Trace: <TASK> dm_crtc_get_scanoutpos+0xd7/0x180 [amdgpu] amdgpu_display_get_crtc_scanoutpos+0x86/0x1c0 [amdgpu] ? __pfx_amdgpu_crtc_get_scanout_position+0x10/0x10[amdgpu] amdgpu_crtc_get_scanout_position+0x27/0x50 [amdgpu] drm_crtc_vblank_helper_get_vblank_timestamp_internal+0xf7/0x400 drm_crtc_vblank_helper_get_vblank_timestamp+0x1c/0x30 drm_crtc_get_last_vbltimestamp+0x55/0x90 drm_crtc_next_vblank_start+0x45/0xa0 drm_atomic_helper_wait_for_fences+0x81/0x1f0 ... (cherry picked from commit 621e55f1919640acab25383362b96e65f2baea3c)

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/781f2f32e9c19eb79…
	https://git.kernel.org/stable/c/09092269cb762378c…
	https://git.kernel.org/stable/c/109e9c92543f3105e…
	https://git.kernel.org/stable/c/9d1a65cbe3ec5da30…
	https://git.kernel.org/stable/c/f7cf491cd5b54b5a0…
	https://git.kernel.org/stable/c/62150f1e7ec707da7…
	https://git.kernel.org/stable/c/3ce62c189693e8ed7…

Impacted products

Vendor

Product

Version

Linux

Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 781f2f32e9c19eb791b52af283c96f9a9677a7f2 (git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 09092269cb762378ca8b56024746b1a136761e0d (git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 109e9c92543f3105e8e1efd2c5e6b92ef55d5743 (git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 9d1a65cbe3ec5da3003c8434ac7a38dcdc958fd9 (git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < f7cf491cd5b54b5a093bd3fdf76fa2860a7522bf (git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 62150f1e7ec707da76ff353fb7db51fef9cd6557 (git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 3ce62c189693e8ed7b3abe551802bbc67f3ace54 (git)

Linux

Affected: 4.15
Unaffected: 0 , < 4.15 (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.119 , ≤ 6.6.* (semver)
Unaffected: 6.12.61 , ≤ 6.12.* (semver)
Unaffected: 6.17.11 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/dc/core/dc_stream.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "781f2f32e9c19eb791b52af283c96f9a9677a7f2",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "09092269cb762378ca8b56024746b1a136761e0d",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "109e9c92543f3105e8e1efd2c5e6b92ef55d5743",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "9d1a65cbe3ec5da3003c8434ac7a38dcdc958fd9",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "f7cf491cd5b54b5a093bd3fdf76fa2860a7522bf",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "62150f1e7ec707da76ff353fb7db51fef9cd6557",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "3ce62c189693e8ed7b3abe551802bbc67f3ace54",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/dc/core/dc_stream.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.15"
            },
            {
              "lessThan": "4.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.119",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.119",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.61",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.11",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Check NULL before accessing\n\n[WHAT]\nIGT kms_cursor_legacy\u0027s long-nonblocking-modeset-vs-cursor-atomic\nfails with NULL pointer dereference. This can be reproduced with\nboth an eDP panel and a DP monitors connected.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 13 UID: 0 PID: 2960 Comm: kms_cursor_lega Not tainted\n6.16.0-99-custom #8 PREEMPT(voluntary)\n Hardware name: AMD ........\n RIP: 0010:dc_stream_get_scanoutpos+0x34/0x130 [amdgpu]\n Code: 57 4d 89 c7 41 56 49 89 ce 41 55 49 89 d5 41 54 49\n 89 fc 53 48 83 ec 18 48 8b 87 a0 64 00 00 48 89 75 d0 48 c7 c6 e0 41 30\n c2 \u003c48\u003e 8b 38 48 8b 9f 68 06 00 00 e8 8d d7 fd ff 31 c0 48 81 c3 e0 02\n RSP: 0018:ffffd0f3c2bd7608 EFLAGS: 00010292\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffd0f3c2bd7668\n RDX: ffffd0f3c2bd7664 RSI: ffffffffc23041e0 RDI: ffff8b32494b8000\n RBP: ffffd0f3c2bd7648 R08: ffffd0f3c2bd766c R09: ffffd0f3c2bd7760\n R10: ffffd0f3c2bd7820 R11: 0000000000000000 R12: ffff8b32494b8000\n R13: ffffd0f3c2bd7664 R14: ffffd0f3c2bd7668 R15: ffffd0f3c2bd766c\n FS:  000071f631b68700(0000) GS:ffff8b399f114000(0000)\nknlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 00000001b8105000 CR4: 0000000000f50ef0\n PKRU: 55555554\n Call Trace:\n \u003cTASK\u003e\n dm_crtc_get_scanoutpos+0xd7/0x180 [amdgpu]\n amdgpu_display_get_crtc_scanoutpos+0x86/0x1c0 [amdgpu]\n ? __pfx_amdgpu_crtc_get_scanout_position+0x10/0x10[amdgpu]\n amdgpu_crtc_get_scanout_position+0x27/0x50 [amdgpu]\n drm_crtc_vblank_helper_get_vblank_timestamp_internal+0xf7/0x400\n drm_crtc_vblank_helper_get_vblank_timestamp+0x1c/0x30\n drm_crtc_get_last_vbltimestamp+0x55/0x90\n drm_crtc_next_vblank_start+0x45/0xa0\n drm_atomic_helper_wait_for_fences+0x81/0x1f0\n ...\n\n(cherry picked from commit 621e55f1919640acab25383362b96e65f2baea3c)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-20T08:52:20.161Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/781f2f32e9c19eb791b52af283c96f9a9677a7f2"
        },
        {
          "url": "https://git.kernel.org/stable/c/09092269cb762378ca8b56024746b1a136761e0d"
        },
        {
          "url": "https://git.kernel.org/stable/c/109e9c92543f3105e8e1efd2c5e6b92ef55d5743"
        },
        {
          "url": "https://git.kernel.org/stable/c/9d1a65cbe3ec5da3003c8434ac7a38dcdc958fd9"
        },
        {
          "url": "https://git.kernel.org/stable/c/f7cf491cd5b54b5a093bd3fdf76fa2860a7522bf"
        },
        {
          "url": "https://git.kernel.org/stable/c/62150f1e7ec707da76ff353fb7db51fef9cd6557"
        },
        {
          "url": "https://git.kernel.org/stable/c/3ce62c189693e8ed7b3abe551802bbc67f3ace54"
        }
      ],
      "title": "drm/amd/display: Check NULL before accessing",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68286",
    "datePublished": "2025-12-16T15:06:07.838Z",
    "dateReserved": "2025-12-16T14:48:05.292Z",
    "dateUpdated": "2025-12-20T08:52:20.161Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68287 (GCVE-0-2025-68287)

Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2025-12-16 15:06

Title

usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths This patch addresses a race condition caused by unsynchronized execution of multiple call paths invoking `dwc3_remove_requests()`, leading to premature freeing of USB requests and subsequent crashes. Three distinct execution paths interact with `dwc3_remove_requests()`: Path 1: Triggered via `dwc3_gadget_reset_interrupt()` during USB reset handling. The call stack includes: - `dwc3_ep0_reset_state()` - `dwc3_ep0_stall_and_restart()` - `dwc3_ep0_out_start()` - `dwc3_remove_requests()` - `dwc3_gadget_del_and_unmap_request()` Path 2: Also initiated from `dwc3_gadget_reset_interrupt()`, but through `dwc3_stop_active_transfers()`. The call stack includes: - `dwc3_stop_active_transfers()` - `dwc3_remove_requests()` - `dwc3_gadget_del_and_unmap_request()` Path 3: Occurs independently during `adb root` execution, which triggers USB function unbind and bind operations. The sequence includes: - `gserial_disconnect()` - `usb_ep_disable()` - `dwc3_gadget_ep_disable()` - `dwc3_remove_requests()` with `-ESHUTDOWN` status Path 3 operates asynchronously and lacks synchronization with Paths 1 and 2. When Path 3 completes, it disables endpoints and frees 'out' requests. If Paths 1 or 2 are still processing these requests, accessing freed memory leads to a crash due to use-after-free conditions. To fix this added check for request completion and skip processing if already completed and added the request status for ep0 while queue.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/467add9db13219101…
	https://git.kernel.org/stable/c/67192e8cb7f941b5b…
	https://git.kernel.org/stable/c/47de14d741cc40570…
	https://git.kernel.org/stable/c/afc0e34f161ce61ad…
	https://git.kernel.org/stable/c/7cfb62888eba292fa…
	https://git.kernel.org/stable/c/fa5eaf701e5768800…
	https://git.kernel.org/stable/c/e4037689a366743c4…

Impacted products

Vendor

Product

Version

Linux

Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < 467add9db13219101f14b6cc5477998b4aaa5fe2 (git)
Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < 67192e8cb7f941b5bba91e4bb290683576ce1607 (git)
Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < 47de14d741cc4057046c9e2f33df1f7828254e6c (git)
Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < afc0e34f161ce61ad351303c46eb57bd44b8b090 (git)
Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < 7cfb62888eba292fa35cd9ddbd28ce595f60e139 (git)
Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < fa5eaf701e576880070b60922200557ae4aa54e1 (git)
Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < e4037689a366743c4233966f0e74bc455820d316 (git)

Linux

Affected: 3.2
Unaffected: 0 , < 3.2 (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.119 , ≤ 6.6.* (semver)
Unaffected: 6.12.61 , ≤ 6.12.* (semver)
Unaffected: 6.17.11 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/dwc3/ep0.c",
            "drivers/usb/dwc3/gadget.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "467add9db13219101f14b6cc5477998b4aaa5fe2",
              "status": "affected",
              "version": "72246da40f3719af3bfd104a2365b32537c27d83",
              "versionType": "git"
            },
            {
              "lessThan": "67192e8cb7f941b5bba91e4bb290683576ce1607",
              "status": "affected",
              "version": "72246da40f3719af3bfd104a2365b32537c27d83",
              "versionType": "git"
            },
            {
              "lessThan": "47de14d741cc4057046c9e2f33df1f7828254e6c",
              "status": "affected",
              "version": "72246da40f3719af3bfd104a2365b32537c27d83",
              "versionType": "git"
            },
            {
              "lessThan": "afc0e34f161ce61ad351303c46eb57bd44b8b090",
              "status": "affected",
              "version": "72246da40f3719af3bfd104a2365b32537c27d83",
              "versionType": "git"
            },
            {
              "lessThan": "7cfb62888eba292fa35cd9ddbd28ce595f60e139",
              "status": "affected",
              "version": "72246da40f3719af3bfd104a2365b32537c27d83",
              "versionType": "git"
            },
            {
              "lessThan": "fa5eaf701e576880070b60922200557ae4aa54e1",
              "status": "affected",
              "version": "72246da40f3719af3bfd104a2365b32537c27d83",
              "versionType": "git"
            },
            {
              "lessThan": "e4037689a366743c4233966f0e74bc455820d316",
              "status": "affected",
              "version": "72246da40f3719af3bfd104a2365b32537c27d83",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/dwc3/ep0.c",
            "drivers/usb/dwc3/gadget.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.2"
            },
            {
              "lessThan": "3.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.119",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.119",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.61",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.11",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths\n\nThis patch addresses a race condition caused by unsynchronized\nexecution of multiple call paths invoking `dwc3_remove_requests()`,\nleading to premature freeing of USB requests and subsequent crashes.\n\nThree distinct execution paths interact with `dwc3_remove_requests()`:\nPath 1:\nTriggered via `dwc3_gadget_reset_interrupt()` during USB reset\nhandling. The call stack includes:\n- `dwc3_ep0_reset_state()`\n- `dwc3_ep0_stall_and_restart()`\n- `dwc3_ep0_out_start()`\n- `dwc3_remove_requests()`\n- `dwc3_gadget_del_and_unmap_request()`\n\nPath 2:\nAlso initiated from `dwc3_gadget_reset_interrupt()`, but through\n`dwc3_stop_active_transfers()`. The call stack includes:\n- `dwc3_stop_active_transfers()`\n- `dwc3_remove_requests()`\n- `dwc3_gadget_del_and_unmap_request()`\n\nPath 3:\nOccurs independently during `adb root` execution, which triggers\nUSB function unbind and bind operations. The sequence includes:\n- `gserial_disconnect()`\n- `usb_ep_disable()`\n- `dwc3_gadget_ep_disable()`\n- `dwc3_remove_requests()` with `-ESHUTDOWN` status\n\nPath 3 operates asynchronously and lacks synchronization with Paths\n1 and 2. When Path 3 completes, it disables endpoints and frees \u0027out\u0027\nrequests. If Paths 1 or 2 are still processing these requests,\naccessing freed memory leads to a crash due to use-after-free conditions.\n\nTo fix this added check for request completion and skip processing\nif already completed and added the request status for ep0 while queue."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T15:06:08.711Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/467add9db13219101f14b6cc5477998b4aaa5fe2"
        },
        {
          "url": "https://git.kernel.org/stable/c/67192e8cb7f941b5bba91e4bb290683576ce1607"
        },
        {
          "url": "https://git.kernel.org/stable/c/47de14d741cc4057046c9e2f33df1f7828254e6c"
        },
        {
          "url": "https://git.kernel.org/stable/c/afc0e34f161ce61ad351303c46eb57bd44b8b090"
        },
        {
          "url": "https://git.kernel.org/stable/c/7cfb62888eba292fa35cd9ddbd28ce595f60e139"
        },
        {
          "url": "https://git.kernel.org/stable/c/fa5eaf701e576880070b60922200557ae4aa54e1"
        },
        {
          "url": "https://git.kernel.org/stable/c/e4037689a366743c4233966f0e74bc455820d316"
        }
      ],
      "title": "usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68287",
    "datePublished": "2025-12-16T15:06:08.711Z",
    "dateReserved": "2025-12-16T14:48:05.292Z",
    "dateUpdated": "2025-12-16T15:06:08.711Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68749 (GCVE-0-2025-68749)

