Action not permitted
Modal body text goes here.
Modal Title
Modal Body
wid-sec-w-2025-0649
Vulnerability from csaf_certbund
Published
2025-03-27 23:00
Modified
2025-06-25 22:00
Summary
Linux Kernel: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Der Kernel stellt den Kern des Linux Betriebssystems dar.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuführen oder nicht spezifizierte Effekte zu erzielen.
Betroffene Betriebssysteme
- Linux
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren oder nicht spezifizierte Effekte zu erzielen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-0649 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-0649.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-0649 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-0649"
},
{
"category": "external",
"summary": "Kernel CVE Announce Mailingliste",
"url": "https://lore.kernel.org/linux-cve-announce/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2021-4454",
"url": "https://lore.kernel.org/linux-cve-announce/2025032716-CVE-2021-4454-f4a4@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-49738",
"url": "https://lore.kernel.org/linux-cve-announce/2025032756-CVE-2022-49738-c2ef@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-49739",
"url": "https://lore.kernel.org/linux-cve-announce/2025032756-CVE-2022-49739-a93e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-49740",
"url": "https://lore.kernel.org/linux-cve-announce/2025032757-CVE-2022-49740-7f6e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-49741",
"url": "https://lore.kernel.org/linux-cve-announce/2025032757-CVE-2022-49741-65a7@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-49742",
"url": "https://lore.kernel.org/linux-cve-announce/2025032757-CVE-2022-49742-e3d5@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-49743",
"url": "https://lore.kernel.org/linux-cve-announce/2025032758-CVE-2022-49743-a049@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-49744",
"url": "https://lore.kernel.org/linux-cve-announce/2025032758-CVE-2022-49744-8c5a@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-49745",
"url": "https://lore.kernel.org/linux-cve-announce/2025032758-CVE-2022-49745-903a@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-49746",
"url": "https://lore.kernel.org/linux-cve-announce/2025032758-CVE-2022-49746-251b@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-49747",
"url": "https://lore.kernel.org/linux-cve-announce/2025032759-CVE-2022-49747-f361@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-49748",
"url": "https://lore.kernel.org/linux-cve-announce/2025032759-CVE-2022-49748-4658@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-49749",
"url": "https://lore.kernel.org/linux-cve-announce/2025032759-CVE-2022-49749-ed85@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-49750",
"url": "https://lore.kernel.org/linux-cve-announce/2025032700-CVE-2022-49750-743d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-49751",
"url": "https://lore.kernel.org/linux-cve-announce/2025032700-CVE-2022-49751-bf8f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-49752",
"url": "https://lore.kernel.org/linux-cve-announce/2025032700-CVE-2022-49752-19a3@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-49753",
"url": "https://lore.kernel.org/linux-cve-announce/2025032701-CVE-2022-49753-d1ce@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-49754",
"url": "https://lore.kernel.org/linux-cve-announce/2025032701-CVE-2022-49754-cc36@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-49755",
"url": "https://lore.kernel.org/linux-cve-announce/2025032701-CVE-2022-49755-dfb6@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-49756",
"url": "https://lore.kernel.org/linux-cve-announce/2025032701-CVE-2022-49756-7fd9@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-49757",
"url": "https://lore.kernel.org/linux-cve-announce/2025032702-CVE-2022-49757-a990@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-49758",
"url": "https://lore.kernel.org/linux-cve-announce/2025032702-CVE-2022-49758-10e5@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-49759",
"url": "https://lore.kernel.org/linux-cve-announce/2025032702-CVE-2022-49759-5392@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-49760",
"url": "https://lore.kernel.org/linux-cve-announce/2025032703-CVE-2022-49760-97be@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2022-49761",
"url": "https://lore.kernel.org/linux-cve-announce/2025032703-CVE-2022-49761-9b1e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52928",
"url": "https://lore.kernel.org/linux-cve-announce/2025032718-CVE-2023-52928-e380@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52929",
"url": "https://lore.kernel.org/linux-cve-announce/2025032719-CVE-2023-52929-7900@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52930",
"url": "https://lore.kernel.org/linux-cve-announce/2025032719-CVE-2023-52930-4bbc@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52931",
"url": "https://lore.kernel.org/linux-cve-announce/2025032719-CVE-2023-52931-593f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52932",
"url": "https://lore.kernel.org/linux-cve-announce/2025032720-CVE-2023-52932-434b@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52933",
"url": "https://lore.kernel.org/linux-cve-announce/2025032720-CVE-2023-52933-f292@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52934",
"url": "https://lore.kernel.org/linux-cve-announce/2025032720-CVE-2023-52934-bd3c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52935",
"url": "https://lore.kernel.org/linux-cve-announce/2025032720-CVE-2023-52935-1c3c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52936",
"url": "https://lore.kernel.org/linux-cve-announce/2025032721-CVE-2023-52936-d459@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52937",
"url": "https://lore.kernel.org/linux-cve-announce/2025032721-CVE-2023-52937-605d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52938",
"url": "https://lore.kernel.org/linux-cve-announce/2025032721-CVE-2023-52938-ee34@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52939",
"url": "https://lore.kernel.org/linux-cve-announce/2025032722-CVE-2023-52939-8bb1@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52940",
"url": "https://lore.kernel.org/linux-cve-announce/2025032722-CVE-2023-52940-2e53@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52941",
"url": "https://lore.kernel.org/linux-cve-announce/2025032722-CVE-2023-52941-7c12@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52942",
"url": "https://lore.kernel.org/linux-cve-announce/2025032723-CVE-2023-52942-6a3c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52973",
"url": "https://lore.kernel.org/linux-cve-announce/2025032703-CVE-2023-52973-a993@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52974",
"url": "https://lore.kernel.org/linux-cve-announce/2025032704-CVE-2023-52974-0aa2@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52975",
"url": "https://lore.kernel.org/linux-cve-announce/2025032704-CVE-2023-52975-155c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52976",
"url": "https://lore.kernel.org/linux-cve-announce/2025032704-CVE-2023-52976-eda3@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52977",
"url": "https://lore.kernel.org/linux-cve-announce/2025032704-CVE-2023-52977-f91d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52978",
"url": "https://lore.kernel.org/linux-cve-announce/2025032705-CVE-2023-52978-6a05@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52979",
"url": "https://lore.kernel.org/linux-cve-announce/2025032705-CVE-2023-52979-ca3f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52980",
"url": "https://lore.kernel.org/linux-cve-announce/2025032705-CVE-2023-52980-0fea@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52981",
"url": "https://lore.kernel.org/linux-cve-announce/2025032706-CVE-2023-52981-070c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52982",
"url": "https://lore.kernel.org/linux-cve-announce/2025032706-CVE-2023-52982-7291@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52983",
"url": "https://lore.kernel.org/linux-cve-announce/2025032706-CVE-2023-52983-4a16@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52984",
"url": "https://lore.kernel.org/linux-cve-announce/2025032707-CVE-2023-52984-19ad@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52985",
"url": "https://lore.kernel.org/linux-cve-announce/2025032707-CVE-2023-52985-3f52@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52986",
"url": "https://lore.kernel.org/linux-cve-announce/2025032707-CVE-2023-52986-91fe@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52987",
"url": "https://lore.kernel.org/linux-cve-announce/2025032707-CVE-2023-52987-bcc0@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52988",
"url": "https://lore.kernel.org/linux-cve-announce/2025032708-CVE-2023-52988-5520@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52989",
"url": "https://lore.kernel.org/linux-cve-announce/2025032708-CVE-2023-52989-1b68@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52990",
"url": "https://lore.kernel.org/linux-cve-announce/2025032708-CVE-2023-52990-befd@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52991",
"url": "https://lore.kernel.org/linux-cve-announce/2025032709-CVE-2023-52991-6358@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52992",
"url": "https://lore.kernel.org/linux-cve-announce/2025032709-CVE-2023-52992-bf46@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52993",
"url": "https://lore.kernel.org/linux-cve-announce/2025032709-CVE-2023-52993-3697@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52994",
"url": "https://lore.kernel.org/linux-cve-announce/2025032710-CVE-2023-52994-5336@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52995",
