SUSE-SU-2026:0964-1 - Vulnerability-Lookup

SUSE-SU-2026:0964-1

Vulnerability from csaf_suse - Published: 2026-03-23 13:05 - Updated: 2026-03-23 13:05

Summary

Security update for the Linux Kernel (Live Patch 75 for SUSE Linux Enterprise 12 SP5)

Severity

Important

Notes

Title of the patch: Security update for the Linux Kernel (Live Patch 75 for SUSE Linux Enterprise 12 SP5)

Description of the patch: This update for the SUSE Linux Enterprise Kernel 4.12.14-122.283 fixes various security issues The following security issues were fixed: - CVE-2022-50697: mrp: introduce active flags to prevent UAF when applicant uninit (bsc#1255595). - CVE-2022-50756: nvme-pci: fix mempool alloc size (bsc#1256217). - CVE-2023-53781: smc: Fix use-after-free in tcp_write_timer_handler() (bsc#1254755). - CVE-2025-21738: ata: libata-sff: ensure that we cannot write outside the allocated buffer (bsc#1257118). - CVE-2025-68285: libceph: fix potential use-after-free in have_mon_and_osd_map() (bsc#1255402). - CVE-2025-68813: ipvs: fix ipv4 null-ptr-deref in route error path (bsc#1256644). - CVE-2025-71085: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() (bsc#1256624).

Patchnames: SUSE-2026-964,SUSE-SLE-Live-Patching-12-SP5-2026-964

Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

CVE-2022-50697

7 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2022-50756

7 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2023-53781

7 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2025-21738

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2025-68285

7 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2025-68813

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2025-71085

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

References

URL

Category

	https://www.suse.com/support/security/rating/	external
	https://ftp.suse.com/pub/projects/security/csaf/s…	self
	https://www.suse.com/support/update/announcement/…	self
	https://lists.suse.com/pipermail/sle-security-upd…	self
	https://bugzilla.suse.com/1254755	self
	https://bugzilla.suse.com/1255402	self
	https://bugzilla.suse.com/1255595	self
	https://bugzilla.suse.com/1256217	self
	https://bugzilla.suse.com/1256624	self
	https://bugzilla.suse.com/1256644	self
	https://bugzilla.suse.com/1257118	self
	https://www.suse.com/security/cve/CVE-2022-50697/	self
	https://www.suse.com/security/cve/CVE-2022-50756/	self
	https://www.suse.com/security/cve/CVE-2023-53781/	self
	https://www.suse.com/security/cve/CVE-2025-21738/	self
	https://www.suse.com/security/cve/CVE-2025-68285/	self
	https://www.suse.com/security/cve/CVE-2025-68813/	self
	https://www.suse.com/security/cve/CVE-2025-71085/	self
	https://www.suse.com/security/cve/CVE-2022-50697	external
	https://bugzilla.suse.com/1255594	external
	https://bugzilla.suse.com/1255595	external
	https://www.suse.com/security/cve/CVE-2022-50756	external
	https://bugzilla.suse.com/1256216	external
	https://bugzilla.suse.com/1256217	external
	https://www.suse.com/security/cve/CVE-2023-53781	external
	https://bugzilla.suse.com/1254751	external
	https://bugzilla.suse.com/1254755	external
	https://www.suse.com/security/cve/CVE-2025-21738	external
	https://bugzilla.suse.com/1238917	external
	https://bugzilla.suse.com/1257118	external
	https://www.suse.com/security/cve/CVE-2025-68285	external
	https://bugzilla.suse.com/1255401	external
	https://bugzilla.suse.com/1255402	external
	https://www.suse.com/security/cve/CVE-2025-68813	external
	https://bugzilla.suse.com/1256641	external
	https://bugzilla.suse.com/1256644	external
	https://www.suse.com/security/cve/CVE-2025-71085	external
	https://bugzilla.suse.com/1256623	external
	https://bugzilla.suse.com/1256624	external

