SUSE-SU-2026:0176-1 - Vulnerability-Lookup

SUSE-SU-2026:0176-1

Vulnerability from csaf_suse - Published: 2026-01-19 19:03 - Updated: 2026-01-19 19:03

Summary

Security update for the Linux Kernel (Live Patch 44 for SUSE Linux Enterprise 15 SP4)

Severity

Important

Notes

Title of the patch: Security update for the Linux Kernel (Live Patch 44 for SUSE Linux Enterprise 15 SP4)

Description of the patch: This update for the SUSE Linux Enterprise kernel 5.14.21-150400.24.176 fixes various security issues The following security issues were fixed: - CVE-2022-50233: bluetooth: device name can cause reading kernel memory by not supplying terminal \0 (bsc#1249242). - CVE-2022-50327: ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value (bsc#1254451). - CVE-2022-50409: net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory (bsc#1250665). - CVE-2022-50490: bpf: Propagate error from htab_lock_bucket() to userspace (bsc#1251165). - CVE-2023-53676: scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show() (bsc#1251787). - CVE-2025-38476: rpl: Fix use-after-free in rpl_do_srh_inline() (bsc#1251203). - CVE-2025-38572: ipv6: reject malicious packets in ipv6_gso_segment() (bsc#1248400). - CVE-2025-40204: sctp: Fix MAC comparison to be constant-time (bsc#1253437).

Patchnames: SUSE-2026-176,SUSE-SLE-Module-Live-Patching-15-SP4-2026-176

Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

CVE-2022-50233

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2022-50327

7 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2022-50409

7 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2022-50490

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2023-53676

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2025-38476

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2025-38572

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2025-40204

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

References

URL

Category

	https://www.suse.com/support/security/rating/	external
	https://ftp.suse.com/pub/projects/security/csaf/s…	self
	https://www.suse.com/support/update/announcement/…	self
	https://lists.suse.com/pipermail/sle-security-upd…	self
	https://bugzilla.suse.com/1248400	self
	https://bugzilla.suse.com/1249242	self
	https://bugzilla.suse.com/1250665	self
	https://bugzilla.suse.com/1251165	self
	https://bugzilla.suse.com/1251203	self
	https://bugzilla.suse.com/1251787	self
	https://bugzilla.suse.com/1253437	self
	https://bugzilla.suse.com/1254451	self
	https://www.suse.com/security/cve/CVE-2022-50233/	self
	https://www.suse.com/security/cve/CVE-2022-50327/	self
	https://www.suse.com/security/cve/CVE-2022-50409/	self
	https://www.suse.com/security/cve/CVE-2022-50490/	self
	https://www.suse.com/security/cve/CVE-2023-53676/	self
	https://www.suse.com/security/cve/CVE-2025-38476/	self
	https://www.suse.com/security/cve/CVE-2025-38572/	self
	https://www.suse.com/security/cve/CVE-2025-40204/	self
	https://www.suse.com/security/cve/CVE-2022-50233	external
	https://bugzilla.suse.com/1246968	external
	https://bugzilla.suse.com/1247374	external
	https://bugzilla.suse.com/1249242	external
	https://www.suse.com/security/cve/CVE-2022-50327	external
	https://bugzilla.suse.com/1249859	external
	https://bugzilla.suse.com/1254451	external
	https://www.suse.com/security/cve/CVE-2022-50409	external
	https://bugzilla.suse.com/1247374	external
	https://bugzilla.suse.com/1250392	external
	https://bugzilla.suse.com/1250665	external
	https://www.suse.com/security/cve/CVE-2022-50490	external
	https://bugzilla.suse.com/1251164	external
	https://bugzilla.suse.com/1251165	external
	https://www.suse.com/security/cve/CVE-2023-53676	external
	https://bugzilla.suse.com/1251786	external
	https://bugzilla.suse.com/1251787	external
	https://www.suse.com/security/cve/CVE-2025-38476	external
	https://bugzilla.suse.com/1247317	external
	https://bugzilla.suse.com/1251203	external
	https://www.suse.com/security/cve/CVE-2025-38572	external
	https://bugzilla.suse.com/1248399	external
	https://bugzilla.suse.com/1248400	external
	https://www.suse.com/security/cve/CVE-2025-40204	external
	https://bugzilla.suse.com/1253436	external
	https://bugzilla.suse.com/1253437	external