Vulnerability from cvelistv5 – Published: 2025-12-24 12:09 – Updated: 2026-01-30 15:35

Title

accel/ivpu: Fix race condition when unbinding BOs

Summary

In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Fix race condition when unbinding BOs Fix 'Memory manager not clean during takedown' warning that occurs when ivpu_gem_bo_free() removes the BO from the BOs list before it gets unmapped. Then file_priv_unbind() triggers a warning in drm_mm_takedown() during context teardown. Protect the unmapping sequence with bo_list_lock to ensure the BO is always fully unmapped when removed from the list. This ensures the BO is either fully unmapped at context teardown time or present on the list and unmapped by file_priv_unbind().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0328bb097bef05a79…
	https://git.kernel.org/stable/c/fb16493ebd8f171bc…
	https://git.kernel.org/stable/c/d71333ffdd3707d84…
	https://git.kernel.org/stable/c/00812636df370bedf…

Impacted products

Vendor

Product

Version

Linux

Affected: 48aea7f2a2efae6a1bd201061c71a81b3f3b7e55 , < 0328bb097bef05a796217c54b3d651cc3782827c (git)
Affected: 48aea7f2a2efae6a1bd201061c71a81b3f3b7e55 , < fb16493ebd8f171bcf0772262619618a131f30f7 (git)
Affected: 48aea7f2a2efae6a1bd201061c71a81b3f3b7e55 , < d71333ffdd3707d84cfb95acfaf8ba892adc066b (git)
Affected: 48aea7f2a2efae6a1bd201061c71a81b3f3b7e55 , < 00812636df370bedf4e44a0c81b86ea96bca8628 (git)

Linux

Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.12.68 , ≤ 6.12.* (semver)
Unaffected: 6.17.13 , ≤ 6.17.* (semver)
Unaffected: 6.18.2 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/accel/ivpu/ivpu_gem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0328bb097bef05a796217c54b3d651cc3782827c",
              "status": "affected",
              "version": "48aea7f2a2efae6a1bd201061c71a81b3f3b7e55",
              "versionType": "git"
            },
            {
              "lessThan": "fb16493ebd8f171bcf0772262619618a131f30f7",
              "status": "affected",
              "version": "48aea7f2a2efae6a1bd201061c71a81b3f3b7e55",
              "versionType": "git"
            },
            {
              "lessThan": "d71333ffdd3707d84cfb95acfaf8ba892adc066b",
              "status": "affected",
              "version": "48aea7f2a2efae6a1bd201061c71a81b3f3b7e55",
              "versionType": "git"
            },
            {
              "lessThan": "00812636df370bedf4e44a0c81b86ea96bca8628",
              "status": "affected",
              "version": "48aea7f2a2efae6a1bd201061c71a81b3f3b7e55",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/accel/ivpu/ivpu_gem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.68",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.68",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.13",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.2",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/ivpu: Fix race condition when unbinding BOs\n\nFix \u0027Memory manager not clean during takedown\u0027 warning that occurs\nwhen ivpu_gem_bo_free() removes the BO from the BOs list before it\ngets unmapped. Then file_priv_unbind() triggers a warning in\ndrm_mm_takedown() during context teardown.\n\nProtect the unmapping sequence with bo_list_lock to ensure the BO is\nalways fully unmapped when removed from the list. This ensures the BO\nis either fully unmapped at context teardown time or present on the\nlist and unmapped by file_priv_unbind()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-30T15:35:42.461Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0328bb097bef05a796217c54b3d651cc3782827c"
        },
        {
          "url": "https://git.kernel.org/stable/c/fb16493ebd8f171bcf0772262619618a131f30f7"
        },
        {
          "url": "https://git.kernel.org/stable/c/d71333ffdd3707d84cfb95acfaf8ba892adc066b"
        },
        {
          "url": "https://git.kernel.org/stable/c/00812636df370bedf4e44a0c81b86ea96bca8628"
        }
      ],
      "title": "accel/ivpu: Fix race condition when unbinding BOs",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68749",
    "datePublished": "2025-12-24T12:09:44.301Z",
    "dateReserved": "2025-12-24T10:30:51.032Z",
    "dateUpdated": "2026-01-30T15:35:42.461Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68197 (GCVE-0-2025-68197)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:43 – Updated: 2025-12-16 13:43

Title

bnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap()

Summary

In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap() With older FW, we may get the ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER for FW trace data type that has not been initialized. This will result in a crash in bnxt_bs_trace_type_wrap(). Add a guard to check for a valid magic_byte pointer before proceeding.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/689ae5ba31293eebb…
	https://git.kernel.org/stable/c/ff02be05f78399c76…

Impacted products

Vendor

Product

Version

Linux

Affected: 84fcd9449fd7882ddfb05ba64d75f9be2d29b2e9 , < 689ae5ba31293eebb7f21c0ef8939468ac72b5ce (git)
Affected: 84fcd9449fd7882ddfb05ba64d75f9be2d29b2e9 , < ff02be05f78399c766be68ab0b2285ff90b2aaa8 (git)

Linux

Affected: 6.13
Unaffected: 0 , < 6.13 (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/broadcom/bnxt/bnxt.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "689ae5ba31293eebb7f21c0ef8939468ac72b5ce",
              "status": "affected",
              "version": "84fcd9449fd7882ddfb05ba64d75f9be2d29b2e9",
              "versionType": "git"
            },
            {
              "lessThan": "ff02be05f78399c766be68ab0b2285ff90b2aaa8",
              "status": "affected",
              "version": "84fcd9449fd7882ddfb05ba64d75f9be2d29b2e9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/broadcom/bnxt/bnxt.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap()\n\nWith older FW, we may get the ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER\nfor FW trace data type that has not been initialized.  This will result\nin a crash in bnxt_bs_trace_type_wrap().  Add a guard to check for a\nvalid magic_byte pointer before proceeding."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T13:43:23.269Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/689ae5ba31293eebb7f21c0ef8939468ac72b5ce"
        },
        {
          "url": "https://git.kernel.org/stable/c/ff02be05f78399c766be68ab0b2285ff90b2aaa8"
        }
      ],
      "title": "bnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68197",
    "datePublished": "2025-12-16T13:43:23.269Z",
    "dateReserved": "2025-12-16T13:41:40.253Z",
    "dateUpdated": "2025-12-16T13:43:23.269Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-54019 (GCVE-0-2023-54019)

Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55

Title

sched/psi: use kernfs polling functions for PSI trigger polling

Summary

In the Linux kernel, the following vulnerability has been resolved: sched/psi: use kernfs polling functions for PSI trigger polling Destroying psi trigger in cgroup_file_release causes UAF issues when a cgroup is removed from under a polling process. This is happening because cgroup removal causes a call to cgroup_file_release while the actual file is still alive. Destroying the trigger at this point would also destroy its waitqueue head and if there is still a polling process on that file accessing the waitqueue, it will step on the freed pointer: do_select vfs_poll do_rmdir cgroup_rmdir kernfs_drain_open_files cgroup_file_release cgroup_pressure_release psi_trigger_destroy wake_up_pollfree(&t->event_wait) // vfs_poll is unblocked synchronize_rcu kfree(t) poll_freewait -> UAF access to the trigger's waitqueue head Patch [1] fixed this issue for epoll() case using wake_up_pollfree(), however the same issue exists for synchronous poll() case. The root cause of this issue is that the lifecycles of the psi trigger's waitqueue and of the file associated with the trigger are different. Fix this by using kernfs_generic_poll function when polling on cgroup-specific psi triggers. It internally uses kernfs_open_node->poll waitqueue head with its lifecycle tied to the file's lifecycle. This also renders the fix in [1] obsolete, so revert it. [1] commit c2dbe32d5db5 ("sched/psi: Fix use-after-free in ep_remove_wait_queue()")

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/92cc0153324b6ae85…
	https://git.kernel.org/stable/c/d124ab17024cc85a1…
	https://git.kernel.org/stable/c/aff037078ecaecf34…

Impacted products

Vendor

Product

Version

Linux

Affected: 0e94682b73bfa6c44c98af7a26771c9c08c055d5 , < 92cc0153324b6ae8577a39f5bf2cd83c9a34ea6a (git)
Affected: 0e94682b73bfa6c44c98af7a26771c9c08c055d5 , < d124ab17024cc85a1079b7810a018a497ebc13da (git)
Affected: 0e94682b73bfa6c44c98af7a26771c9c08c055d5 , < aff037078ecaecf34a7c2afab1341815f90fba5e (git)

Linux

Affected: 5.2
Unaffected: 0 , < 5.2 (semver)
Unaffected: 6.1.42 , ≤ 6.1.* (semver)
Unaffected: 6.4.7 , ≤ 6.4.* (semver)
Unaffected: 6.5 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/psi.h",
            "include/linux/psi_types.h",
            "kernel/cgroup/cgroup.c",
            "kernel/sched/psi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "92cc0153324b6ae8577a39f5bf2cd83c9a34ea6a",
              "status": "affected",
              "version": "0e94682b73bfa6c44c98af7a26771c9c08c055d5",
              "versionType": "git"
            },
            {
              "lessThan": "d124ab17024cc85a1079b7810a018a497ebc13da",
              "status": "affected",
              "version": "0e94682b73bfa6c44c98af7a26771c9c08c055d5",
              "versionType": "git"
            },
            {
              "lessThan": "aff037078ecaecf34a7c2afab1341815f90fba5e",
              "status": "affected",
              "version": "0e94682b73bfa6c44c98af7a26771c9c08c055d5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/psi.h",
            "include/linux/psi_types.h",
            "kernel/cgroup/cgroup.c",
            "kernel/sched/psi.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.2"
            },
            {
              "lessThan": "5.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.42",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.7",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/psi: use kernfs polling functions for PSI trigger polling\n\nDestroying psi trigger in cgroup_file_release causes UAF issues when\na cgroup is removed from under a polling process. This is happening\nbecause cgroup removal causes a call to cgroup_file_release while the\nactual file is still alive. Destroying the trigger at this point would\nalso destroy its waitqueue head and if there is still a polling process\non that file accessing the waitqueue, it will step on the freed pointer:\n\ndo_select\n  vfs_poll\n                           do_rmdir\n                             cgroup_rmdir\n                               kernfs_drain_open_files\n                                 cgroup_file_release\n                                   cgroup_pressure_release\n                                     psi_trigger_destroy\n                                       wake_up_pollfree(\u0026t-\u003eevent_wait)\n// vfs_poll is unblocked\n                                       synchronize_rcu\n                                       kfree(t)\n  poll_freewait -\u003e UAF access to the trigger\u0027s waitqueue head\n\nPatch [1] fixed this issue for epoll() case using wake_up_pollfree(),\nhowever the same issue exists for synchronous poll() case.\nThe root cause of this issue is that the lifecycles of the psi trigger\u0027s\nwaitqueue and of the file associated with the trigger are different. Fix\nthis by using kernfs_generic_poll function when polling on cgroup-specific\npsi triggers. It internally uses kernfs_open_node-\u003epoll waitqueue head\nwith its lifecycle tied to the file\u0027s lifecycle. This also renders the\nfix in [1] obsolete, so revert it.\n\n[1] commit c2dbe32d5db5 (\"sched/psi: Fix use-after-free in ep_remove_wait_queue()\")"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-24T10:55:49.840Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/92cc0153324b6ae8577a39f5bf2cd83c9a34ea6a"
        },
        {
          "url": "https://git.kernel.org/stable/c/d124ab17024cc85a1079b7810a018a497ebc13da"
        },
        {
          "url": "https://git.kernel.org/stable/c/aff037078ecaecf34a7c2afab1341815f90fba5e"
        }
      ],
      "title": "sched/psi: use kernfs polling functions for PSI trigger polling",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-54019",
    "datePublished": "2025-12-24T10:55:49.840Z",
    "dateReserved": "2025-12-24T10:53:46.179Z",
    "dateUpdated": "2025-12-24T10:55:49.840Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68181 (GCVE-0-2025-68181)

Vulnerability from cvelistv5 – Published: 2025-12-16 13:42 – Updated: 2025-12-16 13:42

Title

drm/radeon: Remove calls to drm_put_dev()

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/radeon: Remove calls to drm_put_dev() Since the allocation of the drivers main structure was changed to devm_drm_dev_alloc() drm_put_dev()'ing to trigger it to be free'd should be done by devres. However, drm_put_dev() is still in the probe error and device remove paths. When the driver fails to probe warnings like the following are shown because devres is trying to drm_put_dev() after the driver already did it. [ 5.642230] radeon 0000:01:05.0: probe with driver radeon failed with error -22 [ 5.649605] ------------[ cut here ]------------ [ 5.649607] refcount_t: underflow; use-after-free. [ 5.649620] WARNING: CPU: 0 PID: 357 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110 (cherry picked from commit 3eb8c0b4c091da0a623ade0d3ee7aa4a93df1ea4)