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for the Linux Kernel (Live Patch 75 for SUSE Linux Enterprise 12 SP5)",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "\nThis update for the SUSE Linux Enterprise Kernel 4.12.14-122.283 fixes various security issues\n\nThe following security issues were fixed:\n\n- CVE-2022-50697: mrp: introduce active flags to prevent UAF when applicant uninit (bsc#1255595).\n- CVE-2022-50756: nvme-pci: fix mempool alloc size (bsc#1256217).\n- CVE-2023-53781: smc: Fix use-after-free in tcp_write_timer_handler() (bsc#1254755).\n- CVE-2025-21738: ata: libata-sff: ensure that we cannot write outside the allocated buffer (bsc#1257118).\n- CVE-2025-68285: libceph: fix potential use-after-free in have_mon_and_osd_map() (bsc#1255402).\n- CVE-2025-68813: ipvs: fix ipv4 null-ptr-deref in route error path (bsc#1256644).\n- CVE-2025-71085: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() (bsc#1256624).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2026-964,SUSE-SLE-Live-Patching-12-SP5-2026-964",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_0964-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2026:0964-1",
        "url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260964-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2026:0964-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024809.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1254755",
        "url": "https://bugzilla.suse.com/1254755"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1255402",
        "url": "https://bugzilla.suse.com/1255402"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1255595",
        "url": "https://bugzilla.suse.com/1255595"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1256217",
        "url": "https://bugzilla.suse.com/1256217"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1256624",
        "url": "https://bugzilla.suse.com/1256624"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1256644",
        "url": "https://bugzilla.suse.com/1256644"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1257118",
        "url": "https://bugzilla.suse.com/1257118"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-50697 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-50697/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-50756 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-50756/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-53781 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-53781/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-21738 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-21738/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-68285 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-68285/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-68813 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-68813/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-71085 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-71085/"
      }
    ],
    "title": "Security update for the Linux Kernel (Live Patch 75 for SUSE Linux Enterprise 12 SP5)",
    "tracking": {
      "current_release_date": "2026-03-23T13:05:59Z",
      "generator": {
        "date": "2026-03-23T13:05:59Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2026:0964-1",
      "initial_release_date": "2026-03-23T13:05:59Z",
      "revision_history": [
        {
          "date": "2026-03-23T13:05:59Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kgraft-patch-4_12_14-122_283-default-3-2.1.ppc64le",
                "product": {
                  "name": "kgraft-patch-4_12_14-122_283-default-3-2.1.ppc64le",
                  "product_id": "kgraft-patch-4_12_14-122_283-default-3-2.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kgraft-patch-4_12_14-122_283-default-3-2.1.s390x",
                "product": {
                  "name": "kgraft-patch-4_12_14-122_283-default-3-2.1.s390x",
                  "product_id": "kgraft-patch-4_12_14-122_283-default-3-2.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "kgraft-patch-4_12_14-122_283-default-3-2.1.x86_64",
                "product": {
                  "name": "kgraft-patch-4_12_14-122_283-default-3-2.1.x86_64",
                  "product_id": "kgraft-patch-4_12_14-122_283-default-3-2.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Live Patching 12 SP5",
                "product": {
                  "name": "SUSE Linux Enterprise Live Patching 12 SP5",
                  "product_id": "SUSE Linux Enterprise Live Patching 12 SP5",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-live-patching:12:sp5"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kgraft-patch-4_12_14-122_283-default-3-2.1.ppc64le as component of SUSE Linux Enterprise Live Patching 12 SP5",
          "product_id": "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.ppc64le"
        },
        "product_reference": "kgraft-patch-4_12_14-122_283-default-3-2.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Live Patching 12 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kgraft-patch-4_12_14-122_283-default-3-2.1.s390x as component of SUSE Linux Enterprise Live Patching 12 SP5",
          "product_id": "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.s390x"
        },
        "product_reference": "kgraft-patch-4_12_14-122_283-default-3-2.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Live Patching 12 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "kgraft-patch-4_12_14-122_283-default-3-2.1.x86_64 as component of SUSE Linux Enterprise Live Patching 12 SP5",
          "product_id": "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.x86_64"
        },
        "product_reference": "kgraft-patch-4_12_14-122_283-default-3-2.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Live Patching 12 SP5"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-50697",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-50697"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nmrp: introduce active flags to prevent UAF when applicant uninit\n\nThe caller of del_timer_sync must prevent restarting of the timer, If\nwe have no this synchronization, there is a small probability that the\ncancellation will not be successful.\n\nAnd syzbot report the fellowing crash:\n==================================================================\nBUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:929 [inline]\nBUG: KASAN: use-after-free in enqueue_timer+0x18/0xa4 kernel/time/timer.c:605\nWrite at addr f9ff000024df6058 by task syz-fuzzer/2256\nPointer tag: [f9], memory tag: [fe]\n\nCPU: 1 PID: 2256 Comm: syz-fuzzer Not tainted 6.1.0-rc5-syzkaller-00008-\nge01d50cbd6ee #0\nHardware name: linux,dummy-virt (DT)\nCall trace:\n dump_backtrace.part.0+0xe0/0xf0 arch/arm64/kernel/stacktrace.c:156\n dump_backtrace arch/arm64/kernel/stacktrace.c:162 [inline]\n show_stack+0x18/0x40 arch/arm64/kernel/stacktrace.c:163\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x68/0x84 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:284 [inline]\n print_report+0x1a8/0x4a0 mm/kasan/report.c:395\n kasan_report+0x94/0xb4 mm/kasan/report.c:495\n __do_kernel_fault+0x164/0x1e0 arch/arm64/mm/fault.c:320\n do_bad_area arch/arm64/mm/fault.c:473 [inline]\n do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:749\n do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:825\n el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:367\n el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:427\n el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:576\n hlist_add_head include/linux/list.h:929 [inline]\n enqueue_timer+0x18/0xa4 kernel/time/timer.c:605\n mod_timer+0x14/0x20 kernel/time/timer.c:1161\n mrp_periodic_timer_arm net/802/mrp.c:614 [inline]\n mrp_periodic_timer+0xa0/0xc0 net/802/mrp.c:627\n call_timer_fn.constprop.0+0x24/0x80 kernel/time/timer.c:1474\n expire_timers+0x98/0xc4 kernel/time/timer.c:1519\n\nTo fix it, we can introduce a new active flags to make sure the timer will\nnot restart.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.ppc64le",
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.s390x",
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-50697",
          "url": "https://www.suse.com/security/cve/CVE-2022-50697"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255594 for CVE-2022-50697",
          "url": "https://bugzilla.suse.com/1255594"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255595 for CVE-2022-50697",
          "url": "https://bugzilla.suse.com/1255595"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.s390x",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.s390x",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-23T13:05:59Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-50697"
    },
    {
      "cve": "CVE-2022-50756",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-50756"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-pci: fix mempool alloc size\n\nConvert the max size to bytes to match the units of the divisor that\ncalculates the worst-case number of PRP entries.\n\nThe result is used to determine how many PRP Lists are required. The\ncode was previously rounding this to 1 list, but we can require 2 in the\nworst case. In that scenario, the driver would corrupt memory beyond the\nsize provided by the mempool.\n\nWhile unlikely to occur (you\u0027d need a 4MB in exactly 127 phys segments\non a queue that doesn\u0027t support SGLs), this memory corruption has been\nobserved by kfence.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.ppc64le",
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.s390x",
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-50756",
          "url": "https://www.suse.com/security/cve/CVE-2022-50756"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1256216 for CVE-2022-50756",
          "url": "https://bugzilla.suse.com/1256216"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1256217 for CVE-2022-50756",
          "url": "https://bugzilla.suse.com/1256217"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.s390x",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.s390x",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-23T13:05:59Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-50756"
    },
    {
      "cve": "CVE-2023-53781",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-53781"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmc: Fix use-after-free in tcp_write_timer_handler().\n\nWith Eric\u0027s ref tracker, syzbot finally found a repro for\nuse-after-free in tcp_write_timer_handler() by kernel TCP\nsockets. [0]\n\nIf SMC creates a kernel socket in __smc_create(), the kernel\nsocket is supposed to be freed in smc_clcsock_release() by\ncalling sock_release() when we close() the parent SMC socket.\n\nHowever, at the end of smc_clcsock_release(), the kernel\nsocket\u0027s sk_state might not be TCP_CLOSE.  This means that\nwe have not called inet_csk_destroy_sock() in __tcp_close()\nand have not stopped the TCP timers.\n\nThe kernel socket\u0027s TCP timers can be fired later, so we\nneed to hold a refcnt for net as we do for MPTCP subflows\nin mptcp_subflow_create_socket().\n\n[0]:\nleaked reference.\n sk_alloc (./include/net/net_namespace.h:335 net/core/sock.c:2108)\n inet_create (net/ipv4/af_inet.c:319 net/ipv4/af_inet.c:244)\n __sock_create (net/socket.c:1546)\n smc_create (net/smc/af_smc.c:3269 net/smc/af_smc.c:3284)\n __sock_create (net/socket.c:1546)\n __sys_socket (net/socket.c:1634 net/socket.c:1618 net/socket.c:1661)\n __x64_sys_socket (net/socket.c:1672)\n do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\n==================================================================\nBUG: KASAN: slab-use-after-free in tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594)\nRead of size 1 at addr ffff888052b65e0d by task syzrepro/18091\n\nCPU: 0 PID: 18091 Comm: syzrepro Tainted: G        W          6.3.0-rc4-01174-gb5d54eb5899a #7\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.amzn2022.0.1 04/01/2014\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl (lib/dump_stack.c:107)\n print_report (mm/kasan/report.c:320 mm/kasan/report.c:430)\n kasan_report (mm/kasan/report.c:538)\n tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594)\n tcp_write_timer (./include/linux/spinlock.h:390 net/ipv4/tcp_timer.c:643)\n call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701)\n __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2022)\n run_timer_softirq (kernel/time/timer.c:2037)\n __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572)\n __irq_exit_rcu (kernel/softirq.c:445 kernel/softirq.c:650)\n irq_exit_rcu (kernel/softirq.c:664)\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1107 (discriminator 14))\n \u003c/IRQ\u003e",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.ppc64le",
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.s390x",
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-53781",
          "url": "https://www.suse.com/security/cve/CVE-2023-53781"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1254751 for CVE-2023-53781",
          "url": "https://bugzilla.suse.com/1254751"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1254755 for CVE-2023-53781",
          "url": "https://bugzilla.suse.com/1254755"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.s390x",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.s390x",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-23T13:05:59Z",
          "details": "important"
        }
      ],
      "title": "CVE-2023-53781"
    },
    {
      "cve": "CVE-2025-21738",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-21738"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: libata-sff: Ensure that we cannot write outside the allocated buffer\n\nreveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_len\nset to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set to\nATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() to\nwrite outside the allocated buffer, overwriting random memory.\n\nWhile a ATA device is supposed to abort a ATA_NOP command, there does seem\nto be a bug either in libata-sff or QEMU, where either this status is not\nset, or the status is cleared before read by ata_sff_hsm_move().\nAnyway, that is most likely a separate bug.\n\nLooking at __atapi_pio_bytes(), it already has a safety check to ensure\nthat __atapi_pio_bytes() cannot write outside the allocated buffer.\n\nAdd a similar check to ata_pio_sector(), such that also ata_pio_sector()\ncannot write outside the allocated buffer.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.ppc64le",
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.s390x",
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-21738",
          "url": "https://www.suse.com/security/cve/CVE-2025-21738"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1238917 for CVE-2025-21738",
          "url": "https://bugzilla.suse.com/1238917"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1257118 for CVE-2025-21738",
          "url": "https://bugzilla.suse.com/1257118"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.s390x",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.s390x",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-23T13:05:59Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-21738"
    },
    {
      "cve": "CVE-2025-68285",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-68285"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: fix potential use-after-free in have_mon_and_osd_map()\n\nThe wait loop in __ceph_open_session() can race with the client\nreceiving a new monmap or osdmap shortly after the initial map is\nreceived.  Both ceph_monc_handle_map() and handle_one_map() install\na new map immediately after freeing the old one\n\n    kfree(monc-\u003emonmap);\n    monc-\u003emonmap = monmap;\n\n    ceph_osdmap_destroy(osdc-\u003eosdmap);\n    osdc-\u003eosdmap = newmap;\n\nunder client-\u003emonc.mutex and client-\u003eosdc.lock respectively, but\nbecause neither is taken in have_mon_and_osd_map() it\u0027s possible for\nclient-\u003emonc.monmap-\u003eepoch and client-\u003eosdc.osdmap-\u003eepoch arms in\n\n    client-\u003emonc.monmap \u0026\u0026 client-\u003emonc.monmap-\u003eepoch \u0026\u0026\n        client-\u003eosdc.osdmap \u0026\u0026 client-\u003eosdc.osdmap-\u003eepoch;\n\ncondition to dereference an already freed map.  This happens to be\nreproducible with generic/395 and generic/397 with KASAN enabled:\n\n    BUG: KASAN: slab-use-after-free in have_mon_and_osd_map+0x56/0x70\n    Read of size 4 at addr ffff88811012d810 by task mount.ceph/13305\n    CPU: 2 UID: 0 PID: 13305 Comm: mount.ceph Not tainted 6.14.0-rc2-build2+ #1266\n    ...\n    Call Trace:\n    \u003cTASK\u003e\n    have_mon_and_osd_map+0x56/0x70\n    ceph_open_session+0x182/0x290\n    ceph_get_tree+0x333/0x680\n    vfs_get_tree+0x49/0x180\n    do_new_mount+0x1a3/0x2d0\n    path_mount+0x6dd/0x730\n    do_mount+0x99/0xe0\n    __do_sys_mount+0x141/0x180\n    do_syscall_64+0x9f/0x100\n    entry_SYSCALL_64_after_hwframe+0x76/0x7e\n    \u003c/TASK\u003e\n\n    Allocated by task 13305:\n    ceph_osdmap_alloc+0x16/0x130\n    ceph_osdc_init+0x27a/0x4c0\n    ceph_create_client+0x153/0x190\n    create_fs_client+0x50/0x2a0\n    ceph_get_tree+0xff/0x680\n    vfs_get_tree+0x49/0x180\n    do_new_mount+0x1a3/0x2d0\n    path_mount+0x6dd/0x730\n    do_mount+0x99/0xe0\n    __do_sys_mount+0x141/0x180\n    do_syscall_64+0x9f/0x100\n    entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n    Freed by task 9475:\n    kfree+0x212/0x290\n    handle_one_map+0x23c/0x3b0\n    ceph_osdc_handle_map+0x3c9/0x590\n    mon_dispatch+0x655/0x6f0\n    ceph_con_process_message+0xc3/0xe0\n    ceph_con_v1_try_read+0x614/0x760\n    ceph_con_workfn+0x2de/0x650\n    process_one_work+0x486/0x7c0\n    process_scheduled_works+0x73/0x90\n    worker_thread+0x1c8/0x2a0\n    kthread+0x2ec/0x300\n    ret_from_fork+0x24/0x40\n    ret_from_fork_asm+0x1a/0x30\n\nRewrite the wait loop to check the above condition directly with\nclient-\u003emonc.mutex and client-\u003eosdc.lock taken as appropriate.  While\nat it, improve the timeout handling (previously mount_timeout could be\nexceeded in case wait_event_interruptible_timeout() slept more than\nonce) and access client-\u003eauth_err under client-\u003emonc.mutex to match\nhow it\u0027s set in finish_auth().\n\nmonmap_show() and osdmap_show() now take the respective lock before\naccessing the map as well.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.ppc64le",
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.s390x",
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-68285",
          "url": "https://www.suse.com/security/cve/CVE-2025-68285"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255401 for CVE-2025-68285",
          "url": "https://bugzilla.suse.com/1255401"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255402 for CVE-2025-68285",
          "url": "https://bugzilla.suse.com/1255402"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.s390x",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.s390x",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-23T13:05:59Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-68285"
    },
    {
      "cve": "CVE-2025-68813",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-68813"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: fix ipv4 null-ptr-deref in route error path\n\nThe IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure()\nwithout ensuring skb-\u003edev is set, leading to a NULL pointer dereference\nin fib_compute_spec_dst() when ipv4_link_failure() attempts to send\nICMP destination unreachable messages.\n\nThe issue emerged after commit ed0de45a1008 (\"ipv4: recompile ip options\nin ipv4_link_failure\") started calling __ip_options_compile() from\nipv4_link_failure(). This code path eventually calls fib_compute_spec_dst()\nwhich dereferences skb-\u003edev. An attempt was made to fix the NULL skb-\u003edev\ndereference in commit 0113d9c9d1cc (\"ipv4: fix null-deref in\nipv4_link_failure\"), but it only addressed the immediate dev_net(skb-\u003edev)\ndereference by using a fallback device. The fix was incomplete because\nfib_compute_spec_dst() later in the call chain still accesses skb-\u003edev\ndirectly, which remains NULL when IPVS calls dst_link_failure().\n\nThe crash occurs when:\n1. IPVS processes a packet in NAT mode with a misconfigured destination\n2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route\n3. The error path calls dst_link_failure(skb) with skb-\u003edev == NULL\n4. ipv4_link_failure() -\u003e ipv4_send_dest_unreach() -\u003e\n   __ip_options_compile() -\u003e fib_compute_spec_dst()\n5. fib_compute_spec_dst() dereferences NULL skb-\u003edev\n\nApply the same fix used for IPv6 in commit 326bf17ea5d4 (\"ipvs: fix\nipv6 route unreach panic\"): set skb-\u003edev from skb_dst(skb)-\u003edev before\ncalling dst_link_failure().\n\nKASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f]\nCPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2\nRIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233\nRIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285\nCall Trace:\n  \u003cTASK\u003e\n  spec_dst_fill net/ipv4/ip_options.c:232\n  spec_dst_fill net/ipv4/ip_options.c:229\n  __ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330\n  ipv4_send_dest_unreach net/ipv4/route.c:1252\n  ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265\n  dst_link_failure include/net/dst.h:437\n  __ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412\n  ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.ppc64le",
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.s390x",
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-68813",
          "url": "https://www.suse.com/security/cve/CVE-2025-68813"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1256641 for CVE-2025-68813",
          "url": "https://bugzilla.suse.com/1256641"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1256644 for CVE-2025-68813",
          "url": "https://bugzilla.suse.com/1256644"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.s390x",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.s390x",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-23T13:05:59Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-68813"
    },
    {
      "cve": "CVE-2025-71085",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-71085"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()\n\nThere exists a kernel oops caused by a BUG_ON(nhead \u003c 0) at\nnet/core/skbuff.c:2232 in pskb_expand_head().\nThis bug is triggered as part of the calipso_skbuff_setattr()\nroutine when skb_cow() is passed headroom \u003e INT_MAX\n(i.e. (int)(skb_headroom(skb) + len_delta) \u003c 0).\n\nThe root cause of the bug is due to an implicit integer cast in\n__skb_cow(). The check (headroom \u003e skb_headroom(skb)) is meant to ensure\nthat delta = headroom - skb_headroom(skb) is never negative, otherwise\nwe will trigger a BUG_ON in pskb_expand_head(). However, if\nheadroom \u003e INT_MAX and delta \u003c= -NET_SKB_PAD, the check passes, delta\nbecomes negative, and pskb_expand_head() is passed a negative value for\nnhead.\n\nFix the trigger condition in calipso_skbuff_setattr(). Avoid passing\n\"negative\" headroom sizes to skb_cow() within calipso_skbuff_setattr()\nby only using skb_cow() to grow headroom.\n\nPoC:\n\tUsing `netlabelctl` tool:\n\n        netlabelctl map del default\n        netlabelctl calipso add pass doi:7\n        netlabelctl map add default address:0::1/128 protocol:calipso,7\n\n        Then run the following PoC:\n\n        int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);\n\n        // setup msghdr\n        int cmsg_size = 2;\n        int cmsg_len = 0x60;\n        struct msghdr msg;\n        struct sockaddr_in6 dest_addr;\n        struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1,\n                        sizeof(struct cmsghdr) + cmsg_len);\n        msg.msg_name = \u0026dest_addr;\n        msg.msg_namelen = sizeof(dest_addr);\n        msg.msg_iov = NULL;\n        msg.msg_iovlen = 0;\n        msg.msg_control = cmsg;\n        msg.msg_controllen = cmsg_len;\n        msg.msg_flags = 0;\n\n        // setup sockaddr\n        dest_addr.sin6_family = AF_INET6;\n        dest_addr.sin6_port = htons(31337);\n        dest_addr.sin6_flowinfo = htonl(31337);\n        dest_addr.sin6_addr = in6addr_loopback;\n        dest_addr.sin6_scope_id = 31337;\n\n        // setup cmsghdr\n        cmsg-\u003ecmsg_len = cmsg_len;\n        cmsg-\u003ecmsg_level = IPPROTO_IPV6;\n        cmsg-\u003ecmsg_type = IPV6_HOPOPTS;\n        char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);\n        hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80\n\n        sendmsg(fd, \u0026msg, 0);",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.ppc64le",
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.s390x",
          "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-71085",
          "url": "https://www.suse.com/security/cve/CVE-2025-71085"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1256623 for CVE-2025-71085",
          "url": "https://bugzilla.suse.com/1256623"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1256624 for CVE-2025-71085",
          "url": "https://bugzilla.suse.com/1256624"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.s390x",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.ppc64le",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.s390x",
            "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_283-default-3-2.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-23T13:05:59Z",
          "details": "important"
        }
      ],
      "title": "CVE-2025-71085"
    }
  ]
}