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for the Linux Kernel (Live Patch 44 for SUSE Linux Enterprise 15 SP4)",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "\nThis update for the SUSE Linux Enterprise kernel 5.14.21-150400.24.176 fixes various security issues\n\nThe following security issues were fixed:\n\n- CVE-2022-50233: bluetooth: device name can cause reading kernel memory by not supplying terminal \\0 (bsc#1249242).\n- CVE-2022-50327: ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value (bsc#1254451).\n- CVE-2022-50409: net: If sock is dead don\u0027t access sock\u0027s sk_wq in sk_stream_wait_memory (bsc#1250665).\n- CVE-2022-50490: bpf: Propagate error from htab_lock_bucket() to userspace (bsc#1251165).\n- CVE-2023-53676: scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show() (bsc#1251787).\n- CVE-2025-38476: rpl: Fix use-after-free in rpl_do_srh_inline() (bsc#1251203).\n- CVE-2025-38572: ipv6: reject malicious packets in ipv6_gso_segment() (bsc#1248400).\n- CVE-2025-40204: sctp: Fix MAC comparison to be constant-time (bsc#1253437).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2026-176,SUSE-SLE-Module-Live-Patching-15-SP4-2026-176",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_0176-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2026:0176-1",
        "url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260176-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2026:0176-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-January/023798.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1248400",
        "url": "https://bugzilla.suse.com/1248400"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1249242",
        "url": "https://bugzilla.suse.com/1249242"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1250665",
        "url": "https://bugzilla.suse.com/1250665"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1251165",
        "url": "https://bugzilla.suse.com/1251165"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1251203",
        "url": "https://bugzilla.suse.com/1251203"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1251787",
        "url": "https://bugzilla.suse.com/1251787"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1253437",
        "url": "https://bugzilla.suse.com/1253437"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1254451",
        "url": "https://bugzilla.suse.com/1254451"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-50233 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-50233/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-50327 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-50327/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-50409 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-50409/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-50490 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-50490/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-53676 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-53676/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-38476 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-38476/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-38572 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-38572/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-40204 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-40204/"
      }
    ],
    "title": "Security update for the Linux Kernel (Live Patch 44 for SUSE Linux Enterprise 15 SP4)",
    "tracking": {
      "current_release_date": "2026-01-19T19:03:59Z",
      "generator": {
        "date": "2026-01-19T19:03:59Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2026:0176-1",
      "initial_release_date": "2026-01-19T19:03:59Z",
      "revision_history": [
        {
          "date": "2026-01-19T19:03:59Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.ppc64le",
                "product": {
                  "name": "kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.ppc64le",
                  "product_id": "kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.s390x",
                "product": {
                  "name": "kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.s390x",
                  "product_id": "kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.x86_64",
                "product": {
                  "name": "kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.x86_64",
                  "product_id": "kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Live Patching 15 SP4",
                "product": {
                  "name": "SUSE Linux Enterprise Live Patching 15 SP4",
                  "product_id": "SUSE Linux Enterprise Live Patching 15 SP4",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-live-patching:15:sp4"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.ppc64le as component of SUSE Linux Enterprise Live Patching 15 SP4",
          "product_id": "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.ppc64le"
        },
        "product_reference": "kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.s390x as component of SUSE Linux Enterprise Live Patching 15 SP4",
          "product_id": "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.s390x"
        },
        "product_reference": "kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.x86_64 as component of SUSE Linux Enterprise Live Patching 15 SP4",
          "product_id": "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.x86_64"
        },
        "product_reference": "kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP4"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-50233",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-50233"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: eir: Fix using strlen with hdev-\u003e{dev_name,short_name}\n\nBoth dev_name and short_name are not guaranteed to be NULL terminated so\nthis instead use strnlen and then attempt to determine if the resulting\nstring needs to be truncated or not.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.ppc64le",
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.s390x",
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-50233",
          "url": "https://www.suse.com/security/cve/CVE-2022-50233"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1246968 for CVE-2022-50233",
          "url": "https://bugzilla.suse.com/1246968"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1247374 for CVE-2022-50233",
          "url": "https://bugzilla.suse.com/1247374"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1249242 for CVE-2022-50233",
          "url": "https://bugzilla.suse.com/1249242"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-01-19T19:03:59Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-50233"
    },
    {
      "cve": "CVE-2022-50327",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-50327"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: processor: idle: Check acpi_fetch_acpi_dev() return value\n\nThe return value of acpi_fetch_acpi_dev() could be NULL, which would\ncause a NULL pointer dereference to occur in acpi_device_hid().\n\n[ rjw: Subject and changelog edits, added empty line after if () ]",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.ppc64le",
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.s390x",
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-50327",
          "url": "https://www.suse.com/security/cve/CVE-2022-50327"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1249859 for CVE-2022-50327",
          "url": "https://bugzilla.suse.com/1249859"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1254451 for CVE-2022-50327",
          "url": "https://bugzilla.suse.com/1254451"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-01-19T19:03:59Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-50327"
    },
    {
      "cve": "CVE-2022-50409",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-50409"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: If sock is dead don\u0027t access sock\u0027s sk_wq in sk_stream_wait_memory\n\nFixes the below NULL pointer dereference:\n\n  [...]\n  [   14.471200] Call Trace:\n  [   14.471562]  \u003cTASK\u003e\n  [   14.471882]  lock_acquire+0x245/0x2e0\n  [   14.472416]  ? remove_wait_queue+0x12/0x50\n  [   14.473014]  ? _raw_spin_lock_irqsave+0x17/0x50\n  [   14.473681]  _raw_spin_lock_irqsave+0x3d/0x50\n  [   14.474318]  ? remove_wait_queue+0x12/0x50\n  [   14.474907]  remove_wait_queue+0x12/0x50\n  [   14.475480]  sk_stream_wait_memory+0x20d/0x340\n  [   14.476127]  ? do_wait_intr_irq+0x80/0x80\n  [   14.476704]  do_tcp_sendpages+0x287/0x600\n  [   14.477283]  tcp_bpf_push+0xab/0x260\n  [   14.477817]  tcp_bpf_sendmsg_redir+0x297/0x500\n  [   14.478461]  ? __local_bh_enable_ip+0x77/0xe0\n  [   14.479096]  tcp_bpf_send_verdict+0x105/0x470\n  [   14.479729]  tcp_bpf_sendmsg+0x318/0x4f0\n  [   14.480311]  sock_sendmsg+0x2d/0x40\n  [   14.480822]  ____sys_sendmsg+0x1b4/0x1c0\n  [   14.481390]  ? copy_msghdr_from_user+0x62/0x80\n  [   14.482048]  ___sys_sendmsg+0x78/0xb0\n  [   14.482580]  ? vmf_insert_pfn_prot+0x91/0x150\n  [   14.483215]  ? __do_fault+0x2a/0x1a0\n  [   14.483738]  ? do_fault+0x15e/0x5d0\n  [   14.484246]  ? __handle_mm_fault+0x56b/0x1040\n  [   14.484874]  ? lock_is_held_type+0xdf/0x130\n  [   14.485474]  ? find_held_lock+0x2d/0x90\n  [   14.486046]  ? __sys_sendmsg+0x41/0x70\n  [   14.486587]  __sys_sendmsg+0x41/0x70\n  [   14.487105]  ? intel_pmu_drain_pebs_core+0x350/0x350\n  [   14.487822]  do_syscall_64+0x34/0x80\n  [   14.488345]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n  [...]\n\nThe test scenario has the following flow:\n\nthread1                               thread2\n-----------                           ---------------\n tcp_bpf_sendmsg\n  tcp_bpf_send_verdict\n   tcp_bpf_sendmsg_redir              sock_close\n    tcp_bpf_push_locked                 __sock_release\n     tcp_bpf_push                         //inet_release\n      do_tcp_sendpages                    sock-\u003eops-\u003erelease\n       sk_stream_wait_memory          \t   // tcp_close\n          sk_wait_event                      sk-\u003esk_prot-\u003eclose\n           release_sock(__sk);\n            ***\n                                                lock_sock(sk);\n                                                  __tcp_close\n                                                    sock_orphan(sk)\n                                                      sk-\u003esk_wq  = NULL\n                                                release_sock\n            ****\n           lock_sock(__sk);\n          remove_wait_queue(sk_sleep(sk), \u0026wait);\n             sk_sleep(sk)\n             //NULL pointer dereference\n             \u0026rcu_dereference_raw(sk-\u003esk_wq)-\u003ewait\n\nWhile waiting for memory in thread1, the socket is released with its wait\nqueue because thread2 has closed it. This caused by tcp_bpf_send_verdict\ndidn\u0027t increase the f_count of psock-\u003esk_redir-\u003esk_socket-\u003efile in thread1.\n\nWe should check if SOCK_DEAD flag is set on wakeup in sk_stream_wait_memory\nbefore accessing the wait queue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.ppc64le",
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.s390x",
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-50409",
          "url": "https://www.suse.com/security/cve/CVE-2022-50409"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1247374 for CVE-2022-50409",
          "url": "https://bugzilla.suse.com/1247374"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1250392 for CVE-2022-50409",
          "url": "https://bugzilla.suse.com/1250392"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1250665 for CVE-2022-50409",
          "url": "https://bugzilla.suse.com/1250665"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-01-19T19:03:59Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-50409"
    },
    {
      "cve": "CVE-2022-50490",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-50490"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Propagate error from htab_lock_bucket() to userspace\n\nIn __htab_map_lookup_and_delete_batch() if htab_lock_bucket() returns\n-EBUSY, it will go to next bucket. Going to next bucket may not only\nskip the elements in current bucket silently, but also incur\nout-of-bound memory access or expose kernel memory to userspace if\ncurrent bucket_cnt is greater than bucket_size or zero.\n\nFixing it by stopping batch operation and returning -EBUSY when\nhtab_lock_bucket() fails, and the application can retry or skip the busy\nbatch as needed.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.ppc64le",
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.s390x",
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-50490",
          "url": "https://www.suse.com/security/cve/CVE-2022-50490"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1251164 for CVE-2022-50490",
          "url": "https://bugzilla.suse.com/1251164"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1251165 for CVE-2022-50490",
          "url": "https://bugzilla.suse.com/1251165"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-01-19T19:03:59Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-50490"
    },
    {
      "cve": "CVE-2023-53676",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-53676"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show()\n\nThe function lio_target_nacl_info_show() uses sprintf() in a loop to print\ndetails for every iSCSI connection in a session without checking for the\nbuffer length. With enough iSCSI connections it\u0027s possible to overflow the\nbuffer provided by configfs and corrupt the memory.\n\nThis patch replaces sprintf() with sysfs_emit_at() that checks for buffer\nboundries.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.ppc64le",
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.s390x",
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-53676",
          "url": "https://www.suse.com/security/cve/CVE-2023-53676"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1251786 for CVE-2023-53676",
          "url": "https://bugzilla.suse.com/1251786"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1251787 for CVE-2023-53676",
          "url": "https://bugzilla.suse.com/1251787"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-01-19T19:03:59Z",
          "details": "important"
        }
      ],
      "title": "CVE-2023-53676"
    },
    {
      "cve": "CVE-2025-38476",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-38476"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nrpl: Fix use-after-free in rpl_do_srh_inline().\n\nRunning lwt_dst_cache_ref_loop.sh in selftest with KASAN triggers\nthe splat below [0].\n\nrpl_do_srh_inline() fetches ipv6_hdr(skb) and accesses it after\nskb_cow_head(), which is illegal as the header could be freed then.\n\nLet\u0027s fix it by making oldhdr to a local struct instead of a pointer.\n\n[0]:\n[root@fedora net]# ./lwt_dst_cache_ref_loop.sh\n...\nTEST: rpl (input)\n[   57.631529] ==================================================================\nBUG: KASAN: slab-use-after-free in rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174)\nRead of size 40 at addr ffff888122bf96d8 by task ping6/1543\n\nCPU: 50 UID: 0 PID: 1543 Comm: ping6 Not tainted 6.16.0-rc5-01302-gfadd1e6231b1 #23 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl (lib/dump_stack.c:122)\n print_report (mm/kasan/report.c:409 mm/kasan/report.c:521)\n kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:636)\n kasan_check_range (mm/kasan/generic.c:175 (discriminator 1) mm/kasan/generic.c:189 (discriminator 1))\n __asan_memmove (mm/kasan/shadow.c:94 (discriminator 2))\n rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174)\n rpl_input (net/ipv6/rpl_iptunnel.c:201 net/ipv6/rpl_iptunnel.c:282)\n lwtunnel_input (net/core/lwtunnel.c:459)\n ipv6_rcv (./include/net/dst.h:471 (discriminator 1) ./include/net/dst.h:469 (discriminator 1) net/ipv6/ip6_input.c:79 (discriminator 1) ./include/linux/netfilter.h:317 (discriminator 1) ./include/linux/netfilter.h:311 (discriminator 1) net/ipv6/ip6_input.c:311 (discriminator 1))\n __netif_receive_skb_one_core (net/core/dev.c:5967)\n process_backlog (./include/linux/rcupdate.h:869 net/core/dev.c:6440)\n __napi_poll.constprop.0 (net/core/dev.c:7452)\n net_rx_action (net/core/dev.c:7518 net/core/dev.c:7643)\n handle_softirqs (kernel/softirq.c:579)\n do_softirq (kernel/softirq.c:480 (discriminator 20))\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n __local_bh_enable_ip (kernel/softirq.c:407)\n __dev_queue_xmit (net/core/dev.c:4740)\n ip6_finish_output2 (./include/linux/netdevice.h:3358 ./include/net/neighbour.h:526 ./include/net/neighbour.h:540 net/ipv6/ip6_output.c:141)\n ip6_finish_output (net/ipv6/ip6_output.c:215 net/ipv6/ip6_output.c:226)\n ip6_output (./include/linux/netfilter.h:306 net/ipv6/ip6_output.c:248)\n ip6_send_skb (net/ipv6/ip6_output.c:1983)\n rawv6_sendmsg (net/ipv6/raw.c:588 net/ipv6/raw.c:918)\n __sys_sendto (net/socket.c:714 (discriminator 1) net/socket.c:729 (discriminator 1) net/socket.c:2228 (discriminator 1))\n __x64_sys_sendto (net/socket.c:2231)\n do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\nRIP: 0033:0x7f68cffb2a06\nCode: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 \u003c48\u003e 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08\nRSP: 002b:00007ffefb7c53d0 EFLAGS: 00000202 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 0000564cd69f10a0 RCX: 00007f68cffb2a06\nRDX: 0000000000000040 RSI: 0000564cd69f10a4 RDI: 0000000000000003\nRBP: 00007ffefb7c53f0 R08: 0000564cd6a032ac R09: 000000000000001c\nR10: 0000000000000000 R11: 0000000000000202 R12: 0000564cd69f10a4\nR13: 0000000000000040 R14: 00007ffefb7c66e0 R15: 0000564cd69f10a0\n \u003c/TASK\u003e\n\nAllocated by task 1543:\n kasan_save_stack (mm/kasan/common.c:48)\n kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))\n __kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345)\n kmem_cache_alloc_node_noprof (./include/linux/kasan.h:250 mm/slub.c:4148 mm/slub.c:4197 mm/slub.c:4249)\n kmalloc_reserve (net/core/skbuff.c:581 (discriminator 88))\n __alloc_skb (net/core/skbuff.c:669)\n __ip6_append_data (net/ipv6/ip6_output.c:1672 (discriminator 1))\n ip6_\n---truncated---",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.ppc64le",
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.s390x",
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-38476",
          "url": "https://www.suse.com/security/cve/CVE-2025-38476"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1247317 for CVE-2025-38476",
          "url": "https://bugzilla.suse.com/1247317"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1251203 for CVE-2025-38476",
          "url": "https://bugzilla.suse.com/1251203"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-01-19T19:03:59Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-38476"
    },
    {
      "cve": "CVE-2025-38572",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-38572"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: reject malicious packets in ipv6_gso_segment()\n\nsyzbot was able to craft a packet with very long IPv6 extension headers\nleading to an overflow of skb-\u003etransport_header.\n\nThis 16bit field has a limited range.\n\nAdd skb_reset_transport_header_careful() helper and use it\nfrom ipv6_gso_segment()\n\nWARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 skb_reset_transport_header include/linux/skbuff.h:3032 [inline]\nWARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151\nModules linked in:\nCPU: 0 UID: 0 PID: 5871 Comm: syz-executor211 Not tainted 6.16.0-rc6-syzkaller-g7abc678e3084 #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\n RIP: 0010:skb_reset_transport_header include/linux/skbuff.h:3032 [inline]\n RIP: 0010:ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151\nCall Trace:\n \u003cTASK\u003e\n  skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53\n  nsh_gso_segment+0x54a/0xe10 net/nsh/nsh.c:110\n  skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53\n  __skb_gso_segment+0x342/0x510 net/core/gso.c:124\n  skb_gso_segment include/net/gso.h:83 [inline]\n  validate_xmit_skb+0x857/0x11b0 net/core/dev.c:3950\n  validate_xmit_skb_list+0x84/0x120 net/core/dev.c:4000\n  sch_direct_xmit+0xd3/0x4b0 net/sched/sch_generic.c:329\n  __dev_xmit_skb net/core/dev.c:4102 [inline]\n  __dev_queue_xmit+0x17b6/0x3a70 net/core/dev.c:4679",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.ppc64le",
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.s390x",
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-38572",
          "url": "https://www.suse.com/security/cve/CVE-2025-38572"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1248399 for CVE-2025-38572",
          "url": "https://bugzilla.suse.com/1248399"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1248400 for CVE-2025-38572",
          "url": "https://bugzilla.suse.com/1248400"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-01-19T19:03:59Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-38572"
    },
    {
      "cve": "CVE-2025-40204",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-40204"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: Fix MAC comparison to be constant-time\n\nTo prevent timing attacks, MACs need to be compared in constant time.\nUse the appropriate helper function for this.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.ppc64le",
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.s390x",
          "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-40204",
          "url": "https://www.suse.com/security/cve/CVE-2025-40204"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1253436 for CVE-2025-40204",
          "url": "https://bugzilla.suse.com/1253436"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1253437 for CVE-2025-40204",
          "url": "https://bugzilla.suse.com/1253437"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.s390x",
            "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_176-default-6-150400.2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-01-19T19:03:59Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-40204"
    }
  ]
}