"url": "https://lore.kernel.org/linux-cve-announce/2025032710-CVE-2023-52995-c28f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52996",
"url": "https://lore.kernel.org/linux-cve-announce/2025032710-CVE-2023-52996-7c1f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52997",
"url": "https://lore.kernel.org/linux-cve-announce/2025032710-CVE-2023-52997-dbca@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52998",
"url": "https://lore.kernel.org/linux-cve-announce/2025032711-CVE-2023-52998-0671@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-52999",
"url": "https://lore.kernel.org/linux-cve-announce/2025032711-CVE-2023-52999-e28e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53000",
"url": "https://lore.kernel.org/linux-cve-announce/2025032711-CVE-2023-53000-fded@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53001",
"url": "https://lore.kernel.org/linux-cve-announce/2025032712-CVE-2023-53001-f28f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53002",
"url": "https://lore.kernel.org/linux-cve-announce/2025032712-CVE-2023-53002-1f76@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53003",
"url": "https://lore.kernel.org/linux-cve-announce/2025032712-CVE-2023-53003-8256@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53004",
"url": "https://lore.kernel.org/linux-cve-announce/2025032713-CVE-2023-53004-e58b@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53005",
"url": "https://lore.kernel.org/linux-cve-announce/2025032713-CVE-2023-53005-9bf0@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53006",
"url": "https://lore.kernel.org/linux-cve-announce/2025032713-CVE-2023-53006-209f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53007",
"url": "https://lore.kernel.org/linux-cve-announce/2025032713-CVE-2023-53007-6ed4@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53008",
"url": "https://lore.kernel.org/linux-cve-announce/2025032714-CVE-2023-53008-415c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53009",
"url": "https://lore.kernel.org/linux-cve-announce/2025032714-CVE-2023-53009-82cd@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53010",
"url": "https://lore.kernel.org/linux-cve-announce/2025032714-CVE-2023-53010-56af@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53011",
"url": "https://lore.kernel.org/linux-cve-announce/2025032715-CVE-2023-53011-6f98@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53012",
"url": "https://lore.kernel.org/linux-cve-announce/2025032715-CVE-2023-53012-597c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53013",
"url": "https://lore.kernel.org/linux-cve-announce/2025032715-CVE-2023-53013-58dc@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53014",
"url": "https://lore.kernel.org/linux-cve-announce/2025032716-CVE-2023-53014-700f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53015",
"url": "https://lore.kernel.org/linux-cve-announce/2025032716-CVE-2023-53015-f139@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53016",
"url": "https://lore.kernel.org/linux-cve-announce/2025032716-CVE-2023-53016-f30c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53017",
"url": "https://lore.kernel.org/linux-cve-announce/2025032716-CVE-2023-53017-8dd9@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53018",
"url": "https://lore.kernel.org/linux-cve-announce/2025032717-CVE-2023-53018-c89c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53019",
"url": "https://lore.kernel.org/linux-cve-announce/2025032717-CVE-2023-53019-441a@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53020",
"url": "https://lore.kernel.org/linux-cve-announce/2025032717-CVE-2023-53020-1042@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53021",
"url": "https://lore.kernel.org/linux-cve-announce/2025032718-CVE-2023-53021-def9@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53022",
"url": "https://lore.kernel.org/linux-cve-announce/2025032718-CVE-2023-53022-b539@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53023",
"url": "https://lore.kernel.org/linux-cve-announce/2025032718-CVE-2023-53023-ef4e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53024",
"url": "https://lore.kernel.org/linux-cve-announce/2025032719-CVE-2023-53024-8d19@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53025",
"url": "https://lore.kernel.org/linux-cve-announce/2025032719-CVE-2023-53025-5662@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53026",
"url": "https://lore.kernel.org/linux-cve-announce/2025032719-CVE-2023-53026-0e24@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53027",
"url": "https://lore.kernel.org/linux-cve-announce/2025032719-CVE-2023-53027-dc56@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53028",
"url": "https://lore.kernel.org/linux-cve-announce/2025032720-CVE-2023-53028-8be6@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53029",
"url": "https://lore.kernel.org/linux-cve-announce/2025032720-CVE-2023-53029-a670@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53030",
"url": "https://lore.kernel.org/linux-cve-announce/2025032720-CVE-2023-53030-ba50@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53031",
"url": "https://lore.kernel.org/linux-cve-announce/2025032721-CVE-2023-53031-39cd@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53032",
"url": "https://lore.kernel.org/linux-cve-announce/2025032721-CVE-2023-53032-70ce@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2023-53033",
"url": "https://lore.kernel.org/linux-cve-announce/2025032721-CVE-2023-53033-9089@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2024-58090",
"url": "https://lore.kernel.org/linux-cve-announce/2025032703-CVE-2024-58090-fddc@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2024-58091",
"url": "https://lore.kernel.org/linux-cve-announce/2025032709-CVE-2024-58091-a2a4@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-21867",
"url": "https://lore.kernel.org/linux-cve-announce/2025032732-CVE-2025-21867-3138@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-21868",
"url": "https://lore.kernel.org/linux-cve-announce/2025032734-CVE-2025-21868-ef4f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-21869",
"url": "https://lore.kernel.org/linux-cve-announce/2025032734-CVE-2025-21869-b4a7@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-21870",
"url": "https://lore.kernel.org/linux-cve-announce/2025032735-CVE-2025-21870-4c78@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-21871",
"url": "https://lore.kernel.org/linux-cve-announce/2025032735-CVE-2025-21871-bb8c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-21872",
"url": "https://lore.kernel.org/linux-cve-announce/2025032709-CVE-2025-21872-574e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-21873",
"url": "https://lore.kernel.org/linux-cve-announce/2025032709-CVE-2025-21873-311e@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-21874",
"url": "https://lore.kernel.org/linux-cve-announce/2025032710-CVE-2025-21874-d5d9@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-21875",
"url": "https://lore.kernel.org/linux-cve-announce/2025032710-CVE-2025-21875-8eca@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-21876",
"url": "https://lore.kernel.org/linux-cve-announce/2025032710-CVE-2025-21876-6c2f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-21877",
"url": "https://lore.kernel.org/linux-cve-announce/2025032711-CVE-2025-21877-de70@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-21878",
"url": "https://lore.kernel.org/linux-cve-announce/2025032711-CVE-2025-21878-3c82@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-21879",
"url": "https://lore.kernel.org/linux-cve-announce/2025032711-CVE-2025-21879-f338@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-21880",
"url": "https://lore.kernel.org/linux-cve-announce/2025032711-CVE-2025-21880-f716@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-21881",
"url": "https://lore.kernel.org/linux-cve-announce/2025032712-CVE-2025-21881-7a0f@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-21882",
"url": "https://lore.kernel.org/linux-cve-announce/2025032712-CVE-2025-21882-cc4d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-21883",
"url": "https://lore.kernel.org/linux-cve-announce/2025032712-CVE-2025-21883-8b73@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-21884",
"url": "https://lore.kernel.org/linux-cve-announce/2025032713-CVE-2025-21884-b70c@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-21885",
"url": "https://lore.kernel.org/linux-cve-announce/2025032713-CVE-2025-21885-be9d@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-21886",
"url": "https://lore.kernel.org/linux-cve-announce/2025032713-CVE-2025-21886-9ca3@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-21887",
"url": "https://lore.kernel.org/linux-cve-announce/2025032714-CVE-2025-21887-48e8@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-21888",
"url": "https://lore.kernel.org/linux-cve-announce/2025032714-CVE-2025-21888-0f83@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-21889",
"url": "https://lore.kernel.org/linux-cve-announce/2025032714-CVE-2025-21889-0913@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-21890",
"url": "https://lore.kernel.org/linux-cve-announce/2025032714-CVE-2025-21890-f286@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-21891",
"url": "https://lore.kernel.org/linux-cve-announce/2025032715-CVE-2025-21891-8717@gregkh/"
},
{
"category": "external",
"summary": "Linux Kernel CVE Announcement CVE-2025-21892",