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/2fa41445d8c98f2a6…
	https://git.kernel.org/stable/c/ec18f6b2c743cc471…
	https://git.kernel.org/stable/c/745bae76acdd71709…

Impacted products

Vendor

Product

Version

Linux

Affected: a9ed2f052c5c14e4be58c5ec8794dffc87588123 , < 2fa41445d8c98f2a65503c373796466496edc0e7 (git)
Affected: a9ed2f052c5c14e4be58c5ec8794dffc87588123 , < ec18f6b2c743cc471b2539ddb5caed20a012e640 (git)
Affected: a9ed2f052c5c14e4be58c5ec8794dffc87588123 , < 745bae76acdd71709773c129a69deca01036250b (git)

Linux

Affected: 6.12
Unaffected: 0 , < 6.12 (semver)
Unaffected: 6.12.58 , ≤ 6.12.* (semver)
Unaffected: 6.17.8 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/radeon/radeon_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2fa41445d8c98f2a65503c373796466496edc0e7",
              "status": "affected",
              "version": "a9ed2f052c5c14e4be58c5ec8794dffc87588123",
              "versionType": "git"
            },
            {
              "lessThan": "ec18f6b2c743cc471b2539ddb5caed20a012e640",
              "status": "affected",
              "version": "a9ed2f052c5c14e4be58c5ec8794dffc87588123",
              "versionType": "git"
            },
            {
              "lessThan": "745bae76acdd71709773c129a69deca01036250b",
              "status": "affected",
              "version": "a9ed2f052c5c14e4be58c5ec8794dffc87588123",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/radeon/radeon_drv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.58",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.58",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.8",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: Remove calls to drm_put_dev()\n\nSince the allocation of the drivers main structure was changed to\ndevm_drm_dev_alloc() drm_put_dev()\u0027ing to trigger it to be free\u0027d\nshould be done by devres.\n\nHowever, drm_put_dev() is still in the probe error and device remove\npaths. When the driver fails to probe warnings like the following are\nshown because devres is trying to drm_put_dev() after the driver\nalready did it.\n\n[    5.642230] radeon 0000:01:05.0: probe with driver radeon failed with error -22\n[    5.649605] ------------[ cut here ]------------\n[    5.649607] refcount_t: underflow; use-after-free.\n[    5.649620] WARNING: CPU: 0 PID: 357 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110\n\n(cherry picked from commit 3eb8c0b4c091da0a623ade0d3ee7aa4a93df1ea4)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-16T13:42:59.600Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2fa41445d8c98f2a65503c373796466496edc0e7"
        },
        {
          "url": "https://git.kernel.org/stable/c/ec18f6b2c743cc471b2539ddb5caed20a012e640"
        },
        {
          "url": "https://git.kernel.org/stable/c/745bae76acdd71709773c129a69deca01036250b"
        }
      ],
      "title": "drm/radeon: Remove calls to drm_put_dev()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68181",
    "datePublished": "2025-12-16T13:42:59.600Z",
    "dateReserved": "2025-12-16T13:41:40.252Z",
    "dateUpdated": "2025-12-16T13:42:59.600Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68766 (GCVE-0-2025-68766)

Vulnerability from cvelistv5 – Published: 2026-01-05 09:44 – Updated: 2026-01-11 16:30

Title

irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc()

Summary

In the Linux kernel, the following vulnerability has been resolved: irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc() If irq_domain_translate_twocell() sets "hwirq" to >= MCHP_EIC_NIRQ (2) then it results in an out of bounds access. The code checks for invalid values, but doesn't set the error code. Return -EINVAL in that case, instead of returning success.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/324c60a67c4b96684…
	https://git.kernel.org/stable/c/c21c606ad398eeb86…
	https://git.kernel.org/stable/c/3873afcb57614c1aa…
	https://git.kernel.org/stable/c/09efe7cfbf919c4d7…
	https://git.kernel.org/stable/c/efd65e2e2fd96f7aa…
	https://git.kernel.org/stable/c/7dbc0d40d8347bd9d…

Impacted products

Vendor

Product

Version

Linux

Affected: 00fa3461c86dd289b441d4d5a6bb236064bd207b , < 324c60a67c4b9668497940f667db14d216cc7b1b (git)
Affected: 00fa3461c86dd289b441d4d5a6bb236064bd207b , < c21c606ad398eeb86a0f3aaff9ba4f2665e286c6 (git)
Affected: 00fa3461c86dd289b441d4d5a6bb236064bd207b , < 3873afcb57614c1aaa5b6715554d6d1c22cac95a (git)
Affected: 00fa3461c86dd289b441d4d5a6bb236064bd207b , < 09efe7cfbf919c4d763bc425473fcfee0dc98356 (git)
Affected: 00fa3461c86dd289b441d4d5a6bb236064bd207b , < efd65e2e2fd96f7aaa5cb07d79bbbfcfc80aa552 (git)
Affected: 00fa3461c86dd289b441d4d5a6bb236064bd207b , < 7dbc0d40d8347bd9de55c904f59ea44bcc8dedb7 (git)

Linux

Affected: 5.16
Unaffected: 0 , < 5.16 (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.63 , ≤ 6.12.* (semver)
Unaffected: 6.17.13 , ≤ 6.17.* (semver)
Unaffected: 6.18.2 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/irqchip/irq-mchp-eic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "324c60a67c4b9668497940f667db14d216cc7b1b",
              "status": "affected",
              "version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
              "versionType": "git"
            },
            {
              "lessThan": "c21c606ad398eeb86a0f3aaff9ba4f2665e286c6",
              "status": "affected",
              "version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
              "versionType": "git"
            },
            {
              "lessThan": "3873afcb57614c1aaa5b6715554d6d1c22cac95a",
              "status": "affected",
              "version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
              "versionType": "git"
            },
            {
              "lessThan": "09efe7cfbf919c4d763bc425473fcfee0dc98356",
              "status": "affected",
              "version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
              "versionType": "git"
            },
            {
              "lessThan": "efd65e2e2fd96f7aaa5cb07d79bbbfcfc80aa552",
              "status": "affected",
              "version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
              "versionType": "git"
            },
            {
              "lessThan": "7dbc0d40d8347bd9de55c904f59ea44bcc8dedb7",
              "status": "affected",
              "version": "00fa3461c86dd289b441d4d5a6bb236064bd207b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/irqchip/irq-mchp-eic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.16"
            },
            {
              "lessThan": "5.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.63",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.63",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.13",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.2",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc()\n\nIf irq_domain_translate_twocell() sets \"hwirq\" to \u003e= MCHP_EIC_NIRQ (2) then\nit results in an out of bounds access.\n\nThe code checks for invalid values, but doesn\u0027t set the error code.  Return\n-EINVAL in that case, instead of returning success."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-11T16:30:35.537Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/324c60a67c4b9668497940f667db14d216cc7b1b"
        },
        {
          "url": "https://git.kernel.org/stable/c/c21c606ad398eeb86a0f3aaff9ba4f2665e286c6"
        },
        {
          "url": "https://git.kernel.org/stable/c/3873afcb57614c1aaa5b6715554d6d1c22cac95a"
        },
        {
          "url": "https://git.kernel.org/stable/c/09efe7cfbf919c4d763bc425473fcfee0dc98356"
        },
        {
          "url": "https://git.kernel.org/stable/c/efd65e2e2fd96f7aaa5cb07d79bbbfcfc80aa552"
        },
        {
          "url": "https://git.kernel.org/stable/c/7dbc0d40d8347bd9de55c904f59ea44bcc8dedb7"
        }
      ],
      "title": "irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68766",
    "datePublished": "2026-01-05T09:44:13.935Z",
    "dateReserved": "2025-12-24T10:30:51.034Z",
    "dateUpdated": "2026-01-11T16:30:35.537Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40275 (GCVE-0-2025-40275)