CVE-2022-50233 (GCVE-0-2022-50233)

Vulnerability from cvelistv5 – Published: 2025-08-09 14:30 – Updated: 2025-10-29 10:50

Title

Bluetooth: eir: Fix using strlen with hdev->{dev_name,short_name}

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: eir: Fix using strlen with hdev->{dev_name,short_name} Both dev_name and short_name are not guaranteed to be NULL terminated so this instead use strnlen and then attempt to determine if the resulting string needs to be truncated or not.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

https://git.kernel.org/stable/c/dd7b8cdde098cf9f7…

Impacted products

Vendor

Product

Version

Affected: 4c3dbb2c312c9fafbac30d98c523b8b1f3455d78 , < dd7b8cdde098cf9f7c8de409b5b7bbb98f97be80 (git)

Affected: 4.14
Unaffected: 0 , < 4.14 (semver)
Unaffected: 6.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/eir.c",
            "net/bluetooth/mgmt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "dd7b8cdde098cf9f7c8de409b5b7bbb98f97be80",
              "status": "affected",
              "version": "4c3dbb2c312c9fafbac30d98c523b8b1f3455d78",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/eir.c",
            "net/bluetooth/mgmt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.14"
            },
            {
              "lessThan": "4.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0",
                  "versionStartIncluding": "4.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: eir: Fix using strlen with hdev-\u003e{dev_name,short_name}\n\nBoth dev_name and short_name are not guaranteed to be NULL terminated so\nthis instead use strnlen and then attempt to determine if the resulting\nstring needs to be truncated or not."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-29T10:50:07.782Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/dd7b8cdde098cf9f7c8de409b5b7bbb98f97be80"
        }
      ],
      "title": "Bluetooth: eir: Fix using strlen with hdev-\u003e{dev_name,short_name}",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50233",
    "datePublished": "2025-08-09T14:30:51.639Z",
    "dateReserved": "2025-06-18T10:57:27.432Z",
    "dateUpdated": "2025-10-29T10:50:07.782Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-38476 (GCVE-0-2025-38476)

Vulnerability from cvelistv5 – Published: 2025-07-28 11:21 – Updated: 2025-11-03 17:38

Title

rpl: Fix use-after-free in rpl_do_srh_inline().

Summary

In the Linux kernel, the following vulnerability has been resolved: rpl: Fix use-after-free in rpl_do_srh_inline(). Running lwt_dst_cache_ref_loop.sh in selftest with KASAN triggers the splat below [0]. rpl_do_srh_inline() fetches ipv6_hdr(skb) and accesses it after skb_cow_head(), which is illegal as the header could be freed then. Let's fix it by making oldhdr to a local struct instead of a pointer. [0]: [root@fedora net]# ./lwt_dst_cache_ref_loop.sh ... TEST: rpl (input) [ 57.631529] ================================================================== BUG: KASAN: slab-use-after-free in rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174) Read of size 40 at addr ffff888122bf96d8 by task ping6/1543 CPU: 50 UID: 0 PID: 1543 Comm: ping6 Not tainted 6.16.0-rc5-01302-gfadd1e6231b1 #23 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: <IRQ> dump_stack_lvl (lib/dump_stack.c:122) print_report (mm/kasan/report.c:409 mm/kasan/report.c:521) kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:636) kasan_check_range (mm/kasan/generic.c:175 (discriminator 1) mm/kasan/generic.c:189 (discriminator 1)) __asan_memmove (mm/kasan/shadow.c:94 (discriminator 2)) rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174) rpl_input (net/ipv6/rpl_iptunnel.c:201 net/ipv6/rpl_iptunnel.c:282) lwtunnel_input (net/core/lwtunnel.c:459) ipv6_rcv (./include/net/dst.h:471 (discriminator 1) ./include/net/dst.h:469 (discriminator 1) net/ipv6/ip6_input.c:79 (discriminator 1) ./include/linux/netfilter.h:317 (discriminator 1) ./include/linux/netfilter.h:311 (discriminator 1) net/ipv6/ip6_input.c:311 (discriminator 1)) __netif_receive_skb_one_core (net/core/dev.c:5967) process_backlog (./include/linux/rcupdate.h:869 net/core/dev.c:6440) __napi_poll.constprop.0 (net/core/dev.c:7452) net_rx_action (net/core/dev.c:7518 net/core/dev.c:7643) handle_softirqs (kernel/softirq.c:579) do_softirq (kernel/softirq.c:480 (discriminator 20)) </IRQ> <TASK> __local_bh_enable_ip (kernel/softirq.c:407) __dev_queue_xmit (net/core/dev.c:4740) ip6_finish_output2 (./include/linux/netdevice.h:3358 ./include/net/neighbour.h:526 ./include/net/neighbour.h:540 net/ipv6/ip6_output.c:141) ip6_finish_output (net/ipv6/ip6_output.c:215 net/ipv6/ip6_output.c:226) ip6_output (./include/linux/netfilter.h:306 net/ipv6/ip6_output.c:248) ip6_send_skb (net/ipv6/ip6_output.c:1983) rawv6_sendmsg (net/ipv6/raw.c:588 net/ipv6/raw.c:918) __sys_sendto (net/socket.c:714 (discriminator 1) net/socket.c:729 (discriminator 1) net/socket.c:2228 (discriminator 1)) __x64_sys_sendto (net/socket.c:2231) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) RIP: 0033:0x7f68cffb2a06 Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08 RSP: 002b:00007ffefb7c53d0 EFLAGS: 00000202 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 0000564cd69f10a0 RCX: 00007f68cffb2a06 RDX: 0000000000000040 RSI: 0000564cd69f10a4 RDI: 0000000000000003 RBP: 00007ffefb7c53f0 R08: 0000564cd6a032ac R09: 000000000000001c R10: 0000000000000000 R11: 0000000000000202 R12: 0000564cd69f10a4 R13: 0000000000000040 R14: 00007ffefb7c66e0 R15: 0000564cd69f10a0 </TASK> Allocated by task 1543: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1)) __kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345) kmem_cache_alloc_node_noprof (./include/linux/kasan.h:250 mm/slub.c:4148 mm/slub.c:4197 mm/slub.c:4249) kmalloc_reserve (net/core/skbuff.c:581 (discriminator 88)) __alloc_skb (net/core/skbuff.c:669) __ip6_append_data (net/ipv6/ip6_output.c:1672 (discriminator 1)) ip6_ ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c09e21dfc08d8afb9…
	https://git.kernel.org/stable/c/8ba6c2362b85089b8…
	https://git.kernel.org/stable/c/e8101506ab86dd78f…
	https://git.kernel.org/stable/c/62dcd9d6e61c39122…
	https://git.kernel.org/stable/c/06ec83b6c792fde1f…
	https://git.kernel.org/stable/c/034b428aa3583373a…
	https://git.kernel.org/stable/c/b640daa2822a39ff7…