"url": "https://lore.kernel.org/linux-cve-announce/2025032715-CVE-2025-21892-12a2@gregkh/"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:1176-1 vom 2025-04-08",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-April/020671.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:1178-1 vom 2025-04-08",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-April/020674.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:1177-1 vom 2025-04-08",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-April/020670.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:1180-1 vom 2025-04-09",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/DGJ23MSZWYIA7MJ47RNVV6T27Z324VKA/"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:1183-1 vom 2025-04-09",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-April/020678.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:1195-1 vom 2025-04-10",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-April/020680.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:1194-1 vom 2025-04-10",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-April/020681.html"
},
{
"category": "external",
"summary": "Debian Security Advisory DSA-5900 vom 2025-04-12",
"url": "https://lists.debian.org/debian-security-announce/2025/msg00062.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:1241-1 vom 2025-04-14",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-April/020694.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:1263-1 vom 2025-04-15",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/Q4U3LRNKLFTX56NC6NKHFDU35E5WDD75/"
},
{
"category": "external",
"summary": "Container-Optimized OS release notes vom 2025-04-16",
"url": "https://cloud.google.com/container-optimized-os/docs/release-notes#April_14_2025"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:1293-1 vom 2025-04-16",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-April/020712.html"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALASKERNEL-5.10-2025-090 vom 2025-04-29",
"url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2025-090.html"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALAS-2025-1975 vom 2025-04-30",
"url": "https://alas.aws.amazon.com/ALAS-2025-1975.html"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALASKERNEL-5.4-2025-100 vom 2025-04-29",
"url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2025-100.html"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALASKERNEL-5.10-2025-089 vom 2025-04-29",
"url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2025-089.html"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALAS-2025-2834 vom 2025-04-30",
"url": "https://alas.aws.amazon.com/AL2/ALAS-2025-2834.html"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALAS-2025-2837 vom 2025-04-30",
"url": "https://alas.aws.amazon.com/AL2/ALAS-2025-2837.html"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7514-1 vom 2025-05-16",
"url": "https://ubuntu.com/security/notices/USN-7514-1"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7516-1 vom 2025-05-16",
"url": "https://ubuntu.com/security/notices/USN-7516-1"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7510-1 vom 2025-05-16",
"url": "https://ubuntu.com/security/notices/USN-7510-1"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:1574-1 vom 2025-05-16",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-May/020835.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:1573-1 vom 2025-05-16",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-May/020836.html"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7512-1 vom 2025-05-16",
"url": "https://ubuntu.com/security/notices/USN-7512-1"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7511-1 vom 2025-05-16",
"url": "https://ubuntu.com/security/notices/USN-7511-1"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7510-2 vom 2025-05-16",
"url": "https://ubuntu.com/security/notices/USN-7510-2"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7516-2 vom 2025-05-16",
"url": "https://ubuntu.com/security/notices/USN-7511-2"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7517-1 vom 2025-05-16",
"url": "https://ubuntu.com/security/notices/USN-7517-1"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7518-1 vom 2025-05-20",
"url": "https://ubuntu.com/security/notices/USN-7518-1"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7510-3 vom 2025-05-20",
"url": "https://ubuntu.com/security/notices/USN-7510-3"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7510-4 vom 2025-05-20",
"url": "https://ubuntu.com/security/notices/USN-7510-4"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7521-1 vom 2025-05-20",
"url": "https://ubuntu.com/security/notices/USN-7521-1"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:01600-1 vom 2025-05-20",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-May/020854.html"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7522-1 vom 2025-05-20",
"url": "https://ubuntu.com/security/notices/USN-7522-1"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7516-3 vom 2025-05-20",
"url": "https://ubuntu.com/security/notices/USN-7516-3"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7511-3 vom 2025-05-20",
"url": "https://ubuntu.com/security/notices/USN-7511-3"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7510-5 vom 2025-05-20",
"url": "https://ubuntu.com/security/notices/USN-7510-5"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:01627-1 vom 2025-05-21",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-May/020866.html"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7516-4 vom 2025-05-21",
"url": "https://ubuntu.com/security/notices/USN-7516-4"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7517-2 vom 2025-05-21",
"url": "https://ubuntu.com/security/notices/USN-7517-2"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:01640-1 vom 2025-05-21",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-May/020861.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:01633-1 vom 2025-05-21",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-May/020864.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:01620-1 vom 2025-05-21",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-May/020867.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:01614-1 vom 2025-05-21",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-May/020870.html"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7516-5 vom 2025-05-23",
"url": "https://ubuntu.com/security/notices/USN-7516-5"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7521-2 vom 2025-05-22",
"url": "https://ubuntu.com/security/notices/USN-7521-2"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7517-3 vom 2025-05-26",
"url": "https://ubuntu.com/security/notices/USN-7517-3"
},
{
"category": "external",
"summary": "Debian Security Advisory DLA-4178 vom 2025-05-26",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7516-6 vom 2025-05-26",
"url": "https://ubuntu.com/security/notices/USN-7516-6"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:01707-1 vom 2025-05-26",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-May/020902.html"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7510-6 vom 2025-05-27",
"url": "https://ubuntu.com/security/notices/USN-7510-6"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7510-7 vom 2025-05-28",
"url": "https://ubuntu.com/security/notices/USN-7510-7"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7540-1 vom 2025-05-28",
"url": "https://ubuntu.com/security/notices/USN-7540-1"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7521-3 vom 2025-05-28",
"url": "https://ubuntu.com/security/notices/USN-7521-3"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7539-1 vom 2025-05-28",
"url": "https://ubuntu.com/security/notices/USN-7539-1"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:20343-1 vom 2025-05-29",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-May/020965.html"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7510-8 vom 2025-05-29",
"url": "https://ubuntu.com/security/notices/USN-7510-8"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:20344-1 vom 2025-05-29",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-May/020964.html"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7516-9 vom 2025-05-29",
"url": "https://ubuntu.com/security/notices/USN-7516-9"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7516-8 vom 2025-05-29",
"url": "https://ubuntu.com/security/notices/USN-7516-8"
},
{
"category": "external",
"summary": "Debian Security Advisory DLA-4193 vom 2025-05-30",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7516-7 vom 2025-05-29",
"url": "https://ubuntu.com/security/notices/USN-7516-7"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:20354-1 vom 2025-06-02",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021016.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:20355-1 vom 2025-06-02",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021015.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:20283-1 vom 2025-06-04",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021049.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:20270-1 vom 2025-06-04",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021056.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:20260-1 vom 2025-06-04",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021058.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:20206-1 vom 2025-06-04",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021137.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:20192-1 vom 2025-06-04",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021150.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:20190-1 vom 2025-06-04",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021154.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:01919-1 vom 2025-06-12",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021477.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:01918-1 vom 2025-06-12",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021478.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:01951-1 vom 2025-06-13",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021509.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:9079 vom 2025-06-16",