Vulnerability from cvelistv5 – Published: 2025-12-06 21:50 – Updated: 2025-12-06 21:50

Title

ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd

Summary

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd In snd_usb_create_streams(), for UAC version 3 devices, the Interface Association Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this call fails, a fallback routine attempts to obtain the IAD from the next interface and sets a BADD profile. However, snd_usb_mixer_controls_badd() assumes that the IAD retrieved from usb_ifnum_to_if() is always valid, without performing a NULL check. This can lead to a NULL pointer dereference when usb_ifnum_to_if() fails to find the interface descriptor. This patch adds a NULL pointer check after calling usb_ifnum_to_if() in snd_usb_mixer_controls_badd() to prevent the dereference. This issue was discovered by syzkaller, which triggered the bug by sending a crafted USB device descriptor.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/23aea9c74aeea2625…
	https://git.kernel.org/stable/c/c5c08965ab96b1636…
	https://git.kernel.org/stable/c/9f282104627be5fbd…
	https://git.kernel.org/stable/c/2762d3ea9c929ca40…
	https://git.kernel.org/stable/c/57f607c112966c212…
	https://git.kernel.org/stable/c/cbdbfc756f2990942…
	https://git.kernel.org/stable/c/85568535893600024…
	https://git.kernel.org/stable/c/632108ec072ad64c8…

Impacted products

Vendor

Product

Version

Linux

Affected: 17156f23e93c0f59e06dd2aaffd06221341caaee , < 23aea9c74aeea2625aaf4fbcc6beb9d09e30f9e4 (git)
Affected: 17156f23e93c0f59e06dd2aaffd06221341caaee , < c5c08965ab96b16361e69a1e2a0e89dbcb99b5a6 (git)
Affected: 17156f23e93c0f59e06dd2aaffd06221341caaee , < 9f282104627be5fbded3102ff9004f753c55a063 (git)
Affected: 17156f23e93c0f59e06dd2aaffd06221341caaee , < 2762d3ea9c929ca4094541ca517c317ffa94625b (git)
Affected: 17156f23e93c0f59e06dd2aaffd06221341caaee , < 57f607c112966c21240c424b33e2cb71e121dcf0 (git)
Affected: 17156f23e93c0f59e06dd2aaffd06221341caaee , < cbdbfc756f2990942138ed0138da9303b4dbf9ff (git)
Affected: 17156f23e93c0f59e06dd2aaffd06221341caaee , < 85568535893600024d7d8794f4f8b6428b521e0c (git)
Affected: 17156f23e93c0f59e06dd2aaffd06221341caaee , < 632108ec072ad64c8c83db6e16a7efee29ebfb74 (git)

Linux

Affected: 4.18
Unaffected: 0 , < 4.18 (semver)
Unaffected: 5.4.302 , ≤ 5.4.* (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.117 , ≤ 6.6.* (semver)
Unaffected: 6.12.59 , ≤ 6.12.* (semver)
Unaffected: 6.17.9 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/usb/mixer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "23aea9c74aeea2625aaf4fbcc6beb9d09e30f9e4",
              "status": "affected",
              "version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
              "versionType": "git"
            },
            {
              "lessThan": "c5c08965ab96b16361e69a1e2a0e89dbcb99b5a6",
              "status": "affected",
              "version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
              "versionType": "git"
            },
            {
              "lessThan": "9f282104627be5fbded3102ff9004f753c55a063",
              "status": "affected",
              "version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
              "versionType": "git"
            },
            {
              "lessThan": "2762d3ea9c929ca4094541ca517c317ffa94625b",
              "status": "affected",
              "version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
              "versionType": "git"
            },
            {
              "lessThan": "57f607c112966c21240c424b33e2cb71e121dcf0",
              "status": "affected",
              "version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
              "versionType": "git"
            },
            {
              "lessThan": "cbdbfc756f2990942138ed0138da9303b4dbf9ff",
              "status": "affected",
              "version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
              "versionType": "git"
            },
            {
              "lessThan": "85568535893600024d7d8794f4f8b6428b521e0c",
              "status": "affected",
              "version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
              "versionType": "git"
            },
            {
              "lessThan": "632108ec072ad64c8c83db6e16a7efee29ebfb74",
              "status": "affected",
              "version": "17156f23e93c0f59e06dd2aaffd06221341caaee",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/usb/mixer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.18"
            },
            {
              "lessThan": "4.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.302",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.117",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.302",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.117",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.9",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd\n\nIn snd_usb_create_streams(), for UAC version 3 devices, the Interface\nAssociation Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this\ncall fails, a fallback routine attempts to obtain the IAD from the next\ninterface and sets a BADD profile. However, snd_usb_mixer_controls_badd()\nassumes that the IAD retrieved from usb_ifnum_to_if() is always valid,\nwithout performing a NULL check. This can lead to a NULL pointer\ndereference when usb_ifnum_to_if() fails to find the interface descriptor.\n\nThis patch adds a NULL pointer check after calling usb_ifnum_to_if() in\nsnd_usb_mixer_controls_badd() to prevent the dereference.\n\nThis issue was discovered by syzkaller, which triggered the bug by sending\na crafted USB device descriptor."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-06T21:50:57.914Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/23aea9c74aeea2625aaf4fbcc6beb9d09e30f9e4"
        },
        {
          "url": "https://git.kernel.org/stable/c/c5c08965ab96b16361e69a1e2a0e89dbcb99b5a6"
        },
        {
          "url": "https://git.kernel.org/stable/c/9f282104627be5fbded3102ff9004f753c55a063"
        },
        {
          "url": "https://git.kernel.org/stable/c/2762d3ea9c929ca4094541ca517c317ffa94625b"
        },
        {
          "url": "https://git.kernel.org/stable/c/57f607c112966c21240c424b33e2cb71e121dcf0"
        },
        {
          "url": "https://git.kernel.org/stable/c/cbdbfc756f2990942138ed0138da9303b4dbf9ff"
        },
        {
          "url": "https://git.kernel.org/stable/c/85568535893600024d7d8794f4f8b6428b521e0c"
        },
        {
          "url": "https://git.kernel.org/stable/c/632108ec072ad64c8c83db6e16a7efee29ebfb74"
        }
      ],
      "title": "ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40275",
    "datePublished": "2025-12-06T21:50:57.914Z",
    "dateReserved": "2025-04-16T07:20:57.184Z",
    "dateUpdated": "2025-12-06T21:50:57.914Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68758 (GCVE-0-2025-68758)