Impacted products

Vendor

Product

Version

Affected: a7a29f9c361f8542604ef959ae6627f423b7a412 , < c09e21dfc08d8afb92d9ea3bee3457adbe3ef297 (git)
Affected: a7a29f9c361f8542604ef959ae6627f423b7a412 , < 8ba6c2362b85089b8972ac5f20b24fc71a4b8ffc (git)
Affected: a7a29f9c361f8542604ef959ae6627f423b7a412 , < e8101506ab86dd78f823b7028f2036a380f3a12a (git)
Affected: a7a29f9c361f8542604ef959ae6627f423b7a412 , < 62dcd9d6e61c39122d2f251a26829e2e55b0a11d (git)
Affected: a7a29f9c361f8542604ef959ae6627f423b7a412 , < 06ec83b6c792fde1f710c1de3e836da6e257c4c4 (git)
Affected: a7a29f9c361f8542604ef959ae6627f423b7a412 , < 034b428aa3583373a5a20b1c5931bb2b3cae1f36 (git)
Affected: a7a29f9c361f8542604ef959ae6627f423b7a412 , < b640daa2822a39ff76e70200cb2b7b892b896dce (git)

Affected: 5.7
Unaffected: 0 , < 5.7 (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.147 , ≤ 6.1.* (semver)
Unaffected: 6.6.100 , ≤ 6.6.* (semver)
Unaffected: 6.12.40 , ≤ 6.12.* (semver)
Unaffected: 6.15.8 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:38:42.878Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/rpl_iptunnel.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c09e21dfc08d8afb92d9ea3bee3457adbe3ef297",
              "status": "affected",
              "version": "a7a29f9c361f8542604ef959ae6627f423b7a412",
              "versionType": "git"
            },
            {
              "lessThan": "8ba6c2362b85089b8972ac5f20b24fc71a4b8ffc",
              "status": "affected",
              "version": "a7a29f9c361f8542604ef959ae6627f423b7a412",
              "versionType": "git"
            },
            {
              "lessThan": "e8101506ab86dd78f823b7028f2036a380f3a12a",
              "status": "affected",
              "version": "a7a29f9c361f8542604ef959ae6627f423b7a412",
              "versionType": "git"
            },
            {
              "lessThan": "62dcd9d6e61c39122d2f251a26829e2e55b0a11d",
              "status": "affected",
              "version": "a7a29f9c361f8542604ef959ae6627f423b7a412",
              "versionType": "git"
            },
            {
              "lessThan": "06ec83b6c792fde1f710c1de3e836da6e257c4c4",
              "status": "affected",
              "version": "a7a29f9c361f8542604ef959ae6627f423b7a412",
              "versionType": "git"
            },
            {
              "lessThan": "034b428aa3583373a5a20b1c5931bb2b3cae1f36",
              "status": "affected",
              "version": "a7a29f9c361f8542604ef959ae6627f423b7a412",
              "versionType": "git"
            },
            {
              "lessThan": "b640daa2822a39ff76e70200cb2b7b892b896dce",
              "status": "affected",
              "version": "a7a29f9c361f8542604ef959ae6627f423b7a412",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/rpl_iptunnel.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.147",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.100",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.147",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.100",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.8",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrpl: Fix use-after-free in rpl_do_srh_inline().\n\nRunning lwt_dst_cache_ref_loop.sh in selftest with KASAN triggers\nthe splat below [0].\n\nrpl_do_srh_inline() fetches ipv6_hdr(skb) and accesses it after\nskb_cow_head(), which is illegal as the header could be freed then.\n\nLet\u0027s fix it by making oldhdr to a local struct instead of a pointer.\n\n[0]:\n[root@fedora net]# ./lwt_dst_cache_ref_loop.sh\n...\nTEST: rpl (input)\n[   57.631529] ==================================================================\nBUG: KASAN: slab-use-after-free in rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174)\nRead of size 40 at addr ffff888122bf96d8 by task ping6/1543\n\nCPU: 50 UID: 0 PID: 1543 Comm: ping6 Not tainted 6.16.0-rc5-01302-gfadd1e6231b1 #23 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl (lib/dump_stack.c:122)\n print_report (mm/kasan/report.c:409 mm/kasan/report.c:521)\n kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:636)\n kasan_check_range (mm/kasan/generic.c:175 (discriminator 1) mm/kasan/generic.c:189 (discriminator 1))\n __asan_memmove (mm/kasan/shadow.c:94 (discriminator 2))\n rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174)\n rpl_input (net/ipv6/rpl_iptunnel.c:201 net/ipv6/rpl_iptunnel.c:282)\n lwtunnel_input (net/core/lwtunnel.c:459)\n ipv6_rcv (./include/net/dst.h:471 (discriminator 1) ./include/net/dst.h:469 (discriminator 1) net/ipv6/ip6_input.c:79 (discriminator 1) ./include/linux/netfilter.h:317 (discriminator 1) ./include/linux/netfilter.h:311 (discriminator 1) net/ipv6/ip6_input.c:311 (discriminator 1))\n __netif_receive_skb_one_core (net/core/dev.c:5967)\n process_backlog (./include/linux/rcupdate.h:869 net/core/dev.c:6440)\n __napi_poll.constprop.0 (net/core/dev.c:7452)\n net_rx_action (net/core/dev.c:7518 net/core/dev.c:7643)\n handle_softirqs (kernel/softirq.c:579)\n do_softirq (kernel/softirq.c:480 (discriminator 20))\n \u003c/IRQ\u003e\n \u003cTASK\u003e\n __local_bh_enable_ip (kernel/softirq.c:407)\n __dev_queue_xmit (net/core/dev.c:4740)\n ip6_finish_output2 (./include/linux/netdevice.h:3358 ./include/net/neighbour.h:526 ./include/net/neighbour.h:540 net/ipv6/ip6_output.c:141)\n ip6_finish_output (net/ipv6/ip6_output.c:215 net/ipv6/ip6_output.c:226)\n ip6_output (./include/linux/netfilter.h:306 net/ipv6/ip6_output.c:248)\n ip6_send_skb (net/ipv6/ip6_output.c:1983)\n rawv6_sendmsg (net/ipv6/raw.c:588 net/ipv6/raw.c:918)\n __sys_sendto (net/socket.c:714 (discriminator 1) net/socket.c:729 (discriminator 1) net/socket.c:2228 (discriminator 1))\n __x64_sys_sendto (net/socket.c:2231)\n do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\nRIP: 0033:0x7f68cffb2a06\nCode: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 \u003c48\u003e 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08\nRSP: 002b:00007ffefb7c53d0 EFLAGS: 00000202 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 0000564cd69f10a0 RCX: 00007f68cffb2a06\nRDX: 0000000000000040 RSI: 0000564cd69f10a4 RDI: 0000000000000003\nRBP: 00007ffefb7c53f0 R08: 0000564cd6a032ac R09: 000000000000001c\nR10: 0000000000000000 R11: 0000000000000202 R12: 0000564cd69f10a4\nR13: 0000000000000040 R14: 00007ffefb7c66e0 R15: 0000564cd69f10a0\n \u003c/TASK\u003e\n\nAllocated by task 1543:\n kasan_save_stack (mm/kasan/common.c:48)\n kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))\n __kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345)\n kmem_cache_alloc_node_noprof (./include/linux/kasan.h:250 mm/slub.c:4148 mm/slub.c:4197 mm/slub.c:4249)\n kmalloc_reserve (net/core/skbuff.c:581 (discriminator 88))\n __alloc_skb (net/core/skbuff.c:669)\n __ip6_append_data (net/ipv6/ip6_output.c:1672 (discriminator 1))\n ip6_\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-28T14:43:12.901Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c09e21dfc08d8afb92d9ea3bee3457adbe3ef297"
        },
        {
          "url": "https://git.kernel.org/stable/c/8ba6c2362b85089b8972ac5f20b24fc71a4b8ffc"
        },
        {
          "url": "https://git.kernel.org/stable/c/e8101506ab86dd78f823b7028f2036a380f3a12a"
        },
        {
          "url": "https://git.kernel.org/stable/c/62dcd9d6e61c39122d2f251a26829e2e55b0a11d"
        },
        {
          "url": "https://git.kernel.org/stable/c/06ec83b6c792fde1f710c1de3e836da6e257c4c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/034b428aa3583373a5a20b1c5931bb2b3cae1f36"
        },
        {
          "url": "https://git.kernel.org/stable/c/b640daa2822a39ff76e70200cb2b7b892b896dce"
        }
      ],
      "title": "rpl: Fix use-after-free in rpl_do_srh_inline().",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38476",
    "datePublished": "2025-07-28T11:21:37.175Z",
    "dateReserved": "2025-04-16T04:51:24.021Z",
    "dateUpdated": "2025-11-03T17:38:42.878Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38572 (GCVE-0-2025-38572)

Vulnerability from cvelistv5 – Published: 2025-08-19 17:02 – Updated: 2025-11-03 17:39