"url": "https://access.redhat.com/errata/RHSA-2025:9079"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:01967-1 vom 2025-06-16",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021533.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:01964-1 vom 2025-06-16",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021531.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:01983-1 vom 2025-06-17",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021538.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:20413-1 vom 2025-06-17",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021547.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:20421-1 vom 2025-06-20",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021590.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:9302 vom 2025-06-23",
"url": "https://access.redhat.com/errata/RHSA-2025:9302"
},
{
"category": "external",
"summary": "Amazon Linux Security Advisory ALASKERNEL-5.4-2025-103 vom 2025-06-24",
"url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2025-103.html"
},
{
"category": "external",
"summary": "Ubuntu Security Notice USN-7593-1 vom 2025-06-24",
"url": "https://ubuntu.com/security/notices/USN-7593-1"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-9302 vom 2025-06-24",
"url": "https://linux.oracle.com/errata/ELSA-2025-9302.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2025:02099-1 vom 2025-06-25",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021644.html"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-9580 vom 2025-06-26",
"url": "https://linux.oracle.com/errata/ELSA-2025-9580.html"
}
],
"source_lang": "en-US",
"title": "Linux Kernel: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-06-25T22:00:00.000+00:00",
"generator": {
"date": "2025-06-26T06:56:20.982+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.12"
}
},
"id": "WID-SEC-W-2025-0649",
"initial_release_date": "2025-03-27T23:00:00.000+00:00",
"revision_history": [
{
"date": "2025-03-27T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2025-04-08T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-04-09T22:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-04-10T22:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-04-13T22:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von Debian aufgenommen"
},
{
"date": "2025-04-14T22:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-04-15T22:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-04-29T22:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von Amazon aufgenommen"
},
{
"date": "2025-05-01T22:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates von Amazon aufgenommen"
},
{
"date": "2025-05-18T22:00:00.000+00:00",
"number": "10",
"summary": "Neue Updates von Ubuntu und SUSE aufgenommen"
},
{
"date": "2025-05-19T22:00:00.000+00:00",
"number": "11",
"summary": "Neue Updates von Ubuntu aufgenommen"
},
{
"date": "2025-05-20T22:00:00.000+00:00",
"number": "12",
"summary": "Neue Updates von Ubuntu und SUSE aufgenommen"
},
{
"date": "2025-05-21T22:00:00.000+00:00",
"number": "13",
"summary": "Neue Updates von SUSE und Ubuntu aufgenommen"
},
{
"date": "2025-05-22T22:00:00.000+00:00",
"number": "14",
"summary": "Neue Updates von Ubuntu aufgenommen"
},
{
"date": "2025-05-26T22:00:00.000+00:00",
"number": "15",
"summary": "Neue Updates von Ubuntu, Debian und SUSE aufgenommen"
},
{
"date": "2025-05-27T22:00:00.000+00:00",
"number": "16",
"summary": "Neue Updates von Ubuntu aufgenommen"
},
{
"date": "2025-05-29T22:00:00.000+00:00",
"number": "17",
"summary": "Neue Updates von SUSE, Ubuntu und Debian aufgenommen"
},
{
"date": "2025-06-02T22:00:00.000+00:00",
"number": "18",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-06-03T22:00:00.000+00:00",
"number": "19",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-06-11T22:00:00.000+00:00",
"number": "20",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-06-15T22:00:00.000+00:00",
"number": "21",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-06-16T22:00:00.000+00:00",
"number": "22",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-06-17T22:00:00.000+00:00",
"number": "23",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-06-19T22:00:00.000+00:00",
"number": "24",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-06-22T22:00:00.000+00:00",
"number": "25",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-06-23T22:00:00.000+00:00",
"number": "26",
"summary": "Neue Updates von Amazon und Ubuntu aufgenommen"
},
{
"date": "2025-06-24T22:00:00.000+00:00",
"number": "27",
"summary": "Neue Updates von SUSE aufgenommen"
},
{
"date": "2025-06-25T22:00:00.000+00:00",
"number": "28",
"summary": "Neue Updates von Oracle Linux aufgenommen"
}
],
"status": "final",
"version": "28"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Amazon Linux 2",
"product": {
"name": "Amazon Linux 2",
"product_id": "398363",
"product_identification_helper": {
"cpe": "cpe:/o:amazon:linux_2:-"
}
}
}
],
"category": "vendor",
"name": "Amazon"
},
{
"branches": [
{
"category": "product_name",
"name": "Debian Linux",
"product": {
"name": "Debian Linux",
"product_id": "2951",
"product_identification_helper": {
"cpe": "cpe:/o:debian:debian_linux:-"
}
}
}
],
"category": "vendor",
"name": "Debian"
},
{
"branches": [
{
"category": "product_name",
"name": "Google Container-Optimized OS",
"product": {
"name": "Google Container-Optimized OS",
"product_id": "1607324",
"product_identification_helper": {
"cpe": "cpe:/o:google:container-optimized_os:-"
}
}
}
],
"category": "vendor",
"name": "Google"
},
{
"branches": [
{
"category": "product_name",
"name": "Open Source Linux Kernel",
"product": {
"name": "Open Source Linux Kernel",
"product_id": "T042207",
"product_identification_helper": {
"cpe": "cpe:/o:linux:linux_kernel:-"
}
}
}
],
"category": "vendor",
"name": "Open Source"
},
{
"branches": [
{
"category": "product_name",
"name": "Oracle Linux",
"product": {
"name": "Oracle Linux",
"product_id": "T004914",
"product_identification_helper": {
"cpe": "cpe:/o:oracle:linux:-"
}
}
}
],
"category": "vendor",
"name": "Oracle"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
}
],
"category": "vendor",
"name": "Red Hat"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
},
{
"branches": [
{
"category": "product_name",
"name": "Ubuntu Linux",
"product": {
"name": "Ubuntu Linux",
"product_id": "T000126",
"product_identification_helper": {
"cpe": "cpe:/o:canonical:ubuntu_linux:-"
}
}
}
],
"category": "vendor",
"name": "Ubuntu"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-4454",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2021-4454"
},
{
"cve": "CVE-2022-49738",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2022-49738"
},
{
"cve": "CVE-2022-49739",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2022-49739"
},
{
"cve": "CVE-2022-49740",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2022-49740"
},
{
"cve": "CVE-2022-49741",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2022-49741"
},
{
"cve": "CVE-2022-49742",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2022-49742"
},
{
"cve": "CVE-2022-49743",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2022-49743"
},
{
"cve": "CVE-2022-49744",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2022-49744"
},
{
"cve": "CVE-2022-49745",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2022-49745"
},
{
"cve": "CVE-2022-49746",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2022-49746"
},
{
"cve": "CVE-2022-49747",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2022-49747"
},
{
"cve": "CVE-2022-49748",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2022-49748"
},
{
"cve": "CVE-2022-49749",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2022-49749"
},
{
"cve": "CVE-2022-49750",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2022-49750"
},
{
"cve": "CVE-2022-49751",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2022-49751"
},
{
"cve": "CVE-2022-49752",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2022-49752"
},
{
"cve": "CVE-2022-49753",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2022-49753"
},
{
"cve": "CVE-2022-49754",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2022-49754"
},
{
"cve": "CVE-2022-49755",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2022-49755"
},
{
"cve": "CVE-2022-49756",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2022-49756"
},
{
"cve": "CVE-2022-49757",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2022-49757"
},
{
"cve": "CVE-2022-49758",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2022-49758"
},
{
"cve": "CVE-2022-49759",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2022-49759"
},
{
"cve": "CVE-2022-49760",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2022-49760"
},
{
"cve": "CVE-2022-49761",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2022-49761"
},
{
"cve": "CVE-2023-0179",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-0179"
},
{
"cve": "CVE-2023-52928",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52928"
},
{
"cve": "CVE-2023-52929",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52929"
},
{
"cve": "CVE-2023-52930",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52930"
},
{
"cve": "CVE-2023-52931",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52931"
},
{
"cve": "CVE-2023-52932",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52932"
},
{
"cve": "CVE-2023-52933",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52933"
},
{
"cve": "CVE-2023-52934",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52934"
},
{
"cve": "CVE-2023-52935",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52935"
},
{
"cve": "CVE-2023-52936",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52936"
},
{
"cve": "CVE-2023-52937",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52937"
},
{
"cve": "CVE-2023-52938",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52938"