Vulnerability from cvelistv5 – Published: 2026-01-05 09:32 – Updated: 2026-01-19 12:18

Title

backlight: led-bl: Add devlink to supplier LEDs

Summary

In the Linux kernel, the following vulnerability has been resolved: backlight: led-bl: Add devlink to supplier LEDs LED Backlight is a consumer of one or multiple LED class devices, but devlink is currently unable to create correct supplier-producer links when the supplier is a class device. It creates instead a link where the supplier is the parent of the expected device. One consequence is that removal order is not correctly enforced. Issues happen for example with the following sections in a device tree overlay: // An LED driver chip pca9632@62 { compatible = "nxp,pca9632"; reg = <0x62>; // ... addon_led_pwm: led-pwm@3 { reg = <3>; label = "addon:led:pwm"; }; }; backlight-addon { compatible = "led-backlight"; leds = <&addon_led_pwm>; brightness-levels = <255>; default-brightness-level = <255>; }; In this example, the devlink should be created between the backlight-addon (consumer) and the pca9632@62 (supplier). Instead it is created between the backlight-addon (consumer) and the parent of the pca9632@62, which is typically the I2C bus adapter. On removal of the above overlay, the LED driver can be removed before the backlight device, resulting in: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 ... Call trace: led_put+0xe0/0x140 devm_led_release+0x6c/0x98 Another way to reproduce the bug without any device tree overlays is unbinding the LED class device (pca9632@62) before unbinding the consumer (backlight-addon): echo 11-0062 >/sys/bus/i2c/drivers/leds-pca963x/unbind echo ...backlight-dock >/sys/bus/platform/drivers/led-backlight/unbind Fix by adding a devlink between the consuming led-backlight device and the supplying LED device, as other drivers and subsystems do as well.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/64739adf3eef063b8…
	https://git.kernel.org/stable/c/cd01a24b3e52d6777…
	https://git.kernel.org/stable/c/e06df738a9ad8417f…
	https://git.kernel.org/stable/c/30cbe4b642745a948…
	https://git.kernel.org/stable/c/0e63ea4378489e09e…
	https://git.kernel.org/stable/c/60a24070392ec726c…
	https://git.kernel.org/stable/c/08c9dc6b0f2c68e5e…
	https://git.kernel.org/stable/c/9341d6698f4cfdfc3…

Impacted products

Vendor

Product

Version

Linux

Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 64739adf3eef063b8e2c72b7e919eac8c6480bf0 (git)
Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < cd01a24b3e52d6777b49c917d841f125fe9eebd0 (git)
Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < e06df738a9ad8417f1c4c7cd6992cda320e9e7ca (git)
Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 30cbe4b642745a9488a0f0d78be43afe69d7555c (git)
Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 0e63ea4378489e09eb5e920c8a50c10caacf563a (git)
Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 60a24070392ec726ccfe6ad1ca7b0381c8d8f7c9 (git)
Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 08c9dc6b0f2c68e5e7c374ac4499e321e435d46c (git)
Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 9341d6698f4cfdfc374fb6944158d111ebe16a9d (git)

Linux

Affected: 5.6
Unaffected: 0 , < 5.6 (semver)
Unaffected: 5.10.248 , ≤ 5.10.* (semver)
Unaffected: 5.15.198 , ≤ 5.15.* (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.63 , ≤ 6.12.* (semver)
Unaffected: 6.17.13 , ≤ 6.17.* (semver)
Unaffected: 6.18.2 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/backlight/led_bl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "64739adf3eef063b8e2c72b7e919eac8c6480bf0",
              "status": "affected",
              "version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
              "versionType": "git"
            },
            {
              "lessThan": "cd01a24b3e52d6777b49c917d841f125fe9eebd0",
              "status": "affected",
              "version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
              "versionType": "git"
            },
            {
              "lessThan": "e06df738a9ad8417f1c4c7cd6992cda320e9e7ca",
              "status": "affected",
              "version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
              "versionType": "git"
            },
            {
              "lessThan": "30cbe4b642745a9488a0f0d78be43afe69d7555c",
              "status": "affected",
              "version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
              "versionType": "git"
            },
            {
              "lessThan": "0e63ea4378489e09eb5e920c8a50c10caacf563a",
              "status": "affected",
              "version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
              "versionType": "git"
            },
            {
              "lessThan": "60a24070392ec726ccfe6ad1ca7b0381c8d8f7c9",
              "status": "affected",
              "version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
              "versionType": "git"
            },
            {
              "lessThan": "08c9dc6b0f2c68e5e7c374ac4499e321e435d46c",
              "status": "affected",
              "version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
              "versionType": "git"
            },
            {
              "lessThan": "9341d6698f4cfdfc374fb6944158d111ebe16a9d",
              "status": "affected",
              "version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/backlight/led_bl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.6"
            },
            {
              "lessThan": "5.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.248",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.63",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.248",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.198",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.63",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.13",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.2",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc1",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbacklight: led-bl: Add devlink to supplier LEDs\n\nLED Backlight is a consumer of one or multiple LED class devices, but\ndevlink is currently unable to create correct supplier-producer links when\nthe supplier is a class device. It creates instead a link where the\nsupplier is the parent of the expected device.\n\nOne consequence is that removal order is not correctly enforced.\n\nIssues happen for example with the following sections in a device tree\noverlay:\n\n    // An LED driver chip\n    pca9632@62 {\n        compatible = \"nxp,pca9632\";\n        reg = \u003c0x62\u003e;\n\n\t// ...\n\n        addon_led_pwm: led-pwm@3 {\n            reg = \u003c3\u003e;\n            label = \"addon:led:pwm\";\n        };\n    };\n\n    backlight-addon {\n        compatible = \"led-backlight\";\n        leds = \u003c\u0026addon_led_pwm\u003e;\n        brightness-levels = \u003c255\u003e;\n        default-brightness-level = \u003c255\u003e;\n    };\n\nIn this example, the devlink should be created between the backlight-addon\n(consumer) and the pca9632@62 (supplier). Instead it is created between the\nbacklight-addon (consumer) and the parent of the pca9632@62, which is\ntypically the I2C bus adapter.\n\nOn removal of the above overlay, the LED driver can be removed before the\nbacklight device, resulting in:\n\n    Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010\n    ...\n    Call trace:\n     led_put+0xe0/0x140\n     devm_led_release+0x6c/0x98\n\nAnother way to reproduce the bug without any device tree overlays is\nunbinding the LED class device (pca9632@62) before unbinding the consumer\n(backlight-addon):\n\n  echo 11-0062 \u003e/sys/bus/i2c/drivers/leds-pca963x/unbind\n  echo ...backlight-dock \u003e/sys/bus/platform/drivers/led-backlight/unbind\n\nFix by adding a devlink between the consuming led-backlight device and the\nsupplying LED device, as other drivers and subsystems do as well."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-19T12:18:45.301Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/64739adf3eef063b8e2c72b7e919eac8c6480bf0"
        },
        {
          "url": "https://git.kernel.org/stable/c/cd01a24b3e52d6777b49c917d841f125fe9eebd0"
        },
        {
          "url": "https://git.kernel.org/stable/c/e06df738a9ad8417f1c4c7cd6992cda320e9e7ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/30cbe4b642745a9488a0f0d78be43afe69d7555c"
        },
        {
          "url": "https://git.kernel.org/stable/c/0e63ea4378489e09eb5e920c8a50c10caacf563a"
        },
        {
          "url": "https://git.kernel.org/stable/c/60a24070392ec726ccfe6ad1ca7b0381c8d8f7c9"
        },
        {
          "url": "https://git.kernel.org/stable/c/08c9dc6b0f2c68e5e7c374ac4499e321e435d46c"
        },
        {
          "url": "https://git.kernel.org/stable/c/9341d6698f4cfdfc374fb6944158d111ebe16a9d"
        }
      ],
      "title": "backlight: led-bl: Add devlink to supplier LEDs",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68758",
    "datePublished": "2026-01-05T09:32:31.399Z",
    "dateReserved": "2025-12-24T10:30:51.033Z",
    "dateUpdated": "2026-01-19T12:18:45.301Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CERTFR-2026-AVI-0128