Title

ipv6: reject malicious packets in ipv6_gso_segment()

Summary

In the Linux kernel, the following vulnerability has been resolved: ipv6: reject malicious packets in ipv6_gso_segment() syzbot was able to craft a packet with very long IPv6 extension headers leading to an overflow of skb->transport_header. This 16bit field has a limited range. Add skb_reset_transport_header_careful() helper and use it from ipv6_gso_segment() WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 skb_reset_transport_header include/linux/skbuff.h:3032 [inline] WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151 Modules linked in: CPU: 0 UID: 0 PID: 5871 Comm: syz-executor211 Not tainted 6.16.0-rc6-syzkaller-g7abc678e3084 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 RIP: 0010:skb_reset_transport_header include/linux/skbuff.h:3032 [inline] RIP: 0010:ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151 Call Trace: <TASK> skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53 nsh_gso_segment+0x54a/0xe10 net/nsh/nsh.c:110 skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53 __skb_gso_segment+0x342/0x510 net/core/gso.c:124 skb_gso_segment include/net/gso.h:83 [inline] validate_xmit_skb+0x857/0x11b0 net/core/dev.c:3950 validate_xmit_skb_list+0x84/0x120 net/core/dev.c:4000 sch_direct_xmit+0xd3/0x4b0 net/sched/sch_generic.c:329 __dev_xmit_skb net/core/dev.c:4102 [inline] __dev_queue_xmit+0x17b6/0x3a70 net/core/dev.c:4679

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/5dc60b2a00ed76292…
	https://git.kernel.org/stable/c/3f638e0b28bde7c33…
	https://git.kernel.org/stable/c/09ff062b89d8e4816…
	https://git.kernel.org/stable/c/de322cdf600fc9433…
	https://git.kernel.org/stable/c/ef05007b403dcc21e…
	https://git.kernel.org/stable/c/5489e7fc6f8be3062…
	https://git.kernel.org/stable/c/573b8250fc2554761…
	https://git.kernel.org/stable/c/ee851768e4b8371ce…
	https://git.kernel.org/stable/c/d45cf1e7d7180256e…

Impacted products

Vendor

Product

Version

Affected: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 , < 5dc60b2a00ed7629214ac0c48e43f40af2078703 (git)
Affected: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 , < 3f638e0b28bde7c3354a0df938ab3a96739455d1 (git)
Affected: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 , < 09ff062b89d8e48165247d677d1ca23d6d607e9b (git)
Affected: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 , < de322cdf600fc9433845a9e944d1ca6b31cfb67e (git)
Affected: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 , < ef05007b403dcc21e701cb1f30d4572ac0a9da20 (git)
Affected: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 , < 5489e7fc6f8be3062f8cb7e49406de4bfd94db67 (git)
Affected: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 , < 573b8250fc2554761db3bc2bbdbab23789d52d4e (git)
Affected: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 , < ee851768e4b8371ce151fd446d24bf3ae2d18789 (git)
Affected: d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 , < d45cf1e7d7180256e17c9ce88e32e8061a7887fe (git)

Affected: 3.8
Unaffected: 0 , < 3.8 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.1.148 , ≤ 6.1.* (semver)
Unaffected: 6.6.102 , ≤ 6.6.* (semver)
Unaffected: 6.12.42 , ≤ 6.12.* (semver)
Unaffected: 6.15.10 , ≤ 6.15.* (semver)
Unaffected: 6.16.1 , ≤ 6.16.* (semver)
Unaffected: 6.17 , ≤ * (original_commit_for_fix)

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:39:59.107Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/skbuff.h",
            "net/ipv6/ip6_offload.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5dc60b2a00ed7629214ac0c48e43f40af2078703",
              "status": "affected",
              "version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
              "versionType": "git"
            },
            {
              "lessThan": "3f638e0b28bde7c3354a0df938ab3a96739455d1",
              "status": "affected",
              "version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
              "versionType": "git"
            },
            {
              "lessThan": "09ff062b89d8e48165247d677d1ca23d6d607e9b",
              "status": "affected",
              "version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
              "versionType": "git"
            },
            {
              "lessThan": "de322cdf600fc9433845a9e944d1ca6b31cfb67e",
              "status": "affected",
              "version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
              "versionType": "git"
            },
            {
              "lessThan": "ef05007b403dcc21e701cb1f30d4572ac0a9da20",
              "status": "affected",
              "version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
              "versionType": "git"
            },
            {
              "lessThan": "5489e7fc6f8be3062f8cb7e49406de4bfd94db67",
              "status": "affected",
              "version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
              "versionType": "git"
            },
            {
              "lessThan": "573b8250fc2554761db3bc2bbdbab23789d52d4e",
              "status": "affected",
              "version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
              "versionType": "git"
            },
            {
              "lessThan": "ee851768e4b8371ce151fd446d24bf3ae2d18789",
              "status": "affected",
              "version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
              "versionType": "git"
            },
            {
              "lessThan": "d45cf1e7d7180256e17c9ce88e32e8061a7887fe",
              "status": "affected",
              "version": "d1da932ed4ecad2a14cbcc01ed589d617d0f0f09",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/skbuff.h",
            "net/ipv6/ip6_offload.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.8"
            },
            {
              "lessThan": "3.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.102",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.42",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.16.*",
              "status": "unaffected",
              "version": "6.16.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.148",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.102",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.42",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.10",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16.1",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: reject malicious packets in ipv6_gso_segment()\n\nsyzbot was able to craft a packet with very long IPv6 extension headers\nleading to an overflow of skb-\u003etransport_header.\n\nThis 16bit field has a limited range.\n\nAdd skb_reset_transport_header_careful() helper and use it\nfrom ipv6_gso_segment()\n\nWARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 skb_reset_transport_header include/linux/skbuff.h:3032 [inline]\nWARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151\nModules linked in:\nCPU: 0 UID: 0 PID: 5871 Comm: syz-executor211 Not tainted 6.16.0-rc6-syzkaller-g7abc678e3084 #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025\n RIP: 0010:skb_reset_transport_header include/linux/skbuff.h:3032 [inline]\n RIP: 0010:ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151\nCall Trace:\n \u003cTASK\u003e\n  skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53\n  nsh_gso_segment+0x54a/0xe10 net/nsh/nsh.c:110\n  skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53\n  __skb_gso_segment+0x342/0x510 net/core/gso.c:124\n  skb_gso_segment include/net/gso.h:83 [inline]\n  validate_xmit_skb+0x857/0x11b0 net/core/dev.c:3950\n  validate_xmit_skb_list+0x84/0x120 net/core/dev.c:4000\n  sch_direct_xmit+0xd3/0x4b0 net/sched/sch_generic.c:329\n  __dev_xmit_skb net/core/dev.c:4102 [inline]\n  __dev_queue_xmit+0x17b6/0x3a70 net/core/dev.c:4679"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-29T05:54:03.372Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5dc60b2a00ed7629214ac0c48e43f40af2078703"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f638e0b28bde7c3354a0df938ab3a96739455d1"
        },
        {
          "url": "https://git.kernel.org/stable/c/09ff062b89d8e48165247d677d1ca23d6d607e9b"
        },
        {
          "url": "https://git.kernel.org/stable/c/de322cdf600fc9433845a9e944d1ca6b31cfb67e"
        },
        {
          "url": "https://git.kernel.org/stable/c/ef05007b403dcc21e701cb1f30d4572ac0a9da20"
        },
        {
          "url": "https://git.kernel.org/stable/c/5489e7fc6f8be3062f8cb7e49406de4bfd94db67"
        },
        {
          "url": "https://git.kernel.org/stable/c/573b8250fc2554761db3bc2bbdbab23789d52d4e"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee851768e4b8371ce151fd446d24bf3ae2d18789"
        },
        {
          "url": "https://git.kernel.org/stable/c/d45cf1e7d7180256e17c9ce88e32e8061a7887fe"
        }
      ],
      "title": "ipv6: reject malicious packets in ipv6_gso_segment()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38572",
    "datePublished": "2025-08-19T17:02:52.340Z",
    "dateReserved": "2025-04-16T04:51:24.025Z",
    "dateUpdated": "2025-11-03T17:39:59.107Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50409 (GCVE-0-2022-50409)

Vulnerability from cvelistv5 – Published: 2025-09-18 16:03 – Updated: 2025-12-23 13:29