},
{
"cve": "CVE-2023-52939",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52939"
},
{
"cve": "CVE-2023-52940",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52940"
},
{
"cve": "CVE-2023-52941",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52941"
},
{
"cve": "CVE-2023-52942",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52942"
},
{
"cve": "CVE-2023-52973",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52973"
},
{
"cve": "CVE-2023-52974",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52974"
},
{
"cve": "CVE-2023-52975",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52975"
},
{
"cve": "CVE-2023-52976",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52976"
},
{
"cve": "CVE-2023-52977",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52977"
},
{
"cve": "CVE-2023-52978",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52978"
},
{
"cve": "CVE-2023-52979",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52979"
},
{
"cve": "CVE-2023-52980",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52980"
},
{
"cve": "CVE-2023-52981",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52981"
},
{
"cve": "CVE-2023-52982",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52982"
},
{
"cve": "CVE-2023-52983",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52983"
},
{
"cve": "CVE-2023-52984",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52984"
},
{
"cve": "CVE-2023-52985",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52985"
},
{
"cve": "CVE-2023-52986",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52986"
},
{
"cve": "CVE-2023-52987",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52987"
},
{
"cve": "CVE-2023-52988",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52988"
},
{
"cve": "CVE-2023-52989",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52989"
},
{
"cve": "CVE-2023-52990",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52990"
},
{
"cve": "CVE-2023-52991",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52991"
},
{
"cve": "CVE-2023-52992",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52992"
},
{
"cve": "CVE-2023-52993",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52993"
},
{
"cve": "CVE-2023-52994",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52994"
},
{
"cve": "CVE-2023-52995",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52995"
},
{
"cve": "CVE-2023-52996",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52996"
},
{
"cve": "CVE-2023-52997",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52997"
},
{
"cve": "CVE-2023-52998",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52998"
},
{
"cve": "CVE-2023-52999",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-52999"
},
{
"cve": "CVE-2023-53000",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53000"
},
{
"cve": "CVE-2023-53001",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53001"
},
{
"cve": "CVE-2023-53002",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53002"
},
{
"cve": "CVE-2023-53003",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53003"
},
{
"cve": "CVE-2023-53004",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53004"
},
{
"cve": "CVE-2023-53005",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53005"
},
{
"cve": "CVE-2023-53006",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53006"
},
{
"cve": "CVE-2023-53007",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53007"
},
{
"cve": "CVE-2023-53008",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53008"
},
{
"cve": "CVE-2023-53009",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53009"
},
{
"cve": "CVE-2023-53010",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53010"
},
{
"cve": "CVE-2023-53011",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53011"
},
{
"cve": "CVE-2023-53012",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53012"
},
{
"cve": "CVE-2023-53013",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53013"
},
{
"cve": "CVE-2023-53014",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53014"
},
{
"cve": "CVE-2023-53015",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53015"
},
{
"cve": "CVE-2023-53016",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53016"
},
{
"cve": "CVE-2023-53017",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53017"
},
{
"cve": "CVE-2023-53018",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53018"
},
{
"cve": "CVE-2023-53019",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53019"
},
{
"cve": "CVE-2023-53020",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53020"
},
{
"cve": "CVE-2023-53021",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53021"
},
{
"cve": "CVE-2023-53022",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53022"
},
{
"cve": "CVE-2023-53023",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53023"
},
{
"cve": "CVE-2023-53024",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53024"
},
{
"cve": "CVE-2023-53025",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53025"
},
{
"cve": "CVE-2023-53026",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53026"
},
{
"cve": "CVE-2023-53027",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53027"
},
{
"cve": "CVE-2023-53028",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53028"
},
{
"cve": "CVE-2023-53029",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53029"
},
{
"cve": "CVE-2023-53030",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53030"
},
{
"cve": "CVE-2023-53031",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53031"
},
{
"cve": "CVE-2023-53032",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53032"
},
{
"cve": "CVE-2023-53033",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2023-53033"
},
{
"cve": "CVE-2024-58090",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2024-58090"
},
{
"cve": "CVE-2024-58091",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2024-58091"
},
{
"cve": "CVE-2025-21867",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2025-21867"
},
{
"cve": "CVE-2025-21868",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2025-21868"
},
{
"cve": "CVE-2025-21869",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2025-21869"
},
{
"cve": "CVE-2025-21870",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2025-21870"
},
{
"cve": "CVE-2025-21871",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2025-21871"
},
{
"cve": "CVE-2025-21872",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2025-21872"
},
{
"cve": "CVE-2025-21873",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2025-21873"
},
{
"cve": "CVE-2025-21874",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2025-21874"
},
{
"cve": "CVE-2025-21875",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2025-21875"
},
{
"cve": "CVE-2025-21876",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2025-21876"
},
{
"cve": "CVE-2025-21877",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2025-21877"
},
{
"cve": "CVE-2025-21878",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2025-21878"
},
{
"cve": "CVE-2025-21879",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2025-21879"
},
{
"cve": "CVE-2025-21880",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2025-21880"
},
{
"cve": "CVE-2025-21881",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2025-21881"
},
{
"cve": "CVE-2025-21882",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2025-21882"
},
{
"cve": "CVE-2025-21883",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2025-21883"
},
{
"cve": "CVE-2025-21884",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2025-21884"
},
{
"cve": "CVE-2025-21885",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2025-21885"
},
{
"cve": "CVE-2025-21886",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2025-21886"
},
{
"cve": "CVE-2025-21887",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2025-21887"
},
{
"cve": "CVE-2025-21888",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2025-21888"
},
{
"cve": "CVE-2025-21889",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2025-21889"
},
{
"cve": "CVE-2025-21890",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2025-21890"
},
{
"cve": "CVE-2025-21891",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2025-21891"
},
{
"cve": "CVE-2025-21892",
"product_status": {
"known_affected": [
"2951",
"T002207",
"67646",
"T000126",
"T042207",
"398363",
"T004914",
"1607324"
]
},
"release_date": "2025-03-27T23:00:00.000+00:00",
"title": "CVE-2025-21892"
}
]
}
CVE-2025-21877 (GCVE-0-2025-21877)
Vulnerability from cvelistv5
Published
2025-03-27 14:57
Modified
2025-05-04 07:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usbnet: gl620a: fix endpoint checking in genelink_bind()
Syzbot reports [1] a warning in usb_submit_urb() triggered by
inconsistencies between expected and actually present endpoints
in gl620a driver. Since genelink_bind() does not properly
verify whether specified eps are in fact provided by the device,
in this case, an artificially manufactured one, one may get a
mismatch.
Fix the issue by resorting to a usbnet utility function
usbnet_get_endpoints(), usually reserved for this very problem.
Check for endpoints and return early before proceeding further if
any are missing.
[1] Syzbot report:
usb 5-1: Manufacturer: syz
usb 5-1: SerialNumber: syz
usb 5-1: config 0 descriptor??
gl620a 5-1:0.23 usb0: register 'gl620a' at usb-dummy_hcd.0-1, ...
------------[ cut here ]------------
usb 5-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 2 PID: 1841 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503
Modules linked in:
CPU: 2 UID: 0 PID: 1841 Comm: kworker/2:2 Not tainted 6.12.0-syzkaller-07834-g06afb0f36106 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: mld mld_ifc_work
RIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503
...