CVE-2025-68285 (GCVE-0-2025-68285)

Vulnerability from cvelistv5 – Published: 2025-12-16 15:06 – Updated: 2026-01-02 15:34

Title

libceph: fix potential use-after-free in have_mon_and_osd_map()

Summary

In the Linux kernel, the following vulnerability has been resolved: libceph: fix potential use-after-free in have_mon_and_osd_map() The wait loop in __ceph_open_session() can race with the client receiving a new monmap or osdmap shortly after the initial map is received. Both ceph_monc_handle_map() and handle_one_map() install a new map immediately after freeing the old one kfree(monc->monmap); monc->monmap = monmap; ceph_osdmap_destroy(osdc->osdmap); osdc->osdmap = newmap; under client->monc.mutex and client->osdc.lock respectively, but because neither is taken in have_mon_and_osd_map() it's possible for client->monc.monmap->epoch and client->osdc.osdmap->epoch arms in client->monc.monmap && client->monc.monmap->epoch && client->osdc.osdmap && client->osdc.osdmap->epoch; condition to dereference an already freed map. This happens to be reproducible with generic/395 and generic/397 with KASAN enabled: BUG: KASAN: slab-use-after-free in have_mon_and_osd_map+0x56/0x70 Read of size 4 at addr ffff88811012d810 by task mount.ceph/13305 CPU: 2 UID: 0 PID: 13305 Comm: mount.ceph Not tainted 6.14.0-rc2-build2+ #1266 ... Call Trace: <TASK> have_mon_and_osd_map+0x56/0x70 ceph_open_session+0x182/0x290 ceph_get_tree+0x333/0x680 vfs_get_tree+0x49/0x180 do_new_mount+0x1a3/0x2d0 path_mount+0x6dd/0x730 do_mount+0x99/0xe0 __do_sys_mount+0x141/0x180 do_syscall_64+0x9f/0x100 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> Allocated by task 13305: ceph_osdmap_alloc+0x16/0x130 ceph_osdc_init+0x27a/0x4c0 ceph_create_client+0x153/0x190 create_fs_client+0x50/0x2a0 ceph_get_tree+0xff/0x680 vfs_get_tree+0x49/0x180 do_new_mount+0x1a3/0x2d0 path_mount+0x6dd/0x730 do_mount+0x99/0xe0 __do_sys_mount+0x141/0x180 do_syscall_64+0x9f/0x100 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 9475: kfree+0x212/0x290 handle_one_map+0x23c/0x3b0 ceph_osdc_handle_map+0x3c9/0x590 mon_dispatch+0x655/0x6f0 ceph_con_process_message+0xc3/0xe0 ceph_con_v1_try_read+0x614/0x760 ceph_con_workfn+0x2de/0x650 process_one_work+0x486/0x7c0 process_scheduled_works+0x73/0x90 worker_thread+0x1c8/0x2a0 kthread+0x2ec/0x300 ret_from_fork+0x24/0x40 ret_from_fork_asm+0x1a/0x30 Rewrite the wait loop to check the above condition directly with client->monc.mutex and client->osdc.lock taken as appropriate. While at it, improve the timeout handling (previously mount_timeout could be exceeded in case wait_event_interruptible_timeout() slept more than once) and access client->auth_err under client->monc.mutex to match how it's set in finish_auth(). monmap_show() and osdmap_show() now take the respective lock before accessing the map as well.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/bb4910c5fd436701f…
	https://git.kernel.org/stable/c/05ec43e9a9de67132…
	https://git.kernel.org/stable/c/7c8ccdc1714d9fabe…
	https://git.kernel.org/stable/c/183ad6e3b651e8fb0…
	https://git.kernel.org/stable/c/e08021b3b56b2407f…
	https://git.kernel.org/stable/c/3fc43120b22a3d4f1…
	https://git.kernel.org/stable/c/076381c261374c587…

Impacted products

Vendor

Product

Version

Affected: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < bb4910c5fd436701faf367e1b5476a5a6d2aff1c (git)
Affected: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < 05ec43e9a9de67132dc8cd3b22afef001574947f (git)
Affected: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < 7c8ccdc1714d9fabecd26e1be7db1771061acc6e (git)
Affected: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < 183ad6e3b651e8fb0b66d6a2678f4b80bfbba092 (git)
Affected: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < e08021b3b56b2407f37b5fe47b654be80cc665fb (git)
Affected: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < 3fc43120b22a3d4f1fbeff56a35ce2105b6a5683 (git)
Affected: 6822d00b5462e7a9dfa11dcc60cc25823a2107c5 , < 076381c261374c587700b3accf410bdd2dba334e (git)

Affected: 2.6.35
Unaffected: 0 , < 2.6.35 (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.197 , ≤ 5.15.* (semver)
Unaffected: 6.1.159 , ≤ 6.1.* (semver)
Unaffected: 6.6.119 , ≤ 6.6.* (semver)
Unaffected: 6.12.61 , ≤ 6.12.* (semver)
Unaffected: 6.17.11 , ≤ 6.17.* (semver)
Unaffected: 6.18 , ≤ * (original_commit_for_fix)

Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ceph/ceph_common.c",
            "net/ceph/debugfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "bb4910c5fd436701faf367e1b5476a5a6d2aff1c",
              "status": "affected",
              "version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
              "versionType": "git"
            },
            {
              "lessThan": "05ec43e9a9de67132dc8cd3b22afef001574947f",
              "status": "affected",
              "version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
              "versionType": "git"
            },
            {
              "lessThan": "7c8ccdc1714d9fabecd26e1be7db1771061acc6e",
              "status": "affected",
              "version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
              "versionType": "git"
            },
            {
              "lessThan": "183ad6e3b651e8fb0b66d6a2678f4b80bfbba092",
              "status": "affected",
              "version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
              "versionType": "git"
            },
            {
              "lessThan": "e08021b3b56b2407f37b5fe47b654be80cc665fb",
              "status": "affected",
              "version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
              "versionType": "git"
            },
            {
              "lessThan": "3fc43120b22a3d4f1fbeff56a35ce2105b6a5683",
              "status": "affected",
              "version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
              "versionType": "git"
            },
            {
              "lessThan": "076381c261374c587700b3accf410bdd2dba334e",
              "status": "affected",
              "version": "6822d00b5462e7a9dfa11dcc60cc25823a2107c5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ceph/ceph_common.c",
            "net/ceph/debugfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.35"
            },
            {
              "lessThan": "2.6.35",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.197",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.159",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.119",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.61",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.197",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.159",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.119",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.61",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.17.11",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18",
                  "versionStartIncluding": "2.6.35",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: fix potential use-after-free in have_mon_and_osd_map()\n\nThe wait loop in __ceph_open_session() can race with the client\nreceiving a new monmap or osdmap shortly after the initial map is\nreceived.  Both ceph_monc_handle_map() and handle_one_map() install\na new map immediately after freeing the old one\n\n    kfree(monc-\u003emonmap);\n    monc-\u003emonmap = monmap;\n\n    ceph_osdmap_destroy(osdc-\u003eosdmap);\n    osdc-\u003eosdmap = newmap;\n\nunder client-\u003emonc.mutex and client-\u003eosdc.lock respectively, but\nbecause neither is taken in have_mon_and_osd_map() it\u0027s possible for\nclient-\u003emonc.monmap-\u003eepoch and client-\u003eosdc.osdmap-\u003eepoch arms in\n\n    client-\u003emonc.monmap \u0026\u0026 client-\u003emonc.monmap-\u003eepoch \u0026\u0026\n        client-\u003eosdc.osdmap \u0026\u0026 client-\u003eosdc.osdmap-\u003eepoch;\n\ncondition to dereference an already freed map.  This happens to be\nreproducible with generic/395 and generic/397 with KASAN enabled:\n\n    BUG: KASAN: slab-use-after-free in have_mon_and_osd_map+0x56/0x70\n    Read of size 4 at addr ffff88811012d810 by task mount.ceph/13305\n    CPU: 2 UID: 0 PID: 13305 Comm: mount.ceph Not tainted 6.14.0-rc2-build2+ #1266\n    ...\n    Call Trace:\n    \u003cTASK\u003e\n    have_mon_and_osd_map+0x56/0x70\n    ceph_open_session+0x182/0x290\n    ceph_get_tree+0x333/0x680\n    vfs_get_tree+0x49/0x180\n    do_new_mount+0x1a3/0x2d0\n    path_mount+0x6dd/0x730\n    do_mount+0x99/0xe0\n    __do_sys_mount+0x141/0x180\n    do_syscall_64+0x9f/0x100\n    entry_SYSCALL_64_after_hwframe+0x76/0x7e\n    \u003c/TASK\u003e\n\n    Allocated by task 13305:\n    ceph_osdmap_alloc+0x16/0x130\n    ceph_osdc_init+0x27a/0x4c0\n    ceph_create_client+0x153/0x190\n    create_fs_client+0x50/0x2a0\n    ceph_get_tree+0xff/0x680\n    vfs_get_tree+0x49/0x180\n    do_new_mount+0x1a3/0x2d0\n    path_mount+0x6dd/0x730\n    do_mount+0x99/0xe0\n    __do_sys_mount+0x141/0x180\n    do_syscall_64+0x9f/0x100\n    entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\n    Freed by task 9475:\n    kfree+0x212/0x290\n    handle_one_map+0x23c/0x3b0\n    ceph_osdc_handle_map+0x3c9/0x590\n    mon_dispatch+0x655/0x6f0\n    ceph_con_process_message+0xc3/0xe0\n    ceph_con_v1_try_read+0x614/0x760\n    ceph_con_workfn+0x2de/0x650\n    process_one_work+0x486/0x7c0\n    process_scheduled_works+0x73/0x90\n    worker_thread+0x1c8/0x2a0\n    kthread+0x2ec/0x300\n    ret_from_fork+0x24/0x40\n    ret_from_fork_asm+0x1a/0x30\n\nRewrite the wait loop to check the above condition directly with\nclient-\u003emonc.mutex and client-\u003eosdc.lock taken as appropriate.  While\nat it, improve the timeout handling (previously mount_timeout could be\nexceeded in case wait_event_interruptible_timeout() slept more than\nonce) and access client-\u003eauth_err under client-\u003emonc.mutex to match\nhow it\u0027s set in finish_auth().\n\nmonmap_show() and osdmap_show() now take the respective lock before\naccessing the map as well."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:34:50.454Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/bb4910c5fd436701faf367e1b5476a5a6d2aff1c"
        },
        {
          "url": "https://git.kernel.org/stable/c/05ec43e9a9de67132dc8cd3b22afef001574947f"
        },
        {
          "url": "https://git.kernel.org/stable/c/7c8ccdc1714d9fabecd26e1be7db1771061acc6e"
        },
        {
          "url": "https://git.kernel.org/stable/c/183ad6e3b651e8fb0b66d6a2678f4b80bfbba092"
        },
        {
          "url": "https://git.kernel.org/stable/c/e08021b3b56b2407f37b5fe47b654be80cc665fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/3fc43120b22a3d4f1fbeff56a35ce2105b6a5683"
        },
        {
          "url": "https://git.kernel.org/stable/c/076381c261374c587700b3accf410bdd2dba334e"
        }
      ],
      "title": "libceph: fix potential use-after-free in have_mon_and_osd_map()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68285",
    "datePublished": "2025-12-16T15:06:07.078Z",
    "dateReserved": "2025-12-16T14:48:05.292Z",
    "dateUpdated": "2026-01-02T15:34:50.454Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-53781 (GCVE-0-2023-53781)

Vulnerability from cvelistv5 – Published: 2025-12-09 00:00 – Updated: 2025-12-09 00:00

Title

smc: Fix use-after-free in tcp_write_timer_handler().

Summary

In the Linux kernel, the following vulnerability has been resolved: smc: Fix use-after-free in tcp_write_timer_handler(). With Eric's ref tracker, syzbot finally found a repro for use-after-free in tcp_write_timer_handler() by kernel TCP sockets. [0] If SMC creates a kernel socket in __smc_create(), the kernel socket is supposed to be freed in smc_clcsock_release() by calling sock_release() when we close() the parent SMC socket. However, at the end of smc_clcsock_release(), the kernel socket's sk_state might not be TCP_CLOSE. This means that we have not called inet_csk_destroy_sock() in __tcp_close() and have not stopped the TCP timers. The kernel socket's TCP timers can be fired later, so we need to hold a refcnt for net as we do for MPTCP subflows in mptcp_subflow_create_socket(). [0]: leaked reference. sk_alloc (./include/net/net_namespace.h:335 net/core/sock.c:2108) inet_create (net/ipv4/af_inet.c:319 net/ipv4/af_inet.c:244) __sock_create (net/socket.c:1546) smc_create (net/smc/af_smc.c:3269 net/smc/af_smc.c:3284) __sock_create (net/socket.c:1546) __sys_socket (net/socket.c:1634 net/socket.c:1618 net/socket.c:1661) __x64_sys_socket (net/socket.c:1672) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) ================================================================== BUG: KASAN: slab-use-after-free in tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594) Read of size 1 at addr ffff888052b65e0d by task syzrepro/18091 CPU: 0 PID: 18091 Comm: syzrepro Tainted: G W 6.3.0-rc4-01174-gb5d54eb5899a #7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.amzn2022.0.1 04/01/2014 Call Trace: <IRQ> dump_stack_lvl (lib/dump_stack.c:107) print_report (mm/kasan/report.c:320 mm/kasan/report.c:430) kasan_report (mm/kasan/report.c:538) tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594) tcp_write_timer (./include/linux/spinlock.h:390 net/ipv4/tcp_timer.c:643) call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701) __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2022) run_timer_softirq (kernel/time/timer.c:2037) __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572) __irq_exit_rcu (kernel/softirq.c:445 kernel/softirq.c:650) irq_exit_rcu (kernel/softirq.c:664) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1107 (discriminator 14)) </IRQ>

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/1cc41c8acfc1ee30b…
	https://git.kernel.org/stable/c/9744d2bf197627037…

Impacted products

Vendor

Product

Version

Affected: ac7138746e14137a451f8539614cdd349153e0c0 , < 1cc41c8acfc1ee30b4868559058db97fa44b0137 (git)
Affected: ac7138746e14137a451f8539614cdd349153e0c0 , < 9744d2bf19762703704ecba885b7ac282c02eacf (git)

Affected: 4.11
Unaffected: 0 , < 4.11 (semver)
Unaffected: 6.2.12 , ≤ 6.2.* (semver)
Unaffected: 6.3 , ≤ * (original_commit_for_fix)

Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/smc/af_smc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1cc41c8acfc1ee30b4868559058db97fa44b0137",
              "status": "affected",
              "version": "ac7138746e14137a451f8539614cdd349153e0c0",
              "versionType": "git"
            },
            {
              "lessThan": "9744d2bf19762703704ecba885b7ac282c02eacf",
              "status": "affected",
              "version": "ac7138746e14137a451f8539614cdd349153e0c0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/smc/af_smc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.11"
            },
            {
              "lessThan": "4.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.2.*",
              "status": "unaffected",
              "version": "6.2.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.3",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2.12",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.3",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmc: Fix use-after-free in tcp_write_timer_handler().\n\nWith Eric\u0027s ref tracker, syzbot finally found a repro for\nuse-after-free in tcp_write_timer_handler() by kernel TCP\nsockets. [0]\n\nIf SMC creates a kernel socket in __smc_create(), the kernel\nsocket is supposed to be freed in smc_clcsock_release() by\ncalling sock_release() when we close() the parent SMC socket.\n\nHowever, at the end of smc_clcsock_release(), the kernel\nsocket\u0027s sk_state might not be TCP_CLOSE.  This means that\nwe have not called inet_csk_destroy_sock() in __tcp_close()\nand have not stopped the TCP timers.\n\nThe kernel socket\u0027s TCP timers can be fired later, so we\nneed to hold a refcnt for net as we do for MPTCP subflows\nin mptcp_subflow_create_socket().\n\n[0]:\nleaked reference.\n sk_alloc (./include/net/net_namespace.h:335 net/core/sock.c:2108)\n inet_create (net/ipv4/af_inet.c:319 net/ipv4/af_inet.c:244)\n __sock_create (net/socket.c:1546)\n smc_create (net/smc/af_smc.c:3269 net/smc/af_smc.c:3284)\n __sock_create (net/socket.c:1546)\n __sys_socket (net/socket.c:1634 net/socket.c:1618 net/socket.c:1661)\n __x64_sys_socket (net/socket.c:1672)\n do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\n==================================================================\nBUG: KASAN: slab-use-after-free in tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594)\nRead of size 1 at addr ffff888052b65e0d by task syzrepro/18091\n\nCPU: 0 PID: 18091 Comm: syzrepro Tainted: G        W          6.3.0-rc4-01174-gb5d54eb5899a #7\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.amzn2022.0.1 04/01/2014\nCall Trace:\n \u003cIRQ\u003e\n dump_stack_lvl (lib/dump_stack.c:107)\n print_report (mm/kasan/report.c:320 mm/kasan/report.c:430)\n kasan_report (mm/kasan/report.c:538)\n tcp_write_timer_handler (net/ipv4/tcp_timer.c:378 net/ipv4/tcp_timer.c:624 net/ipv4/tcp_timer.c:594)\n tcp_write_timer (./include/linux/spinlock.h:390 net/ipv4/tcp_timer.c:643)\n call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701)\n __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2022)\n run_timer_softirq (kernel/time/timer.c:2037)\n __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:572)\n __irq_exit_rcu (kernel/softirq.c:445 kernel/softirq.c:650)\n irq_exit_rcu (kernel/softirq.c:664)\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1107 (discriminator 14))\n \u003c/IRQ\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T00:00:36.831Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1cc41c8acfc1ee30b4868559058db97fa44b0137"
        },
        {
          "url": "https://git.kernel.org/stable/c/9744d2bf19762703704ecba885b7ac282c02eacf"
        }
      ],
      "title": "smc: Fix use-after-free in tcp_write_timer_handler().",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-53781",
    "datePublished": "2025-12-09T00:00:36.831Z",
    "dateReserved": "2025-12-08T23:58:35.272Z",
    "dateUpdated": "2025-12-09T00:00:36.831Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-68813 (GCVE-0-2025-68813)

Vulnerability from cvelistv5 – Published: 2026-01-13 15:29 – Updated: 2026-02-09 08:34

Title

ipvs: fix ipv4 null-ptr-deref in route error path

Summary

In the Linux kernel, the following vulnerability has been resolved: ipvs: fix ipv4 null-ptr-deref in route error path The IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure() without ensuring skb->dev is set, leading to a NULL pointer dereference in fib_compute_spec_dst() when ipv4_link_failure() attempts to send ICMP destination unreachable messages. The issue emerged after commit ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure") started calling __ip_options_compile() from ipv4_link_failure(). This code path eventually calls fib_compute_spec_dst() which dereferences skb->dev. An attempt was made to fix the NULL skb->dev dereference in commit 0113d9c9d1cc ("ipv4: fix null-deref in ipv4_link_failure"), but it only addressed the immediate dev_net(skb->dev) dereference by using a fallback device. The fix was incomplete because fib_compute_spec_dst() later in the call chain still accesses skb->dev directly, which remains NULL when IPVS calls dst_link_failure(). The crash occurs when: 1. IPVS processes a packet in NAT mode with a misconfigured destination 2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route 3. The error path calls dst_link_failure(skb) with skb->dev == NULL 4. ipv4_link_failure() → ipv4_send_dest_unreach() → __ip_options_compile() → fib_compute_spec_dst() 5. fib_compute_spec_dst() dereferences NULL skb->dev Apply the same fix used for IPv6 in commit 326bf17ea5d4 ("ipvs: fix ipv6 route unreach panic"): set skb->dev from skb_dst(skb)->dev before calling dst_link_failure(). KASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f] CPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2 RIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233 RIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285 Call Trace: <TASK> spec_dst_fill net/ipv4/ip_options.c:232 spec_dst_fill net/ipv4/ip_options.c:229 __ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330 ipv4_send_dest_unreach net/ipv4/route.c:1252 ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265 dst_link_failure include/net/dst.h:437 __ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412 ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/dd72a93c80408f063…
	https://git.kernel.org/stable/c/312d7cd88882fc6ca…
	https://git.kernel.org/stable/c/cdeff10851c37a002…
	https://git.kernel.org/stable/c/4729ff0581fbb7ad0…
	https://git.kernel.org/stable/c/25ab24df31f7af843…
	https://git.kernel.org/stable/c/689a627d14788ad77…
	https://git.kernel.org/stable/c/ad891bb3d079a46a8…

Impacted products

Vendor

Product

Version

Affected: ed0de45a1008991fdaa27a0152befcb74d126a8b , < dd72a93c80408f06327dd2d956eb1a656d0b5903 (git)
Affected: ed0de45a1008991fdaa27a0152befcb74d126a8b , < 312d7cd88882fc6cadcc08b02287497aaaf94bcd (git)
Affected: ed0de45a1008991fdaa27a0152befcb74d126a8b , < cdeff10851c37a002d87a035818ebd60fdb74447 (git)
Affected: ed0de45a1008991fdaa27a0152befcb74d126a8b , < 4729ff0581fbb7ad098b6153b76b6f5aac94618a (git)
Affected: ed0de45a1008991fdaa27a0152befcb74d126a8b , < 25ab24df31f7af843c96a38e0781b9165216e1a8 (git)
Affected: ed0de45a1008991fdaa27a0152befcb74d126a8b , < 689a627d14788ad772e0fa24c2e57a23dbc7ce90 (git)
Affected: ed0de45a1008991fdaa27a0152befcb74d126a8b , < ad891bb3d079a46a821bf2b8867854645191bab0 (git)
Affected: 6c2fa855d8178699706b1192db2f1f8102b0ba1e (git)
Affected: fbf569d2beee2a4a7a0bc8b619c26101d1211a88 (git)
Affected: ff71f99d5fb2daf54340e8b290d0bc4e6b4c1d38 (git)
Affected: 3d988fcddbe7b8673a231958bd2fba61b5a7ced9 (git)
Affected: 8a430e56a6485267a1b2d3747209d26c54d1a34b (git)
Affected: 6bd1ee0a993fc9574ae43c1994c54a60cb23a380 (git)

Affected: 5.1
Unaffected: 0 , < 5.1 (semver)
Unaffected: 5.10.248 , ≤ 5.10.* (semver)
Unaffected: 5.15.198 , ≤ 5.15.* (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.64 , ≤ 6.12.* (semver)
Unaffected: 6.18.3 , ≤ 6.18.* (semver)
Unaffected: 6.19 , ≤ * (original_commit_for_fix)

Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/ipvs/ip_vs_xmit.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "dd72a93c80408f06327dd2d956eb1a656d0b5903",
              "status": "affected",
              "version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
              "versionType": "git"
            },
            {
              "lessThan": "312d7cd88882fc6cadcc08b02287497aaaf94bcd",
              "status": "affected",
              "version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
              "versionType": "git"
            },
            {
              "lessThan": "cdeff10851c37a002d87a035818ebd60fdb74447",
              "status": "affected",
              "version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
              "versionType": "git"
            },
            {
              "lessThan": "4729ff0581fbb7ad098b6153b76b6f5aac94618a",
              "status": "affected",
              "version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
              "versionType": "git"
            },
            {
              "lessThan": "25ab24df31f7af843c96a38e0781b9165216e1a8",
              "status": "affected",
              "version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
              "versionType": "git"
            },
            {
              "lessThan": "689a627d14788ad772e0fa24c2e57a23dbc7ce90",
              "status": "affected",
              "version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
              "versionType": "git"
            },
            {
              "lessThan": "ad891bb3d079a46a821bf2b8867854645191bab0",
              "status": "affected",
              "version": "ed0de45a1008991fdaa27a0152befcb74d126a8b",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "6c2fa855d8178699706b1192db2f1f8102b0ba1e",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "fbf569d2beee2a4a7a0bc8b619c26101d1211a88",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "ff71f99d5fb2daf54340e8b290d0bc4e6b4c1d38",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3d988fcddbe7b8673a231958bd2fba61b5a7ced9",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "8a430e56a6485267a1b2d3747209d26c54d1a34b",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "6bd1ee0a993fc9574ae43c1994c54a60cb23a380",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/ipvs/ip_vs_xmit.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.1"
            },
            {
              "lessThan": "5.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.248",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.248",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.198",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.64",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.3",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.18.139",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.4.179",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.9.171",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.114",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.37",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.0.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvs: fix ipv4 null-ptr-deref in route error path\n\nThe IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure()\nwithout ensuring skb-\u003edev is set, leading to a NULL pointer dereference\nin fib_compute_spec_dst() when ipv4_link_failure() attempts to send\nICMP destination unreachable messages.\n\nThe issue emerged after commit ed0de45a1008 (\"ipv4: recompile ip options\nin ipv4_link_failure\") started calling __ip_options_compile() from\nipv4_link_failure(). This code path eventually calls fib_compute_spec_dst()\nwhich dereferences skb-\u003edev. An attempt was made to fix the NULL skb-\u003edev\ndereference in commit 0113d9c9d1cc (\"ipv4: fix null-deref in\nipv4_link_failure\"), but it only addressed the immediate dev_net(skb-\u003edev)\ndereference by using a fallback device. The fix was incomplete because\nfib_compute_spec_dst() later in the call chain still accesses skb-\u003edev\ndirectly, which remains NULL when IPVS calls dst_link_failure().\n\nThe crash occurs when:\n1. IPVS processes a packet in NAT mode with a misconfigured destination\n2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route\n3. The error path calls dst_link_failure(skb) with skb-\u003edev == NULL\n4. ipv4_link_failure() \u2192 ipv4_send_dest_unreach() \u2192\n   __ip_options_compile() \u2192 fib_compute_spec_dst()\n5. fib_compute_spec_dst() dereferences NULL skb-\u003edev\n\nApply the same fix used for IPv6 in commit 326bf17ea5d4 (\"ipvs: fix\nipv6 route unreach panic\"): set skb-\u003edev from skb_dst(skb)-\u003edev before\ncalling dst_link_failure().\n\nKASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f]\nCPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2\nRIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233\nRIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285\nCall Trace:\n  \u003cTASK\u003e\n  spec_dst_fill net/ipv4/ip_options.c:232\n  spec_dst_fill net/ipv4/ip_options.c:229\n  __ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330\n  ipv4_send_dest_unreach net/ipv4/route.c:1252\n  ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265\n  dst_link_failure include/net/dst.h:437\n  __ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412\n  ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-09T08:34:02.933Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/dd72a93c80408f06327dd2d956eb1a656d0b5903"
        },
        {
          "url": "https://git.kernel.org/stable/c/312d7cd88882fc6cadcc08b02287497aaaf94bcd"
        },
        {
          "url": "https://git.kernel.org/stable/c/cdeff10851c37a002d87a035818ebd60fdb74447"
        },
        {
          "url": "https://git.kernel.org/stable/c/4729ff0581fbb7ad098b6153b76b6f5aac94618a"
        },
        {
          "url": "https://git.kernel.org/stable/c/25ab24df31f7af843c96a38e0781b9165216e1a8"
        },
        {
          "url": "https://git.kernel.org/stable/c/689a627d14788ad772e0fa24c2e57a23dbc7ce90"
        },
        {
          "url": "https://git.kernel.org/stable/c/ad891bb3d079a46a821bf2b8867854645191bab0"
        }
      ],
      "title": "ipvs: fix ipv4 null-ptr-deref in route error path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-68813",
    "datePublished": "2026-01-13T15:29:18.483Z",
    "dateReserved": "2025-12-24T10:30:51.047Z",
    "dateUpdated": "2026-02-09T08:34:02.933Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-71085 (GCVE-0-2025-71085)