Title

net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory

Summary

In the Linux kernel, the following vulnerability has been resolved: net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory Fixes the below NULL pointer dereference: [...] [ 14.471200] Call Trace: [ 14.471562] <TASK> [ 14.471882] lock_acquire+0x245/0x2e0 [ 14.472416] ? remove_wait_queue+0x12/0x50 [ 14.473014] ? _raw_spin_lock_irqsave+0x17/0x50 [ 14.473681] _raw_spin_lock_irqsave+0x3d/0x50 [ 14.474318] ? remove_wait_queue+0x12/0x50 [ 14.474907] remove_wait_queue+0x12/0x50 [ 14.475480] sk_stream_wait_memory+0x20d/0x340 [ 14.476127] ? do_wait_intr_irq+0x80/0x80 [ 14.476704] do_tcp_sendpages+0x287/0x600 [ 14.477283] tcp_bpf_push+0xab/0x260 [ 14.477817] tcp_bpf_sendmsg_redir+0x297/0x500 [ 14.478461] ? __local_bh_enable_ip+0x77/0xe0 [ 14.479096] tcp_bpf_send_verdict+0x105/0x470 [ 14.479729] tcp_bpf_sendmsg+0x318/0x4f0 [ 14.480311] sock_sendmsg+0x2d/0x40 [ 14.480822] ____sys_sendmsg+0x1b4/0x1c0 [ 14.481390] ? copy_msghdr_from_user+0x62/0x80 [ 14.482048] ___sys_sendmsg+0x78/0xb0 [ 14.482580] ? vmf_insert_pfn_prot+0x91/0x150 [ 14.483215] ? __do_fault+0x2a/0x1a0 [ 14.483738] ? do_fault+0x15e/0x5d0 [ 14.484246] ? __handle_mm_fault+0x56b/0x1040 [ 14.484874] ? lock_is_held_type+0xdf/0x130 [ 14.485474] ? find_held_lock+0x2d/0x90 [ 14.486046] ? __sys_sendmsg+0x41/0x70 [ 14.486587] __sys_sendmsg+0x41/0x70 [ 14.487105] ? intel_pmu_drain_pebs_core+0x350/0x350 [ 14.487822] do_syscall_64+0x34/0x80 [ 14.488345] entry_SYSCALL_64_after_hwframe+0x63/0xcd [...] The test scenario has the following flow: thread1 thread2 ----------- --------------- tcp_bpf_sendmsg tcp_bpf_send_verdict tcp_bpf_sendmsg_redir sock_close tcp_bpf_push_locked __sock_release tcp_bpf_push //inet_release do_tcp_sendpages sock->ops->release sk_stream_wait_memory // tcp_close sk_wait_event sk->sk_prot->close release_sock(__sk); *** lock_sock(sk); __tcp_close sock_orphan(sk) sk->sk_wq = NULL release_sock **** lock_sock(__sk); remove_wait_queue(sk_sleep(sk), &wait); sk_sleep(sk) //NULL pointer dereference &rcu_dereference_raw(sk->sk_wq)->wait While waiting for memory in thread1, the socket is released with its wait queue because thread2 has closed it. This caused by tcp_bpf_send_verdict didn't increase the f_count of psock->sk_redir->sk_socket->file in thread1. We should check if SOCK_DEAD flag is set on wakeup in sk_stream_wait_memory before accessing the wait queue.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a76462dbdd8bddcbe…
	https://git.kernel.org/stable/c/65029aaedd15d9fe5…
	https://git.kernel.org/stable/c/124b7c773271f06af…
	https://git.kernel.org/stable/c/35f5e70bdfa743276…
	https://git.kernel.org/stable/c/435f5aa4421782af1…
	https://git.kernel.org/stable/c/3f8ef65af927db247…

Impacted products

Vendor

Product

Version

Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < a76462dbdd8bddcbeec9463bc9e54e509b860762 (git)
Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < 65029aaedd15d9fe5ea1a899134e236d83f627bb (git)
Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < 124b7c773271f06af5a2cea694b283cdb5275cf5 (git)
Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < 35f5e70bdfa7432762ac4ffa75e5a7574ac5563e (git)
Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < 435f5aa4421782af197b98d8525263977be4af5c (git)
Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < 3f8ef65af927db247418d4e1db49164d7a158fc5 (git)

Affected: 4.20
Unaffected: 0 , < 4.20 (semver)
Unaffected: 5.4.220 , ≤ 5.4.* (semver)
Unaffected: 5.10.150 , ≤ 5.10.* (semver)
Unaffected: 5.15.75 , ≤ 5.15.* (semver)
Unaffected: 5.19.17 , ≤ 5.19.* (semver)
Unaffected: 6.0.3 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/stream.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a76462dbdd8bddcbeec9463bc9e54e509b860762",
              "status": "affected",
              "version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
              "versionType": "git"
            },
            {
              "lessThan": "65029aaedd15d9fe5ea1a899134e236d83f627bb",
              "status": "affected",
              "version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
              "versionType": "git"
            },
            {
              "lessThan": "124b7c773271f06af5a2cea694b283cdb5275cf5",
              "status": "affected",
              "version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
              "versionType": "git"
            },
            {
              "lessThan": "35f5e70bdfa7432762ac4ffa75e5a7574ac5563e",
              "status": "affected",
              "version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
              "versionType": "git"
            },
            {
              "lessThan": "435f5aa4421782af197b98d8525263977be4af5c",
              "status": "affected",
              "version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
              "versionType": "git"
            },
            {
              "lessThan": "3f8ef65af927db247418d4e1db49164d7a158fc5",
              "status": "affected",
              "version": "604326b41a6fb9b4a78b6179335decee0365cd8c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/stream.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.20"
            },
            {
              "lessThan": "4.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.220",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.150",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.220",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.150",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.75",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: If sock is dead don\u0027t access sock\u0027s sk_wq in sk_stream_wait_memory\n\nFixes the below NULL pointer dereference:\n\n  [...]\n  [   14.471200] Call Trace:\n  [   14.471562]  \u003cTASK\u003e\n  [   14.471882]  lock_acquire+0x245/0x2e0\n  [   14.472416]  ? remove_wait_queue+0x12/0x50\n  [   14.473014]  ? _raw_spin_lock_irqsave+0x17/0x50\n  [   14.473681]  _raw_spin_lock_irqsave+0x3d/0x50\n  [   14.474318]  ? remove_wait_queue+0x12/0x50\n  [   14.474907]  remove_wait_queue+0x12/0x50\n  [   14.475480]  sk_stream_wait_memory+0x20d/0x340\n  [   14.476127]  ? do_wait_intr_irq+0x80/0x80\n  [   14.476704]  do_tcp_sendpages+0x287/0x600\n  [   14.477283]  tcp_bpf_push+0xab/0x260\n  [   14.477817]  tcp_bpf_sendmsg_redir+0x297/0x500\n  [   14.478461]  ? __local_bh_enable_ip+0x77/0xe0\n  [   14.479096]  tcp_bpf_send_verdict+0x105/0x470\n  [   14.479729]  tcp_bpf_sendmsg+0x318/0x4f0\n  [   14.480311]  sock_sendmsg+0x2d/0x40\n  [   14.480822]  ____sys_sendmsg+0x1b4/0x1c0\n  [   14.481390]  ? copy_msghdr_from_user+0x62/0x80\n  [   14.482048]  ___sys_sendmsg+0x78/0xb0\n  [   14.482580]  ? vmf_insert_pfn_prot+0x91/0x150\n  [   14.483215]  ? __do_fault+0x2a/0x1a0\n  [   14.483738]  ? do_fault+0x15e/0x5d0\n  [   14.484246]  ? __handle_mm_fault+0x56b/0x1040\n  [   14.484874]  ? lock_is_held_type+0xdf/0x130\n  [   14.485474]  ? find_held_lock+0x2d/0x90\n  [   14.486046]  ? __sys_sendmsg+0x41/0x70\n  [   14.486587]  __sys_sendmsg+0x41/0x70\n  [   14.487105]  ? intel_pmu_drain_pebs_core+0x350/0x350\n  [   14.487822]  do_syscall_64+0x34/0x80\n  [   14.488345]  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n  [...]\n\nThe test scenario has the following flow:\n\nthread1                               thread2\n-----------                           ---------------\n tcp_bpf_sendmsg\n  tcp_bpf_send_verdict\n   tcp_bpf_sendmsg_redir              sock_close\n    tcp_bpf_push_locked                 __sock_release\n     tcp_bpf_push                         //inet_release\n      do_tcp_sendpages                    sock-\u003eops-\u003erelease\n       sk_stream_wait_memory          \t   // tcp_close\n          sk_wait_event                      sk-\u003esk_prot-\u003eclose\n           release_sock(__sk);\n            ***\n                                                lock_sock(sk);\n                                                  __tcp_close\n                                                    sock_orphan(sk)\n                                                      sk-\u003esk_wq  = NULL\n                                                release_sock\n            ****\n           lock_sock(__sk);\n          remove_wait_queue(sk_sleep(sk), \u0026wait);\n             sk_sleep(sk)\n             //NULL pointer dereference\n             \u0026rcu_dereference_raw(sk-\u003esk_wq)-\u003ewait\n\nWhile waiting for memory in thread1, the socket is released with its wait\nqueue because thread2 has closed it. This caused by tcp_bpf_send_verdict\ndidn\u0027t increase the f_count of psock-\u003esk_redir-\u003esk_socket-\u003efile in thread1.\n\nWe should check if SOCK_DEAD flag is set on wakeup in sk_stream_wait_memory\nbefore accessing the wait queue."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-23T13:29:21.551Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a76462dbdd8bddcbeec9463bc9e54e509b860762"
        },
        {
          "url": "https://git.kernel.org/stable/c/65029aaedd15d9fe5ea1a899134e236d83f627bb"
        },
        {
          "url": "https://git.kernel.org/stable/c/124b7c773271f06af5a2cea694b283cdb5275cf5"
        },
        {
          "url": "https://git.kernel.org/stable/c/35f5e70bdfa7432762ac4ffa75e5a7574ac5563e"
        },
        {
          "url": "https://git.kernel.org/stable/c/435f5aa4421782af197b98d8525263977be4af5c"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f8ef65af927db247418d4e1db49164d7a158fc5"
        }
      ],
      "title": "net: If sock is dead don\u0027t access sock\u0027s sk_wq in sk_stream_wait_memory",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50409",
    "datePublished": "2025-09-18T16:03:53.902Z",
    "dateReserved": "2025-09-17T14:53:07.001Z",
    "dateUpdated": "2025-12-23T13:29:21.551Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50327 (GCVE-0-2022-50327)

Vulnerability from cvelistv5 – Published: 2025-09-15 14:49 – Updated: 2025-12-23 13:28