Call Trace:
<TASK>
usbnet_start_xmit+0x6be/0x2780 drivers/net/usb/usbnet.c:1467
__netdev_start_xmit include/linux/netdevice.h:5002 [inline]
netdev_start_xmit include/linux/netdevice.h:5011 [inline]
xmit_one net/core/dev.c:3590 [inline]
dev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3606
sch_direct_xmit+0x1ae/0xc30 net/sched/sch_generic.c:343
__dev_xmit_skb net/core/dev.c:3827 [inline]
__dev_queue_xmit+0x13d4/0x43e0 net/core/dev.c:4400
dev_queue_xmit include/linux/netdevice.h:3168 [inline]
neigh_resolve_output net/core/neighbour.c:1514 [inline]
neigh_resolve_output+0x5bc/0x950 net/core/neighbour.c:1494
neigh_output include/net/neighbour.h:539 [inline]
ip6_finish_output2+0xb1b/0x2070 net/ipv6/ip6_output.c:141
__ip6_finish_output net/ipv6/ip6_output.c:215 [inline]
ip6_finish_output+0x3f9/0x1360 net/ipv6/ip6_output.c:226
NF_HOOK_COND include/linux/netfilter.h:303 [inline]
ip6_output+0x1f8/0x540 net/ipv6/ip6_output.c:247
dst_output include/net/dst.h:450 [inline]
NF_HOOK include/linux/netfilter.h:314 [inline]
NF_HOOK include/linux/netfilter.h:308 [inline]
mld_sendpack+0x9f0/0x11d0 net/ipv6/mcast.c:1819
mld_send_cr net/ipv6/mcast.c:2120 [inline]
mld_ifc_work+0x740/0xca0 net/ipv6/mcast.c:2651
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 47ee3051c856cc2aa95d35d577a8cb37279d540f Version: 47ee3051c856cc2aa95d35d577a8cb37279d540f Version: 47ee3051c856cc2aa95d35d577a8cb37279d540f Version: 47ee3051c856cc2aa95d35d577a8cb37279d540f Version: 47ee3051c856cc2aa95d35d577a8cb37279d540f Version: 47ee3051c856cc2aa95d35d577a8cb37279d540f Version: 47ee3051c856cc2aa95d35d577a8cb37279d540f Version: 47ee3051c856cc2aa95d35d577a8cb37279d540f |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/gl620a.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5f2dbabbce04b1ffcd6d8d07564adb94db577536",
"status": "affected",
"version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
"versionType": "git"
},
{
"lessThan": "24dd971104057c8828d420a48e0a5af6e6f30d3e",
"status": "affected",
"version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
"versionType": "git"
},
{
"lessThan": "9bcb8cbc3e5d67eb223bfb7e2291a270dbb699dc",
"status": "affected",
"version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
"versionType": "git"
},
{
"lessThan": "67ebc3391c8377738e97a43374054d9718fdb6e4",
"status": "affected",
"version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
"versionType": "git"
},
{
"lessThan": "a2ee5e55b50a97d13617c8653482c0ad4decff8c",
"status": "affected",
"version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
"versionType": "git"
},
{
"lessThan": "4e8b8d43373bf837be159366f0192502f97ec7a5",
"status": "affected",
"version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
"versionType": "git"
},
{
"lessThan": "ded25730c96949cb8b048b29c557e38569124943",
"status": "affected",
"version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
"versionType": "git"
},
{
"lessThan": "1cf9631d836b289bd5490776551961c883ae8a4f",
"status": "affected",
"version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/gl620a.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.14"
},
{
"lessThan": "2.6.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.130",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.81",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.18",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.6",
"versionStartIncluding": "2.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "2.6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: gl620a: fix endpoint checking in genelink_bind()\n\nSyzbot reports [1] a warning in usb_submit_urb() triggered by\ninconsistencies between expected and actually present endpoints\nin gl620a driver. Since genelink_bind() does not properly\nverify whether specified eps are in fact provided by the device,\nin this case, an artificially manufactured one, one may get a\nmismatch.\n\nFix the issue by resorting to a usbnet utility function\nusbnet_get_endpoints(), usually reserved for this very problem.\nCheck for endpoints and return early before proceeding further if\nany are missing.\n\n[1] Syzbot report:\nusb 5-1: Manufacturer: syz\nusb 5-1: SerialNumber: syz\nusb 5-1: config 0 descriptor??\ngl620a 5-1:0.23 usb0: register \u0027gl620a\u0027 at usb-dummy_hcd.0-1, ...\n------------[ cut here ]------------\nusb 5-1: BOGUS urb xfer, pipe 3 != type 1\nWARNING: CPU: 2 PID: 1841 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503\nModules linked in:\nCPU: 2 UID: 0 PID: 1841 Comm: kworker/2:2 Not tainted 6.12.0-syzkaller-07834-g06afb0f36106 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nWorkqueue: mld mld_ifc_work\nRIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503\n...\nCall Trace:\n \u003cTASK\u003e\n usbnet_start_xmit+0x6be/0x2780 drivers/net/usb/usbnet.c:1467\n __netdev_start_xmit include/linux/netdevice.h:5002 [inline]\n netdev_start_xmit include/linux/netdevice.h:5011 [inline]\n xmit_one net/core/dev.c:3590 [inline]\n dev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3606\n sch_direct_xmit+0x1ae/0xc30 net/sched/sch_generic.c:343\n __dev_xmit_skb net/core/dev.c:3827 [inline]\n __dev_queue_xmit+0x13d4/0x43e0 net/core/dev.c:4400\n dev_queue_xmit include/linux/netdevice.h:3168 [inline]\n neigh_resolve_output net/core/neighbour.c:1514 [inline]\n neigh_resolve_output+0x5bc/0x950 net/core/neighbour.c:1494\n neigh_output include/net/neighbour.h:539 [inline]\n ip6_finish_output2+0xb1b/0x2070 net/ipv6/ip6_output.c:141\n __ip6_finish_output net/ipv6/ip6_output.c:215 [inline]\n ip6_finish_output+0x3f9/0x1360 net/ipv6/ip6_output.c:226\n NF_HOOK_COND include/linux/netfilter.h:303 [inline]\n ip6_output+0x1f8/0x540 net/ipv6/ip6_output.c:247\n dst_output include/net/dst.h:450 [inline]\n NF_HOOK include/linux/netfilter.h:314 [inline]\n NF_HOOK include/linux/netfilter.h:308 [inline]\n mld_sendpack+0x9f0/0x11d0 net/ipv6/mcast.c:1819\n mld_send_cr net/ipv6/mcast.c:2120 [inline]\n mld_ifc_work+0x740/0xca0 net/ipv6/mcast.c:2651\n process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229\n process_scheduled_works kernel/workqueue.c:3310 [inline]\n worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391\n kthread+0x2c1/0x3a0 kernel/kthread.c:389\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:23:09.089Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5f2dbabbce04b1ffcd6d8d07564adb94db577536"
},
{
"url": "https://git.kernel.org/stable/c/24dd971104057c8828d420a48e0a5af6e6f30d3e"
},
{
"url": "https://git.kernel.org/stable/c/9bcb8cbc3e5d67eb223bfb7e2291a270dbb699dc"
},
{
"url": "https://git.kernel.org/stable/c/67ebc3391c8377738e97a43374054d9718fdb6e4"
},
{
"url": "https://git.kernel.org/stable/c/a2ee5e55b50a97d13617c8653482c0ad4decff8c"
},
{
"url": "https://git.kernel.org/stable/c/4e8b8d43373bf837be159366f0192502f97ec7a5"
},
{
"url": "https://git.kernel.org/stable/c/ded25730c96949cb8b048b29c557e38569124943"
},
{
"url": "https://git.kernel.org/stable/c/1cf9631d836b289bd5490776551961c883ae8a4f"
}
],
"title": "usbnet: gl620a: fix endpoint checking in genelink_bind()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21877",
"datePublished": "2025-03-27T14:57:07.462Z",
"dateReserved": "2024-12-29T08:45:45.781Z",
"dateUpdated": "2025-05-04T07:23:09.089Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52981 (GCVE-0-2023-52981)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915: Fix request ref counting during error capture & debugfs dump
When GuC support was added to error capture, the reference counting
around the request object was broken. Fix it up.
The context based search manages the spinlocking around the search
internally. So it needs to grab the reference count internally as
well. The execlist only request based search relies on external
locking, so it needs an external reference count but within the
spinlock not outside it.
The only other caller of the context based search is the code for
dumping engine state to debugfs. That code wasn't previously getting
an explicit reference at all as it does everything while holding the
execlist specific spinlock. So, that needs updaing as well as that
spinlock doesn't help when using GuC submission. Rather than trying to
conditionally get/put depending on submission model, just change it to
always do the get/put.
v2: Explicitly document adding an extra blank line in some dense code
(Andy Shevchenko). Fix multiple potential null pointer derefs in case
of no request found (some spotted by Tvrtko, but there was more!).