Solutions

Tags

Sightings

Nomenclature

Action not permitted

CERTFR-2026-AVI-0128

Solutions

CVE-2025-40226 (GCVE-0-2025-40226)

CVE-2022-50884 (GCVE-0-2022-50884)

CVE-2025-68256 (GCVE-0-2025-68256)

CVE-2025-40215 (GCVE-0-2025-40215)

CVE-2025-40231 (GCVE-0-2025-40231)

CVE-2022-50840 (GCVE-0-2022-50840)

CVE-2025-40339 (GCVE-0-2025-40339)

CVE-2025-68301 (GCVE-0-2025-68301)

CVE-2025-40266 (GCVE-0-2025-40266)

CVE-2025-40256 (GCVE-0-2025-40256)

CVE-2025-40307 (GCVE-0-2025-40307)

CVE-2025-68235 (GCVE-0-2025-68235)

CVE-2025-68317 (GCVE-0-2025-68317)

CVE-2022-50821 (GCVE-0-2022-50821)

CVE-2025-68353 (GCVE-0-2025-68353)

CVE-2025-68170 (GCVE-0-2025-68170)

CVE-2025-68255 (GCVE-0-2025-68255)

CVE-2025-40357 (GCVE-0-2025-40357)

CVE-2025-40240 (GCVE-0-2025-40240)

CVE-2025-40302 (GCVE-0-2025-40302)

CVE-2025-40237 (GCVE-0-2025-40237)

CVE-2022-50703 (GCVE-0-2022-50703)

CVE-2025-68254 (GCVE-0-2025-68254)

CVE-2025-40018 (GCVE-0-2025-40018)

CVE-2025-68213 (GCVE-0-2025-68213)

CVE-2025-40303 (GCVE-0-2025-40303)

CVE-2025-40213 (GCVE-0-2025-40213)

CVE-2025-68222 (GCVE-0-2025-68222)

CVE-2025-40330 (GCVE-0-2025-40330)

CVE-2025-68195 (GCVE-0-2025-68195)

CVE-2025-40238 (GCVE-0-2025-40238)

CVE-2025-40209 (GCVE-0-2025-40209)

CVE-2022-48853 (GCVE-0-2022-48853)

CVE-2022-50640 (GCVE-0-2022-50640)

CVE-2023-54243 (GCVE-0-2023-54243)

CVE-2025-40289 (GCVE-0-2025-40289)

CVE-2023-54168 (GCVE-0-2023-54168)

CVE-2022-50756 (GCVE-0-2022-50756)

CVE-2025-40320 (GCVE-0-2025-40320)

CVE-2025-68184 (GCVE-0-2025-68184)

CVE-2025-40273 (GCVE-0-2025-40273)

CVE-2025-40304 (GCVE-0-2025-40304)

CVE-2025-68202 (GCVE-0-2025-68202)

CVE-2025-40280 (GCVE-0-2025-40280)

CVE-2025-68344 (GCVE-0-2025-68344)

CVE-2025-21718 (GCVE-0-2025-21718)

CVE-2025-40329 (GCVE-0-2025-40329)

CVE-2025-68354 (GCVE-0-2025-68354)

CVE-2025-68732 (GCVE-0-2025-68732)

CVE-2023-54242 (GCVE-0-2023-54242)

CVE-2025-40274 (GCVE-0-2025-40274)

CVE-2022-50623 (GCVE-0-2022-50623)

CVE-2025-40284 (GCVE-0-2025-40284)

CVE-2025-68759 (GCVE-0-2025-68759)

CVE-2025-68765 (GCVE-0-2025-68765)

CVE-2025-68312 (GCVE-0-2025-68312)

CVE-2023-53215 (GCVE-0-2023-53215)

CVE-2022-50644 (GCVE-0-2022-50644)

CVE-2025-40292 (GCVE-0-2025-40292)

CVE-2025-40324 (GCVE-0-2025-40324)

CVE-2024-57996 (GCVE-0-2024-57996)

CVE-2025-40160 (GCVE-0-2025-40160)

CVE-2025-40322 (GCVE-0-2025-40322)

CVE-2025-68283 (GCVE-0-2025-68283)

CVE-2025-68347 (GCVE-0-2025-68347)

CVE-2025-40314 (GCVE-0-2025-40314)

CVE-2025-40130 (GCVE-0-2025-40130)

CVE-2022-49291 (GCVE-0-2022-49291)

CVE-2025-40220 (GCVE-0-2025-40220)

CVE-2025-40123 (GCVE-0-2025-40123)

CVE-2025-40315 (GCVE-0-2025-40315)

CVE-2025-40317 (GCVE-0-2025-40317)

CVE-2025-68180 (GCVE-0-2025-68180)

CVE-2025-40359 (GCVE-0-2025-40359)

CVE-2025-68185 (GCVE-0-2025-68185)

CVE-2025-40235 (GCVE-0-2025-40235)

CVE-2025-40321 (GCVE-0-2025-40321)