Vulnerability from cvelistv5 – Published: 2026-01-13 15:34 – Updated: 2026-02-09 08:34

Title

ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()

Summary

In the Linux kernel, the following vulnerability has been resolved: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() There exists a kernel oops caused by a BUG_ON(nhead < 0) at net/core/skbuff.c:2232 in pskb_expand_head(). This bug is triggered as part of the calipso_skbuff_setattr() routine when skb_cow() is passed headroom > INT_MAX (i.e. (int)(skb_headroom(skb) + len_delta) < 0). The root cause of the bug is due to an implicit integer cast in __skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure that delta = headroom - skb_headroom(skb) is never negative, otherwise we will trigger a BUG_ON in pskb_expand_head(). However, if headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta becomes negative, and pskb_expand_head() is passed a negative value for nhead. Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing "negative" headroom sizes to skb_cow() within calipso_skbuff_setattr() by only using skb_cow() to grow headroom. PoC: Using `netlabelctl` tool: netlabelctl map del default netlabelctl calipso add pass doi:7 netlabelctl map add default address:0::1/128 protocol:calipso,7 Then run the following PoC: int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP); // setup msghdr int cmsg_size = 2; int cmsg_len = 0x60; struct msghdr msg; struct sockaddr_in6 dest_addr; struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1, sizeof(struct cmsghdr) + cmsg_len); msg.msg_name = &dest_addr; msg.msg_namelen = sizeof(dest_addr); msg.msg_iov = NULL; msg.msg_iovlen = 0; msg.msg_control = cmsg; msg.msg_controllen = cmsg_len; msg.msg_flags = 0; // setup sockaddr dest_addr.sin6_family = AF_INET6; dest_addr.sin6_port = htons(31337); dest_addr.sin6_flowinfo = htonl(31337); dest_addr.sin6_addr = in6addr_loopback; dest_addr.sin6_scope_id = 31337; // setup cmsghdr cmsg->cmsg_len = cmsg_len; cmsg->cmsg_level = IPPROTO_IPV6; cmsg->cmsg_type = IPV6_HOPOPTS; char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr); hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80 sendmsg(fd, &msg, 0);

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/86f365897068d0941…
	https://git.kernel.org/stable/c/6b7522424529556c9…
	https://git.kernel.org/stable/c/2bb759062efa188ea…
	https://git.kernel.org/stable/c/c53aa6a5086f03f19…
	https://git.kernel.org/stable/c/bf3709738d8a8cc6f…
	https://git.kernel.org/stable/c/73744ad5696dce0e0…
	https://git.kernel.org/stable/c/58fc7342b529803d3…

Impacted products

Vendor

Product

Version

Affected: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < 86f365897068d09418488165a68b23cb5baa37f2 (git)
Affected: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < 6b7522424529556c9cbc15e15e7bd4eeae310910 (git)
Affected: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < 2bb759062efa188ea5d07242a43e5aa5464bbae1 (git)
Affected: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < c53aa6a5086f03f19564096ee084a202a8c738c0 (git)
Affected: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < bf3709738d8a8cc6fa275773170c5c29511a0b24 (git)
Affected: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < 73744ad5696dce0e0f43872aba8de6a83d6ad570 (git)
Affected: 2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3 , < 58fc7342b529803d3c221101102fe913df7adb83 (git)

Affected: 4.8
Unaffected: 0 , < 4.8 (semver)
Unaffected: 5.10.248 , ≤ 5.10.* (semver)
Unaffected: 5.15.198 , ≤ 5.15.* (semver)
Unaffected: 6.1.160 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.64 , ≤ 6.12.* (semver)
Unaffected: 6.18.4 , ≤ 6.18.* (semver)
Unaffected: 6.19 , ≤ * (original_commit_for_fix)

Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/calipso.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "86f365897068d09418488165a68b23cb5baa37f2",
              "status": "affected",
              "version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
              "versionType": "git"
            },
            {
              "lessThan": "6b7522424529556c9cbc15e15e7bd4eeae310910",
              "status": "affected",
              "version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
              "versionType": "git"
            },
            {
              "lessThan": "2bb759062efa188ea5d07242a43e5aa5464bbae1",
              "status": "affected",
              "version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
              "versionType": "git"
            },
            {
              "lessThan": "c53aa6a5086f03f19564096ee084a202a8c738c0",
              "status": "affected",
              "version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
              "versionType": "git"
            },
            {
              "lessThan": "bf3709738d8a8cc6fa275773170c5c29511a0b24",
              "status": "affected",
              "version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
              "versionType": "git"
            },
            {
              "lessThan": "73744ad5696dce0e0f43872aba8de6a83d6ad570",
              "status": "affected",
              "version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
              "versionType": "git"
            },
            {
              "lessThan": "58fc7342b529803d3c221101102fe913df7adb83",
              "status": "affected",
              "version": "2917f57b6bc15cc6787496ee5f2fdf17f0e9b7d3",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/calipso.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.248",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.248",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.198",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.160",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.64",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.4",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()\n\nThere exists a kernel oops caused by a BUG_ON(nhead \u003c 0) at\nnet/core/skbuff.c:2232 in pskb_expand_head().\nThis bug is triggered as part of the calipso_skbuff_setattr()\nroutine when skb_cow() is passed headroom \u003e INT_MAX\n(i.e. (int)(skb_headroom(skb) + len_delta) \u003c 0).\n\nThe root cause of the bug is due to an implicit integer cast in\n__skb_cow(). The check (headroom \u003e skb_headroom(skb)) is meant to ensure\nthat delta = headroom - skb_headroom(skb) is never negative, otherwise\nwe will trigger a BUG_ON in pskb_expand_head(). However, if\nheadroom \u003e INT_MAX and delta \u003c= -NET_SKB_PAD, the check passes, delta\nbecomes negative, and pskb_expand_head() is passed a negative value for\nnhead.\n\nFix the trigger condition in calipso_skbuff_setattr(). Avoid passing\n\"negative\" headroom sizes to skb_cow() within calipso_skbuff_setattr()\nby only using skb_cow() to grow headroom.\n\nPoC:\n\tUsing `netlabelctl` tool:\n\n        netlabelctl map del default\n        netlabelctl calipso add pass doi:7\n        netlabelctl map add default address:0::1/128 protocol:calipso,7\n\n        Then run the following PoC:\n\n        int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);\n\n        // setup msghdr\n        int cmsg_size = 2;\n        int cmsg_len = 0x60;\n        struct msghdr msg;\n        struct sockaddr_in6 dest_addr;\n        struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1,\n                        sizeof(struct cmsghdr) + cmsg_len);\n        msg.msg_name = \u0026dest_addr;\n        msg.msg_namelen = sizeof(dest_addr);\n        msg.msg_iov = NULL;\n        msg.msg_iovlen = 0;\n        msg.msg_control = cmsg;\n        msg.msg_controllen = cmsg_len;\n        msg.msg_flags = 0;\n\n        // setup sockaddr\n        dest_addr.sin6_family = AF_INET6;\n        dest_addr.sin6_port = htons(31337);\n        dest_addr.sin6_flowinfo = htonl(31337);\n        dest_addr.sin6_addr = in6addr_loopback;\n        dest_addr.sin6_scope_id = 31337;\n\n        // setup cmsghdr\n        cmsg-\u003ecmsg_len = cmsg_len;\n        cmsg-\u003ecmsg_level = IPPROTO_IPV6;\n        cmsg-\u003ecmsg_type = IPV6_HOPOPTS;\n        char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);\n        hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80\n\n        sendmsg(fd, \u0026msg, 0);"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-09T08:34:36.802Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/86f365897068d09418488165a68b23cb5baa37f2"
        },
        {
          "url": "https://git.kernel.org/stable/c/6b7522424529556c9cbc15e15e7bd4eeae310910"
        },
        {
          "url": "https://git.kernel.org/stable/c/2bb759062efa188ea5d07242a43e5aa5464bbae1"
        },
        {
          "url": "https://git.kernel.org/stable/c/c53aa6a5086f03f19564096ee084a202a8c738c0"
        },
        {
          "url": "https://git.kernel.org/stable/c/bf3709738d8a8cc6fa275773170c5c29511a0b24"
        },
        {
          "url": "https://git.kernel.org/stable/c/73744ad5696dce0e0f43872aba8de6a83d6ad570"
        },
        {
          "url": "https://git.kernel.org/stable/c/58fc7342b529803d3c221101102fe913df7adb83"
        }
      ],
      "title": "ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-71085",
    "datePublished": "2026-01-13T15:34:48.324Z",
    "dateReserved": "2026-01-13T15:30:19.649Z",
    "dateUpdated": "2026-02-09T08:34:36.802Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21738 (GCVE-0-2025-21738)