Also fix a leaked request in case of !started and another in
__guc_reset_context now that intel_context_find_active_request is
actually reference counting the returned request.
v3: Add a _get suffix to intel_context_find_active_request now that it
grabs a reference (Daniele).
v4: Split the intel_guc_find_hung_context change to a separate patch
and rename intel_context_find_active_request_get to
intel_context_get_active_request (Tvrtko).
v5: s/locking/reference counting/ in commit message (Tvrtko)
(cherry picked from commit 3700e353781e27f1bc7222f51f2cc36cbeb9b4ec)
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gt/intel_context.c",
"drivers/gpu/drm/i915/gt/intel_context.h",
"drivers/gpu/drm/i915/gt/intel_engine_cs.c",
"drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c",
"drivers/gpu/drm/i915/i915_gpu_error.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9467397f417dd7b5d0db91452f0474e79716a527",
"status": "affected",
"version": "573ba126aef37c8315e5bb68d2dad515efa96994",
"versionType": "git"
},
{
"lessThan": "86d8ddc74124c3fdfc139f246ba6da15e45e86e3",
"status": "affected",
"version": "573ba126aef37c8315e5bb68d2dad515efa96994",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gt/intel_context.c",
"drivers/gpu/drm/i915/gt/intel_context.h",
"drivers/gpu/drm/i915/gt/intel_engine_cs.c",
"drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c",
"drivers/gpu/drm/i915/i915_gpu_error.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Fix request ref counting during error capture \u0026 debugfs dump\n\nWhen GuC support was added to error capture, the reference counting\naround the request object was broken. Fix it up.\n\nThe context based search manages the spinlocking around the search\ninternally. So it needs to grab the reference count internally as\nwell. The execlist only request based search relies on external\nlocking, so it needs an external reference count but within the\nspinlock not outside it.\n\nThe only other caller of the context based search is the code for\ndumping engine state to debugfs. That code wasn\u0027t previously getting\nan explicit reference at all as it does everything while holding the\nexeclist specific spinlock. So, that needs updaing as well as that\nspinlock doesn\u0027t help when using GuC submission. Rather than trying to\nconditionally get/put depending on submission model, just change it to\nalways do the get/put.\n\nv2: Explicitly document adding an extra blank line in some dense code\n(Andy Shevchenko). Fix multiple potential null pointer derefs in case\nof no request found (some spotted by Tvrtko, but there was more!).\nAlso fix a leaked request in case of !started and another in\n__guc_reset_context now that intel_context_find_active_request is\nactually reference counting the returned request.\nv3: Add a _get suffix to intel_context_find_active_request now that it\ngrabs a reference (Daniele).\nv4: Split the intel_guc_find_hung_context change to a separate patch\nand rename intel_context_find_active_request_get to\nintel_context_get_active_request (Tvrtko).\nv5: s/locking/reference counting/ in commit message (Tvrtko)\n\n(cherry picked from commit 3700e353781e27f1bc7222f51f2cc36cbeb9b4ec)"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:46:46.399Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9467397f417dd7b5d0db91452f0474e79716a527"
},
{
"url": "https://git.kernel.org/stable/c/86d8ddc74124c3fdfc139f246ba6da15e45e86e3"
}
],
"title": "drm/i915: Fix request ref counting during error capture \u0026 debugfs dump",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52981",
"datePublished": "2025-03-27T16:43:20.111Z",
"dateReserved": "2025-03-27T16:40:15.740Z",
"dateUpdated": "2025-05-04T07:46:46.399Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52996 (GCVE-0-2023-52996)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv4: prevent potential spectre v1 gadget in fib_metrics_match()
if (!type)
continue;
if (type > RTAX_MAX)
return false;
...
fi_val = fi->fib_metrics->metrics[type - 1];
@type being used as an array index, we need to prevent
cpu speculation or risk leaking kernel memory content.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 5f9ae3d9e7e4ad6db0491abc7c4ae5452dbeadd8 Version: 5f9ae3d9e7e4ad6db0491abc7c4ae5452dbeadd8 Version: 5f9ae3d9e7e4ad6db0491abc7c4ae5452dbeadd8 Version: 5f9ae3d9e7e4ad6db0491abc7c4ae5452dbeadd8 Version: 5f9ae3d9e7e4ad6db0491abc7c4ae5452dbeadd8 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/fib_semantics.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8f0eb24f1a7a60ce635f0d757a46f1a37a4d467d",
"status": "affected",
"version": "5f9ae3d9e7e4ad6db0491abc7c4ae5452dbeadd8",
"versionType": "git"
},
{
"lessThan": "7f9828fb1f688210e681268490576f0ca65c322a",
"status": "affected",
"version": "5f9ae3d9e7e4ad6db0491abc7c4ae5452dbeadd8",
"versionType": "git"
},
{
"lessThan": "ca3cf947760de050d558293002ad3e7f4b8745d2",
"status": "affected",
"version": "5f9ae3d9e7e4ad6db0491abc7c4ae5452dbeadd8",
"versionType": "git"
},
{
"lessThan": "f9753ebd61be2d957b5504cbd3fd719674f05b7a",
"status": "affected",
"version": "5f9ae3d9e7e4ad6db0491abc7c4ae5452dbeadd8",
"versionType": "git"
},
{
"lessThan": "5e9398a26a92fc402d82ce1f97cc67d832527da0",
"status": "affected",
"version": "5f9ae3d9e7e4ad6db0491abc7c4ae5452dbeadd8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/fib_semantics.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: prevent potential spectre v1 gadget in fib_metrics_match()\n\nif (!type)\n continue;\n if (type \u003e RTAX_MAX)\n return false;\n ...\n fi_val = fi-\u003efib_metrics-\u003emetrics[type - 1];\n\n@type being used as an array index, we need to prevent\ncpu speculation or risk leaking kernel memory content."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:10.247Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8f0eb24f1a7a60ce635f0d757a46f1a37a4d467d"
},
{
"url": "https://git.kernel.org/stable/c/7f9828fb1f688210e681268490576f0ca65c322a"
},
{
"url": "https://git.kernel.org/stable/c/ca3cf947760de050d558293002ad3e7f4b8745d2"
},
{
"url": "https://git.kernel.org/stable/c/f9753ebd61be2d957b5504cbd3fd719674f05b7a"
},
{
"url": "https://git.kernel.org/stable/c/5e9398a26a92fc402d82ce1f97cc67d832527da0"
}
],
"title": "ipv4: prevent potential spectre v1 gadget in fib_metrics_match()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52996",
"datePublished": "2025-03-27T16:43:30.547Z",
"dateReserved": "2025-03-27T16:40:15.742Z",
"dateUpdated": "2025-05-04T07:47:10.247Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52940 (GCVE-0-2023-52940)
Vulnerability from cvelistv5
Published
2025-03-27 16:37
Modified
2025-05-04 07:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm: multi-gen LRU: fix crash during cgroup migration
lru_gen_migrate_mm() assumes lru_gen_add_mm() runs prior to itself. This
isn't true for the following scenario:
CPU 1 CPU 2
clone()
cgroup_can_fork()
cgroup_procs_write()
cgroup_post_fork()
task_lock()
lru_gen_migrate_mm()
task_unlock()
task_lock()
lru_gen_add_mm()
task_unlock()
And when the above happens, kernel crashes because of linked list
corruption (mm_struct->lru_gen.list).