Title

ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value

Summary

In the Linux kernel, the following vulnerability has been resolved: ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value The return value of acpi_fetch_acpi_dev() could be NULL, which would cause a NULL pointer dereference to occur in acpi_device_hid(). [ rjw: Subject and changelog edits, added empty line after if () ]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/8e8b5f12ee4ab6f5d…
	https://git.kernel.org/stable/c/fdee7a0acc566c419…
	https://git.kernel.org/stable/c/ad1190744da9d812d…
	https://git.kernel.org/stable/c/2ecd629c788bbfb96…
	https://git.kernel.org/stable/c/b85f0e292f73f353e…
	https://git.kernel.org/stable/c/2437513a814b3e93b…

Impacted products

Vendor

Product

Version

Affected: a36a7fecfe6071732075ad5aa31196adce13181b , < 8e8b5f12ee4ab6f5d252c9ca062a4ada9554e6d9 (git)
Affected: a36a7fecfe6071732075ad5aa31196adce13181b , < fdee7a0acc566c4194d40a501b8a1584e86cc208 (git)
Affected: a36a7fecfe6071732075ad5aa31196adce13181b , < ad1190744da9d812da55b76f2afce750afb0a3bd (git)
Affected: a36a7fecfe6071732075ad5aa31196adce13181b , < 2ecd629c788bbfb96be058edade2e934d3763eaf (git)
Affected: a36a7fecfe6071732075ad5aa31196adce13181b , < b85f0e292f73f353eea915499604fbf50c8238b4 (git)
Affected: a36a7fecfe6071732075ad5aa31196adce13181b , < 2437513a814b3e93bd02879740a8a06e52e2cf7d (git)

Affected: 4.8
Unaffected: 0 , < 4.8 (semver)
Unaffected: 5.4.297 , ≤ 5.4.* (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.190 , ≤ 5.15.* (semver)
Unaffected: 6.0.16 , ≤ 6.0.* (semver)
Unaffected: 6.1.2 , ≤ 6.1.* (semver)
Unaffected: 6.2 , ≤ * (original_commit_for_fix)

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:31:03.047Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/acpi/processor_idle.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8e8b5f12ee4ab6f5d252c9ca062a4ada9554e6d9",
              "status": "affected",
              "version": "a36a7fecfe6071732075ad5aa31196adce13181b",
              "versionType": "git"
            },
            {
              "lessThan": "fdee7a0acc566c4194d40a501b8a1584e86cc208",
              "status": "affected",
              "version": "a36a7fecfe6071732075ad5aa31196adce13181b",
              "versionType": "git"
            },
            {
              "lessThan": "ad1190744da9d812da55b76f2afce750afb0a3bd",
              "status": "affected",
              "version": "a36a7fecfe6071732075ad5aa31196adce13181b",
              "versionType": "git"
            },
            {
              "lessThan": "2ecd629c788bbfb96be058edade2e934d3763eaf",
              "status": "affected",
              "version": "a36a7fecfe6071732075ad5aa31196adce13181b",
              "versionType": "git"
            },
            {
              "lessThan": "b85f0e292f73f353eea915499604fbf50c8238b4",
              "status": "affected",
              "version": "a36a7fecfe6071732075ad5aa31196adce13181b",
              "versionType": "git"
            },
            {
              "lessThan": "2437513a814b3e93bd02879740a8a06e52e2cf7d",
              "status": "affected",
              "version": "a36a7fecfe6071732075ad5aa31196adce13181b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/acpi/processor_idle.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.297",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.190",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.16",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.2",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: processor: idle: Check acpi_fetch_acpi_dev() return value\n\nThe return value of acpi_fetch_acpi_dev() could be NULL, which would\ncause a NULL pointer dereference to occur in acpi_device_hid().\n\n[ rjw: Subject and changelog edits, added empty line after if () ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-23T13:28:29.153Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8e8b5f12ee4ab6f5d252c9ca062a4ada9554e6d9"
        },
        {
          "url": "https://git.kernel.org/stable/c/fdee7a0acc566c4194d40a501b8a1584e86cc208"
        },
        {
          "url": "https://git.kernel.org/stable/c/ad1190744da9d812da55b76f2afce750afb0a3bd"
        },
        {
          "url": "https://git.kernel.org/stable/c/2ecd629c788bbfb96be058edade2e934d3763eaf"
        },
        {
          "url": "https://git.kernel.org/stable/c/b85f0e292f73f353eea915499604fbf50c8238b4"
        },
        {
          "url": "https://git.kernel.org/stable/c/2437513a814b3e93bd02879740a8a06e52e2cf7d"
        }
      ],
      "title": "ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50327",
    "datePublished": "2025-09-15T14:49:26.711Z",
    "dateReserved": "2025-09-15T14:18:36.815Z",
    "dateUpdated": "2025-12-23T13:28:29.153Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53676 (GCVE-0-2023-53676)

Vulnerability from cvelistv5 – Published: 2025-10-07 15:21 – Updated: 2026-01-05 10:21

Title

scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show()

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show() The function lio_target_nacl_info_show() uses sprintf() in a loop to print details for every iSCSI connection in a session without checking for the buffer length. With enough iSCSI connections it's possible to overflow the buffer provided by configfs and corrupt the memory. This patch replaces sprintf() with sysfs_emit_at() that checks for buffer boundries.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/df349e84c2cb0dd05…
	https://git.kernel.org/stable/c/114b44dddea1f8f99…
	https://git.kernel.org/stable/c/2cbe6a88fbdd6e8ae…
	https://git.kernel.org/stable/c/bbe3ff47bf09db895…
	https://git.kernel.org/stable/c/5353df78c22623b42…
	https://git.kernel.org/stable/c/4738bf8b2d3635c29…
	https://git.kernel.org/stable/c/0cac6cbb990830935…
	https://git.kernel.org/stable/c/801f287c93ff95582…

Impacted products

Vendor

Product

Version

Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < df349e84c2cb0dd05d98c8e1189c26ab4b116083 (git)
Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 114b44dddea1f8f99576de3c0e6e9059012002fc (git)
Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 2cbe6a88fbdd6e8aeab358eef61472e2de43d6f6 (git)
Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < bbe3ff47bf09db8956bc2eeb49d2d514d256ad2a (git)
Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 5353df78c22623b42a71d51226d228a8413097e2 (git)
Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 4738bf8b2d3635c2944b81b2a84d97b8c8b0978d (git)
Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 0cac6cbb9908309352a5d30c1876882771d3da50 (git)
Affected: e48354ce078c079996f89d715dfa44814b4eba01 , < 801f287c93ff95582b0a2d2163f12870a2f076d4 (git)

Affected: 3.1
Unaffected: 0 , < 3.1 (semver)
Unaffected: 4.14.326 , ≤ 4.14.* (semver)
Unaffected: 4.19.295 , ≤ 4.19.* (semver)
Unaffected: 5.4.257 , ≤ 5.4.* (semver)
Unaffected: 5.10.197 , ≤ 5.10.* (semver)
Unaffected: 5.15.133 , ≤ 5.15.* (semver)
Unaffected: 6.1.55 , ≤ 6.1.* (semver)
Unaffected: 6.5.5 , ≤ 6.5.* (semver)
Unaffected: 6.6 , ≤ * (original_commit_for_fix)

Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/target/iscsi/iscsi_target_configfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "df349e84c2cb0dd05d98c8e1189c26ab4b116083",
              "status": "affected",
              "version": "e48354ce078c079996f89d715dfa44814b4eba01",
              "versionType": "git"
            },
            {
              "lessThan": "114b44dddea1f8f99576de3c0e6e9059012002fc",
              "status": "affected",
              "version": "e48354ce078c079996f89d715dfa44814b4eba01",
              "versionType": "git"
            },
            {
              "lessThan": "2cbe6a88fbdd6e8aeab358eef61472e2de43d6f6",
              "status": "affected",
              "version": "e48354ce078c079996f89d715dfa44814b4eba01",
              "versionType": "git"
            },
            {
              "lessThan": "bbe3ff47bf09db8956bc2eeb49d2d514d256ad2a",
              "status": "affected",
              "version": "e48354ce078c079996f89d715dfa44814b4eba01",
              "versionType": "git"
            },
            {
              "lessThan": "5353df78c22623b42a71d51226d228a8413097e2",
              "status": "affected",
              "version": "e48354ce078c079996f89d715dfa44814b4eba01",
              "versionType": "git"
            },
            {
              "lessThan": "4738bf8b2d3635c2944b81b2a84d97b8c8b0978d",
              "status": "affected",
              "version": "e48354ce078c079996f89d715dfa44814b4eba01",
              "versionType": "git"
            },
            {
              "lessThan": "0cac6cbb9908309352a5d30c1876882771d3da50",
              "status": "affected",
              "version": "e48354ce078c079996f89d715dfa44814b4eba01",
              "versionType": "git"
            },
            {
              "lessThan": "801f287c93ff95582b0a2d2163f12870a2f076d4",
              "status": "affected",
              "version": "e48354ce078c079996f89d715dfa44814b4eba01",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/target/iscsi/iscsi_target_configfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.1"
            },
            {
              "lessThan": "3.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.326",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.295",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.257",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.133",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.55",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.5.*",
              "status": "unaffected",
              "version": "6.5.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.6",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.326",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.295",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.257",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.197",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.133",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.55",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5.5",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6",
                  "versionStartIncluding": "3.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show()\n\nThe function lio_target_nacl_info_show() uses sprintf() in a loop to print\ndetails for every iSCSI connection in a session without checking for the\nbuffer length. With enough iSCSI connections it\u0027s possible to overflow the\nbuffer provided by configfs and corrupt the memory.\n\nThis patch replaces sprintf() with sysfs_emit_at() that checks for buffer\nboundries."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-05T10:21:49.841Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/df349e84c2cb0dd05d98c8e1189c26ab4b116083"
        },
        {
          "url": "https://git.kernel.org/stable/c/114b44dddea1f8f99576de3c0e6e9059012002fc"
        },
        {
          "url": "https://git.kernel.org/stable/c/2cbe6a88fbdd6e8aeab358eef61472e2de43d6f6"
        },
        {
          "url": "https://git.kernel.org/stable/c/bbe3ff47bf09db8956bc2eeb49d2d514d256ad2a"
        },
        {
          "url": "https://git.kernel.org/stable/c/5353df78c22623b42a71d51226d228a8413097e2"
        },
        {
          "url": "https://git.kernel.org/stable/c/4738bf8b2d3635c2944b81b2a84d97b8c8b0978d"
        },
        {
          "url": "https://git.kernel.org/stable/c/0cac6cbb9908309352a5d30c1876882771d3da50"
        },
        {
          "url": "https://git.kernel.org/stable/c/801f287c93ff95582b0a2d2163f12870a2f076d4"
        }
      ],
      "title": "scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53676",
    "datePublished": "2025-10-07T15:21:31.757Z",
    "dateReserved": "2025-10-07T15:16:59.664Z",
    "dateUpdated": "2026-01-05T10:21:49.841Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50490 (GCVE-0-2022-50490)