Vulnerability from cvelistv5 – Published: 2025-02-27 02:12 – Updated: 2026-01-02 15:28

Title

ata: libata-sff: Ensure that we cannot write outside the allocated buffer

Summary

In the Linux kernel, the following vulnerability has been resolved: ata: libata-sff: Ensure that we cannot write outside the allocated buffer reveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_len set to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set to ATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() to write outside the allocated buffer, overwriting random memory. While a ATA device is supposed to abort a ATA_NOP command, there does seem to be a bug either in libata-sff or QEMU, where either this status is not set, or the status is cleared before read by ata_sff_hsm_move(). Anyway, that is most likely a separate bug. Looking at __atapi_pio_bytes(), it already has a safety check to ensure that __atapi_pio_bytes() cannot write outside the allocated buffer. Add a similar check to ata_pio_sector(), such that also ata_pio_sector() cannot write outside the allocated buffer.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a8f8cf87059ed1905…
	https://git.kernel.org/stable/c/d5e6e3000309359ea…
	https://git.kernel.org/stable/c/0dd5aade301a10f4b…
	https://git.kernel.org/stable/c/0a17a9944b8d89ef0…
	https://git.kernel.org/stable/c/6e74e53b34b6dec5a…

Impacted products

Vendor

Product

Version

Affected: 5a5dbd18a7496ed403f6f54bb20c955c65482fa5 , < a8f8cf87059ed1905c2a5c72f8b39a4f57b11b4c (git)
Affected: 5a5dbd18a7496ed403f6f54bb20c955c65482fa5 , < d5e6e3000309359eae2a17117aa6e3c44897bf6c (git)
Affected: 5a5dbd18a7496ed403f6f54bb20c955c65482fa5 , < 0dd5aade301a10f4b329fa7454fdcc2518741902 (git)
Affected: 5a5dbd18a7496ed403f6f54bb20c955c65482fa5 , < 0a17a9944b8d89ef03946121241870ac53ddaf45 (git)
Affected: 5a5dbd18a7496ed403f6f54bb20c955c65482fa5 , < 6e74e53b34b6dec5a50e1404e2680852ec6768d2 (git)

Affected: 2.6.22
Unaffected: 0 , < 2.6.22 (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.6.78 , ≤ 6.6.* (semver)
Unaffected: 6.12.14 , ≤ 6.12.* (semver)
Unaffected: 6.13.3 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:36:44.548Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/ata/libata-sff.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a8f8cf87059ed1905c2a5c72f8b39a4f57b11b4c",
              "status": "affected",
              "version": "5a5dbd18a7496ed403f6f54bb20c955c65482fa5",
              "versionType": "git"
            },
            {
              "lessThan": "d5e6e3000309359eae2a17117aa6e3c44897bf6c",
              "status": "affected",
              "version": "5a5dbd18a7496ed403f6f54bb20c955c65482fa5",
              "versionType": "git"
            },
            {
              "lessThan": "0dd5aade301a10f4b329fa7454fdcc2518741902",
              "status": "affected",
              "version": "5a5dbd18a7496ed403f6f54bb20c955c65482fa5",
              "versionType": "git"
            },
            {
              "lessThan": "0a17a9944b8d89ef03946121241870ac53ddaf45",
              "status": "affected",
              "version": "5a5dbd18a7496ed403f6f54bb20c955c65482fa5",
              "versionType": "git"
            },
            {
              "lessThan": "6e74e53b34b6dec5a50e1404e2680852ec6768d2",
              "status": "affected",
              "version": "5a5dbd18a7496ed403f6f54bb20c955c65482fa5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/ata/libata-sff.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.22"
            },
            {
              "lessThan": "2.6.22",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: libata-sff: Ensure that we cannot write outside the allocated buffer\n\nreveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_len\nset to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set to\nATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() to\nwrite outside the allocated buffer, overwriting random memory.\n\nWhile a ATA device is supposed to abort a ATA_NOP command, there does seem\nto be a bug either in libata-sff or QEMU, where either this status is not\nset, or the status is cleared before read by ata_sff_hsm_move().\nAnyway, that is most likely a separate bug.\n\nLooking at __atapi_pio_bytes(), it already has a safety check to ensure\nthat __atapi_pio_bytes() cannot write outside the allocated buffer.\n\nAdd a similar check to ata_pio_sector(), such that also ata_pio_sector()\ncannot write outside the allocated buffer."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:28:29.370Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a8f8cf87059ed1905c2a5c72f8b39a4f57b11b4c"
        },
        {
          "url": "https://git.kernel.org/stable/c/d5e6e3000309359eae2a17117aa6e3c44897bf6c"
        },
        {
          "url": "https://git.kernel.org/stable/c/0dd5aade301a10f4b329fa7454fdcc2518741902"
        },
        {
          "url": "https://git.kernel.org/stable/c/0a17a9944b8d89ef03946121241870ac53ddaf45"
        },
        {
          "url": "https://git.kernel.org/stable/c/6e74e53b34b6dec5a50e1404e2680852ec6768d2"
        }
      ],
      "title": "ata: libata-sff: Ensure that we cannot write outside the allocated buffer",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21738",
    "datePublished": "2025-02-27T02:12:13.942Z",
    "dateReserved": "2024-12-29T08:45:45.757Z",
    "dateUpdated": "2026-01-02T15:28:29.370Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50756 (GCVE-0-2022-50756)

Vulnerability from cvelistv5 – Published: 2025-12-24 13:05 – Updated: 2025-12-24 13:05

Title

nvme-pci: fix mempool alloc size

Summary

In the Linux kernel, the following vulnerability has been resolved: nvme-pci: fix mempool alloc size Convert the max size to bytes to match the units of the divisor that calculates the worst-case number of PRP entries. The result is used to determine how many PRP Lists are required. The code was previously rounding this to 1 list, but we can require 2 in the worst case. In that scenario, the driver would corrupt memory beyond the size provided by the mempool. While unlikely to occur (you'd need a 4MB in exactly 127 phys segments on a queue that doesn't support SGLs), this memory corruption has been observed by kfence.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/dfb6d54893d544151…
	https://git.kernel.org/stable/c/9141144b37f30e3e7…
	https://git.kernel.org/stable/c/e1777b4286e526c58…
	https://git.kernel.org/stable/c/b1814724e0d7162bd…
	https://git.kernel.org/stable/c/c89a529e823d51dd2…

Impacted products

Vendor

Product

Version

Affected: 943e942e6266f22babee5efeb00f8f672fbff5bd , < dfb6d54893d544151e7f480bc44cfe7823f5ad23 (git)
Affected: 943e942e6266f22babee5efeb00f8f672fbff5bd , < 9141144b37f30e3e7fa024bcfa0a13011e546ba9 (git)
Affected: 943e942e6266f22babee5efeb00f8f672fbff5bd , < e1777b4286e526c58b4ee699344b0ad85aaf83a0 (git)
Affected: 943e942e6266f22babee5efeb00f8f672fbff5bd , < b1814724e0d7162bdf4799f2d565381bc2251c63 (git)
Affected: 943e942e6266f22babee5efeb00f8f672fbff5bd , < c89a529e823d51dd23c7ec0c047c7a454a428541 (git)

Affected: 4.18
Unaffected: 0 , < 4.18 (semver)
Unaffected: 5.10.163 , ≤ 5.10.* (semver)
Unaffected: 5.15.87 , ≤ 5.15.* (semver)
Unaffected: 6.0.17 , ≤ 6.0.* (semver)
Unaffected: 6.1.3 , ≤ 6.1.* (semver)
Unaffected: 6.2 , ≤ * (original_commit_for_fix)

Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvme/host/pci.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "dfb6d54893d544151e7f480bc44cfe7823f5ad23",
              "status": "affected",
              "version": "943e942e6266f22babee5efeb00f8f672fbff5bd",
              "versionType": "git"
            },
            {
              "lessThan": "9141144b37f30e3e7fa024bcfa0a13011e546ba9",
              "status": "affected",
              "version": "943e942e6266f22babee5efeb00f8f672fbff5bd",
              "versionType": "git"
            },
            {
              "lessThan": "e1777b4286e526c58b4ee699344b0ad85aaf83a0",
              "status": "affected",
              "version": "943e942e6266f22babee5efeb00f8f672fbff5bd",
              "versionType": "git"
            },
            {
              "lessThan": "b1814724e0d7162bdf4799f2d565381bc2251c63",
              "status": "affected",
              "version": "943e942e6266f22babee5efeb00f8f672fbff5bd",
              "versionType": "git"
            },
            {
              "lessThan": "c89a529e823d51dd23c7ec0c047c7a454a428541",
              "status": "affected",
              "version": "943e942e6266f22babee5efeb00f8f672fbff5bd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvme/host/pci.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.18"
            },
            {
              "lessThan": "4.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.163",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.163",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.87",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.17",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.3",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-pci: fix mempool alloc size\n\nConvert the max size to bytes to match the units of the divisor that\ncalculates the worst-case number of PRP entries.\n\nThe result is used to determine how many PRP Lists are required. The\ncode was previously rounding this to 1 list, but we can require 2 in the\nworst case. In that scenario, the driver would corrupt memory beyond the\nsize provided by the mempool.\n\nWhile unlikely to occur (you\u0027d need a 4MB in exactly 127 phys segments\non a queue that doesn\u0027t support SGLs), this memory corruption has been\nobserved by kfence."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-24T13:05:49.635Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/dfb6d54893d544151e7f480bc44cfe7823f5ad23"
        },
        {
          "url": "https://git.kernel.org/stable/c/9141144b37f30e3e7fa024bcfa0a13011e546ba9"
        },
        {
          "url": "https://git.kernel.org/stable/c/e1777b4286e526c58b4ee699344b0ad85aaf83a0"
        },
        {
          "url": "https://git.kernel.org/stable/c/b1814724e0d7162bdf4799f2d565381bc2251c63"
        },
        {
          "url": "https://git.kernel.org/stable/c/c89a529e823d51dd23c7ec0c047c7a454a428541"
        }
      ],
      "title": "nvme-pci: fix mempool alloc size",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50756",
    "datePublished": "2025-12-24T13:05:49.635Z",
    "dateReserved": "2025-12-24T13:02:21.545Z",
    "dateUpdated": "2025-12-24T13:05:49.635Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-50697 (GCVE-0-2022-50697)

Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2026-01-02 15:03

Title

mrp: introduce active flags to prevent UAF when applicant uninit

Summary

In the Linux kernel, the following vulnerability has been resolved: mrp: introduce active flags to prevent UAF when applicant uninit The caller of del_timer_sync must prevent restarting of the timer, If we have no this synchronization, there is a small probability that the cancellation will not be successful. And syzbot report the fellowing crash: ================================================================== BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:929 [inline] BUG: KASAN: use-after-free in enqueue_timer+0x18/0xa4 kernel/time/timer.c:605 Write at addr f9ff000024df6058 by task syz-fuzzer/2256 Pointer tag: [f9], memory tag: [fe] CPU: 1 PID: 2256 Comm: syz-fuzzer Not tainted 6.1.0-rc5-syzkaller-00008- ge01d50cbd6ee #0 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace.part.0+0xe0/0xf0 arch/arm64/kernel/stacktrace.c:156 dump_backtrace arch/arm64/kernel/stacktrace.c:162 [inline] show_stack+0x18/0x40 arch/arm64/kernel/stacktrace.c:163 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x68/0x84 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x1a8/0x4a0 mm/kasan/report.c:395 kasan_report+0x94/0xb4 mm/kasan/report.c:495 __do_kernel_fault+0x164/0x1e0 arch/arm64/mm/fault.c:320 do_bad_area arch/arm64/mm/fault.c:473 [inline] do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:749 do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:825 el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:367 el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:427 el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:576 hlist_add_head include/linux/list.h:929 [inline] enqueue_timer+0x18/0xa4 kernel/time/timer.c:605 mod_timer+0x14/0x20 kernel/time/timer.c:1161 mrp_periodic_timer_arm net/802/mrp.c:614 [inline] mrp_periodic_timer+0xa0/0xc0 net/802/mrp.c:627 call_timer_fn.constprop.0+0x24/0x80 kernel/time/timer.c:1474 expire_timers+0x98/0xc4 kernel/time/timer.c:1519 To fix it, we can introduce a new active flags to make sure the timer will not restart.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/98f53e591940e4c38…
	https://git.kernel.org/stable/c/aacffc1a8dbf67c54…
	https://git.kernel.org/stable/c/78d48bc41f7726113…
	https://git.kernel.org/stable/c/aadb1507a77b060c5…
	https://git.kernel.org/stable/c/755eb0879224ffc2a…
	https://git.kernel.org/stable/c/5d5a481a7fd0234f6…
	https://git.kernel.org/stable/c/1a185fe83c2a60c1e…
	https://git.kernel.org/stable/c/563e45fd5046045cc…
	https://git.kernel.org/stable/c/ab0377803dafc58f1…

Impacted products

Vendor

Product

Version

Affected: febf018d22347b5df94066bca05d0c11a84e839d , < 98f53e591940e4c3818be358c5dc684d5b30cb56 (git)
Affected: febf018d22347b5df94066bca05d0c11a84e839d , < aacffc1a8dbf67c5463cb4f67b37143c01ca6fa9 (git)
Affected: febf018d22347b5df94066bca05d0c11a84e839d , < 78d48bc41f7726113c9f114268d3ab11212814da (git)
Affected: febf018d22347b5df94066bca05d0c11a84e839d , < aadb1507a77b060c529edfeaf67f803e31461f24 (git)
Affected: febf018d22347b5df94066bca05d0c11a84e839d , < 755eb0879224ffc2a43de724554aeaf0e51e5a64 (git)
Affected: febf018d22347b5df94066bca05d0c11a84e839d , < 5d5a481a7fd0234f617535dc464ea010804a1129 (git)
Affected: febf018d22347b5df94066bca05d0c11a84e839d , < 1a185fe83c2a60c1e3596fb9d82dbeb148dc09c6 (git)
Affected: febf018d22347b5df94066bca05d0c11a84e839d , < 563e45fd5046045cc194af3ba17f5423e1c98170 (git)
Affected: febf018d22347b5df94066bca05d0c11a84e839d , < ab0377803dafc58f1e22296708c1c28e309414d6 (git)

Affected: 3.9
Unaffected: 0 , < 3.9 (semver)
Unaffected: 4.9.337 , ≤ 4.9.* (semver)
Unaffected: 4.14.303 , ≤ 4.14.* (semver)
Unaffected: 4.19.270 , ≤ 4.19.* (semver)
Unaffected: 5.4.229 , ≤ 5.4.* (semver)
Unaffected: 5.10.163 , ≤ 5.10.* (semver)
Unaffected: 5.15.86 , ≤ 5.15.* (semver)
Unaffected: 6.0.16 , ≤ 6.0.* (semver)
Unaffected: 6.1.2 , ≤ 6.1.* (semver)
Unaffected: 6.2 , ≤ * (original_commit_for_fix)

Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/mrp.h",
            "net/802/mrp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "98f53e591940e4c3818be358c5dc684d5b30cb56",
              "status": "affected",
              "version": "febf018d22347b5df94066bca05d0c11a84e839d",
              "versionType": "git"
            },
            {
              "lessThan": "aacffc1a8dbf67c5463cb4f67b37143c01ca6fa9",
              "status": "affected",
              "version": "febf018d22347b5df94066bca05d0c11a84e839d",
              "versionType": "git"
            },
            {
              "lessThan": "78d48bc41f7726113c9f114268d3ab11212814da",
              "status": "affected",
              "version": "febf018d22347b5df94066bca05d0c11a84e839d",
              "versionType": "git"
            },
            {
              "lessThan": "aadb1507a77b060c529edfeaf67f803e31461f24",
              "status": "affected",
              "version": "febf018d22347b5df94066bca05d0c11a84e839d",
              "versionType": "git"
            },
            {
              "lessThan": "755eb0879224ffc2a43de724554aeaf0e51e5a64",
              "status": "affected",
              "version": "febf018d22347b5df94066bca05d0c11a84e839d",
              "versionType": "git"
            },
            {
              "lessThan": "5d5a481a7fd0234f617535dc464ea010804a1129",
              "status": "affected",
              "version": "febf018d22347b5df94066bca05d0c11a84e839d",
              "versionType": "git"
            },
            {
              "lessThan": "1a185fe83c2a60c1e3596fb9d82dbeb148dc09c6",
              "status": "affected",
              "version": "febf018d22347b5df94066bca05d0c11a84e839d",
              "versionType": "git"
            },
            {
              "lessThan": "563e45fd5046045cc194af3ba17f5423e1c98170",
              "status": "affected",
              "version": "febf018d22347b5df94066bca05d0c11a84e839d",
              "versionType": "git"
            },
            {
              "lessThan": "ab0377803dafc58f1e22296708c1c28e309414d6",
              "status": "affected",
              "version": "febf018d22347b5df94066bca05d0c11a84e839d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/mrp.h",
            "net/802/mrp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.9"
            },
            {
              "lessThan": "3.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.337",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.303",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.270",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.229",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.163",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.337",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.303",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.270",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.229",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.163",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.86",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.16",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.2",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmrp: introduce active flags to prevent UAF when applicant uninit\n\nThe caller of del_timer_sync must prevent restarting of the timer, If\nwe have no this synchronization, there is a small probability that the\ncancellation will not be successful.\n\nAnd syzbot report the fellowing crash:\n==================================================================\nBUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:929 [inline]\nBUG: KASAN: use-after-free in enqueue_timer+0x18/0xa4 kernel/time/timer.c:605\nWrite at addr f9ff000024df6058 by task syz-fuzzer/2256\nPointer tag: [f9], memory tag: [fe]\n\nCPU: 1 PID: 2256 Comm: syz-fuzzer Not tainted 6.1.0-rc5-syzkaller-00008-\nge01d50cbd6ee #0\nHardware name: linux,dummy-virt (DT)\nCall trace:\n dump_backtrace.part.0+0xe0/0xf0 arch/arm64/kernel/stacktrace.c:156\n dump_backtrace arch/arm64/kernel/stacktrace.c:162 [inline]\n show_stack+0x18/0x40 arch/arm64/kernel/stacktrace.c:163\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x68/0x84 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:284 [inline]\n print_report+0x1a8/0x4a0 mm/kasan/report.c:395\n kasan_report+0x94/0xb4 mm/kasan/report.c:495\n __do_kernel_fault+0x164/0x1e0 arch/arm64/mm/fault.c:320\n do_bad_area arch/arm64/mm/fault.c:473 [inline]\n do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:749\n do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:825\n el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:367\n el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:427\n el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:576\n hlist_add_head include/linux/list.h:929 [inline]\n enqueue_timer+0x18/0xa4 kernel/time/timer.c:605\n mod_timer+0x14/0x20 kernel/time/timer.c:1161\n mrp_periodic_timer_arm net/802/mrp.c:614 [inline]\n mrp_periodic_timer+0xa0/0xc0 net/802/mrp.c:627\n call_timer_fn.constprop.0+0x24/0x80 kernel/time/timer.c:1474\n expire_timers+0x98/0xc4 kernel/time/timer.c:1519\n\nTo fix it, we can introduce a new active flags to make sure the timer will\nnot restart."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:03:54.183Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/98f53e591940e4c3818be358c5dc684d5b30cb56"
        },
        {
          "url": "https://git.kernel.org/stable/c/aacffc1a8dbf67c5463cb4f67b37143c01ca6fa9"
        },
        {
          "url": "https://git.kernel.org/stable/c/78d48bc41f7726113c9f114268d3ab11212814da"
        },
        {
          "url": "https://git.kernel.org/stable/c/aadb1507a77b060c529edfeaf67f803e31461f24"
        },
        {
          "url": "https://git.kernel.org/stable/c/755eb0879224ffc2a43de724554aeaf0e51e5a64"
        },
        {
          "url": "https://git.kernel.org/stable/c/5d5a481a7fd0234f617535dc464ea010804a1129"
        },
        {
          "url": "https://git.kernel.org/stable/c/1a185fe83c2a60c1e3596fb9d82dbeb148dc09c6"
        },
        {
          "url": "https://git.kernel.org/stable/c/563e45fd5046045cc194af3ba17f5423e1c98170"
        },
        {
          "url": "https://git.kernel.org/stable/c/ab0377803dafc58f1e22296708c1c28e309414d6"
        }
      ],
      "title": "mrp: introduce active flags to prevent UAF when applicant uninit",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50697",
    "datePublished": "2025-12-24T10:55:13.762Z",
    "dateReserved": "2025-12-24T10:53:15.517Z",
    "dateUpdated": "2026-01-02T15:03:54.183Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.