Vulnerability from cvelistv5 – Published: 2025-10-04 15:43 – Updated: 2025-10-04 15:43

Title

bpf: Propagate error from htab_lock_bucket() to userspace

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf: Propagate error from htab_lock_bucket() to userspace In __htab_map_lookup_and_delete_batch() if htab_lock_bucket() returns -EBUSY, it will go to next bucket. Going to next bucket may not only skip the elements in current bucket silently, but also incur out-of-bound memory access or expose kernel memory to userspace if current bucket_cnt is greater than bucket_size or zero. Fixing it by stopping batch operation and returning -EBUSY when htab_lock_bucket() fails, and the application can retry or skip the busy batch as needed.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0e13425104903970a…
	https://git.kernel.org/stable/c/6bfee6eb3d6b96ae7…
	https://git.kernel.org/stable/c/4f1f39a8f1ce1b24f…
	https://git.kernel.org/stable/c/66a7a92e4d0d091e7…

Impacted products

Vendor

Product

Version

Affected: 20b6cc34ea74b6a84599c1f8a70f3315b56a1883 , < 0e13425104903970a5ede853082d3bbb4edec6f3 (git)
Affected: 20b6cc34ea74b6a84599c1f8a70f3315b56a1883 , < 6bfee6eb3d6b96ae730a542909dd22b5f9f50d58 (git)
Affected: 20b6cc34ea74b6a84599c1f8a70f3315b56a1883 , < 4f1f39a8f1ce1b24fee6852d7dcd704ce7c4334d (git)
Affected: 20b6cc34ea74b6a84599c1f8a70f3315b56a1883 , < 66a7a92e4d0d091e79148a4c6ec15d1da65f4280 (git)

Affected: 5.11
Unaffected: 0 , < 5.11 (semver)
Unaffected: 5.15.75 , ≤ 5.15.* (semver)
Unaffected: 5.19.17 , ≤ 5.19.* (semver)
Unaffected: 6.0.3 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/hashtab.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0e13425104903970a5ede853082d3bbb4edec6f3",
              "status": "affected",
              "version": "20b6cc34ea74b6a84599c1f8a70f3315b56a1883",
              "versionType": "git"
            },
            {
              "lessThan": "6bfee6eb3d6b96ae730a542909dd22b5f9f50d58",
              "status": "affected",
              "version": "20b6cc34ea74b6a84599c1f8a70f3315b56a1883",
              "versionType": "git"
            },
            {
              "lessThan": "4f1f39a8f1ce1b24fee6852d7dcd704ce7c4334d",
              "status": "affected",
              "version": "20b6cc34ea74b6a84599c1f8a70f3315b56a1883",
              "versionType": "git"
            },
            {
              "lessThan": "66a7a92e4d0d091e79148a4c6ec15d1da65f4280",
              "status": "affected",
              "version": "20b6cc34ea74b6a84599c1f8a70f3315b56a1883",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/hashtab.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.11"
            },
            {
              "lessThan": "5.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.75",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Propagate error from htab_lock_bucket() to userspace\n\nIn __htab_map_lookup_and_delete_batch() if htab_lock_bucket() returns\n-EBUSY, it will go to next bucket. Going to next bucket may not only\nskip the elements in current bucket silently, but also incur\nout-of-bound memory access or expose kernel memory to userspace if\ncurrent bucket_cnt is greater than bucket_size or zero.\n\nFixing it by stopping batch operation and returning -EBUSY when\nhtab_lock_bucket() fails, and the application can retry or skip the busy\nbatch as needed."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-04T15:43:43.790Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0e13425104903970a5ede853082d3bbb4edec6f3"
        },
        {
          "url": "https://git.kernel.org/stable/c/6bfee6eb3d6b96ae730a542909dd22b5f9f50d58"
        },
        {
          "url": "https://git.kernel.org/stable/c/4f1f39a8f1ce1b24fee6852d7dcd704ce7c4334d"
        },
        {
          "url": "https://git.kernel.org/stable/c/66a7a92e4d0d091e79148a4c6ec15d1da65f4280"
        }
      ],
      "title": "bpf: Propagate error from htab_lock_bucket() to userspace",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50490",
    "datePublished": "2025-10-04T15:43:43.790Z",
    "dateReserved": "2025-10-04T15:39:19.463Z",
    "dateUpdated": "2025-10-04T15:43:43.790Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-40204 (GCVE-0-2025-40204)

Vulnerability from cvelistv5 – Published: 2025-11-12 21:56 – Updated: 2025-12-01 06:20

Title

sctp: Fix MAC comparison to be constant-time

Summary

In the Linux kernel, the following vulnerability has been resolved: sctp: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b93fa8dc521d00d2d…
	https://git.kernel.org/stable/c/0e8b8c326c2a6de4d…
	https://git.kernel.org/stable/c/1cd60e0d0fb8f0e62…
	https://git.kernel.org/stable/c/9c05d44ec24126fc2…
	https://git.kernel.org/stable/c/ed3044b9c810c5c24…
	https://git.kernel.org/stable/c/8019b3699289fce3f…
	https://git.kernel.org/stable/c/0b32ff285ff6f6f1a…
	https://git.kernel.org/stable/c/dd91c79e4f58fbe28…

Impacted products

Vendor

Product

Version

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b93fa8dc521d00d2d44bf034fb90e0d79b036617 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0e8b8c326c2a6de4d837b1bb034ea704f4690d77 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1cd60e0d0fb8f0e62ec4499138afce6342dc9d4c (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9c05d44ec24126fc283835b68f82dba3ae985209 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ed3044b9c810c5c24eb2830053fbfe5fd134c5d4 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8019b3699289fce3f10b63f98601db97b8d105b0 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0b32ff285ff6f6f1ac1d9495787ccce8837d6405 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < dd91c79e4f58fbe2898dac84858033700e0e99fb (git)

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.301 , ≤ 5.4.* (semver)
Unaffected: 5.10.246 , ≤ 5.10.* (semver)
Unaffected: 5.15.195 , ≤ 5.15.* (semver)
Unaffected: 6.1.157 , ≤ 6.1.* (semver)
Unaffected: 6.6.113 , ≤ 6.6.* (semver)
Unaffected: 6.12.54 , ≤ 6.12.* (semver)
Unaffected: 6.17.4 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/sm_make_chunk.c",
            "net/sctp/sm_statefuns.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b93fa8dc521d00d2d44bf034fb90e0d79b036617",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0e8b8c326c2a6de4d837b1bb034ea704f4690d77",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1cd60e0d0fb8f0e62ec4499138afce6342dc9d4c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9c05d44ec24126fc283835b68f82dba3ae985209",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ed3044b9c810c5c24eb2830053fbfe5fd134c5d4",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8019b3699289fce3f10b63f98601db97b8d105b0",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0b32ff285ff6f6f1ac1d9495787ccce8837d6405",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "dd91c79e4f58fbe2898dac84858033700e0e99fb",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sctp/sm_make_chunk.c",
            "net/sctp/sm_statefuns.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.301",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.246",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.195",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.157",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.54",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.301",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.246",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.195",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.157",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.113",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.54",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.4",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: Fix MAC comparison to be constant-time\n\nTo prevent timing attacks, MACs need to be compared in constant time.\nUse the appropriate helper function for this."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-01T06:20:07.600Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b93fa8dc521d00d2d44bf034fb90e0d79b036617"
        },
        {
          "url": "https://git.kernel.org/stable/c/0e8b8c326c2a6de4d837b1bb034ea704f4690d77"
        },
        {
          "url": "https://git.kernel.org/stable/c/1cd60e0d0fb8f0e62ec4499138afce6342dc9d4c"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c05d44ec24126fc283835b68f82dba3ae985209"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed3044b9c810c5c24eb2830053fbfe5fd134c5d4"
        },
        {
          "url": "https://git.kernel.org/stable/c/8019b3699289fce3f10b63f98601db97b8d105b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/0b32ff285ff6f6f1ac1d9495787ccce8837d6405"
        },
        {
          "url": "https://git.kernel.org/stable/c/dd91c79e4f58fbe2898dac84858033700e0e99fb"
        }
      ],
      "title": "sctp: Fix MAC comparison to be constant-time",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40204",
    "datePublished": "2025-11-12T21:56:35.110Z",
    "dateReserved": "2025-04-16T07:20:57.179Z",
    "dateUpdated": "2025-12-01T06:20:07.600Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.