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/vmscan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "04448022311cebd30969d3aebdde765f1258b360",
"status": "affected",
"version": "bd74fdaea146029e4fa12c6de89adbe0779348a9",
"versionType": "git"
},
{
"lessThan": "de08eaa6156405f2e9369f06ba5afae0e4ab3b62",
"status": "affected",
"version": "bd74fdaea146029e4fa12c6de89adbe0779348a9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/vmscan.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: multi-gen LRU: fix crash during cgroup migration\n\nlru_gen_migrate_mm() assumes lru_gen_add_mm() runs prior to itself. This\nisn\u0027t true for the following scenario:\n\n CPU 1 CPU 2\n\n clone()\n cgroup_can_fork()\n cgroup_procs_write()\n cgroup_post_fork()\n task_lock()\n lru_gen_migrate_mm()\n task_unlock()\n task_lock()\n lru_gen_add_mm()\n task_unlock()\n\nAnd when the above happens, kernel crashes because of linked list\ncorruption (mm_struct-\u003elru_gen.list)."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:46:26.824Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/04448022311cebd30969d3aebdde765f1258b360"
},
{
"url": "https://git.kernel.org/stable/c/de08eaa6156405f2e9369f06ba5afae0e4ab3b62"
}
],
"title": "mm: multi-gen LRU: fix crash during cgroup migration",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52940",
"datePublished": "2025-03-27T16:37:18.691Z",
"dateReserved": "2024-08-21T06:07:11.022Z",
"dateUpdated": "2025-05-04T07:46:26.824Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-4454 (GCVE-0-2021-4454)
Vulnerability from cvelistv5
Published
2025-03-27 16:37
Modified
2025-05-04 12:40
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate
The conclusion "j1939_session_deactivate() should be called with a
session ref-count of at least 2" is incorrect. In some concurrent
scenarios, j1939_session_deactivate can be called with the session
ref-count less than 2. But there is not any problem because it
will check the session active state before session putting in
j1939_session_deactivate_locked().
Here is the concurrent scenario of the problem reported by syzbot
and my reproduction log.
cpu0 cpu1
j1939_xtp_rx_eoma
j1939_xtp_rx_abort_one
j1939_session_get_by_addr [kref == 2]
j1939_session_get_by_addr [kref == 3]
j1939_session_deactivate [kref == 2]
j1939_session_put [kref == 1]
j1939_session_completed
j1939_session_deactivate
WARN_ON_ONCE(kref < 2)
=====================================================
WARNING: CPU: 1 PID: 21 at net/can/j1939/transport.c:1088 j1939_session_deactivate+0x5f/0x70
CPU: 1 PID: 21 Comm: ksoftirqd/1 Not tainted 5.14.0-rc7+ #32
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014
RIP: 0010:j1939_session_deactivate+0x5f/0x70
Call Trace:
j1939_session_deactivate_activate_next+0x11/0x28
j1939_xtp_rx_eoma+0x12a/0x180
j1939_tp_recv+0x4a2/0x510
j1939_can_recv+0x226/0x380
can_rcv_filter+0xf8/0x220
can_receive+0x102/0x220
? process_backlog+0xf0/0x2c0
can_rcv+0x53/0xf0
__netif_receive_skb_one_core+0x67/0x90
? process_backlog+0x97/0x2c0
__netif_receive_skb+0x22/0x80
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 7eef18c0479ba5d9f54fba30cd77c233ebca3eb1 Version: 55dd22c5d029423f513fd849e633adf0e9c10d0c Version: 0c71437dd50dd687c15d8ca80b3b68f10bb21d63 Version: 0c71437dd50dd687c15d8ca80b3b68f10bb21d63 Version: 0c71437dd50dd687c15d8ca80b3b68f10bb21d63 Version: 5e1fc537c1be332aef9621ca9146aeb3ba59522f |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/can/j1939/transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6950df42a03c9ac9290503ced3f371199cb68fa9",
"status": "affected",
"version": "7eef18c0479ba5d9f54fba30cd77c233ebca3eb1",
"versionType": "git"
},
{
"lessThan": "b6d44072117bba057d50f7a2f96e5d070c65926d",
"status": "affected",
"version": "55dd22c5d029423f513fd849e633adf0e9c10d0c",
"versionType": "git"
},
{
"lessThan": "9ab896775f98ff54b68512f345eed178bf961084",
"status": "affected",
"version": "0c71437dd50dd687c15d8ca80b3b68f10bb21d63",
"versionType": "git"
},
{
"lessThan": "1740a1e45eee65099a92fb502e1e67e63aad277d",
"status": "affected",
"version": "0c71437dd50dd687c15d8ca80b3b68f10bb21d63",
"versionType": "git"
},
{
"lessThan": "d0553680f94c49bbe0e39eb50d033ba563b4212d",
"status": "affected",
"version": "0c71437dd50dd687c15d8ca80b3b68f10bb21d63",
"versionType": "git"
},
{
"status": "affected",
"version": "5e1fc537c1be332aef9621ca9146aeb3ba59522f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/can/j1939/transport.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.232",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.232",
"versionStartIncluding": "5.4.138",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.168",
"versionStartIncluding": "5.10.56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.13.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate\n\nThe conclusion \"j1939_session_deactivate() should be called with a\nsession ref-count of at least 2\" is incorrect. In some concurrent\nscenarios, j1939_session_deactivate can be called with the session\nref-count less than 2. But there is not any problem because it\nwill check the session active state before session putting in\nj1939_session_deactivate_locked().\n\nHere is the concurrent scenario of the problem reported by syzbot\nand my reproduction log.\n\n cpu0 cpu1\n j1939_xtp_rx_eoma\nj1939_xtp_rx_abort_one\n j1939_session_get_by_addr [kref == 2]\nj1939_session_get_by_addr [kref == 3]\nj1939_session_deactivate [kref == 2]\nj1939_session_put [kref == 1]\n\t\t\t\tj1939_session_completed\n\t\t\t\tj1939_session_deactivate\n\t\t\t\tWARN_ON_ONCE(kref \u003c 2)\n\n=====================================================\nWARNING: CPU: 1 PID: 21 at net/can/j1939/transport.c:1088 j1939_session_deactivate+0x5f/0x70\nCPU: 1 PID: 21 Comm: ksoftirqd/1 Not tainted 5.14.0-rc7+ #32\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014\nRIP: 0010:j1939_session_deactivate+0x5f/0x70\nCall Trace:\n j1939_session_deactivate_activate_next+0x11/0x28\n j1939_xtp_rx_eoma+0x12a/0x180\n j1939_tp_recv+0x4a2/0x510\n j1939_can_recv+0x226/0x380\n can_rcv_filter+0xf8/0x220\n can_receive+0x102/0x220\n ? process_backlog+0xf0/0x2c0\n can_rcv+0x53/0xf0\n __netif_receive_skb_one_core+0x67/0x90\n ? process_backlog+0x97/0x2c0\n __netif_receive_skb+0x22/0x80"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:40:33.467Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6950df42a03c9ac9290503ced3f371199cb68fa9"
},
{
"url": "https://git.kernel.org/stable/c/b6d44072117bba057d50f7a2f96e5d070c65926d"
},
{
"url": "https://git.kernel.org/stable/c/9ab896775f98ff54b68512f345eed178bf961084"
},
{
"url": "https://git.kernel.org/stable/c/1740a1e45eee65099a92fb502e1e67e63aad277d"
},
{
"url": "https://git.kernel.org/stable/c/d0553680f94c49bbe0e39eb50d033ba563b4212d"
}
],
"title": "can: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2021-4454",
"datePublished": "2025-03-27T16:37:09.381Z",
"dateReserved": "2025-02-26T02:29:43.631Z",
"dateUpdated": "2025-05-04T12:40:33.467Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53012 (GCVE-0-2023-53012)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 12:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
thermal: core: call put_device() only after device_register() fails
put_device() shouldn't be called before a prior call to
device_register(). __thermal_cooling_device_register() doesn't follow
that properly and needs fixing. Also
thermal_cooling_device_destroy_sysfs() is getting called unnecessarily
on few error paths.
Fix all this by placing the calls at the right place.
Based on initial work done by Caleb Connolly.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 108a6f91e2766a6d9142b1f2d90c07ac547eae7e Version: 80bb3b901abe6560620505e5c734d140c4f73a07 Version: c408b3d1d9bbc7de5fb0304fea424ef2539da616 Version: 5139cbc0c6e4bf2fcffc9a7ed4350bf6985bc561 Version: c4c435d3637b5d0abaa6447c7366c3674364968a Version: e0d8b51bbe84d6a98c162e06344de2d773d9e722 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/thermal/thermal_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a7d736cc3c6cb0d7498bbfb56515d414e35e9510",
"status": "affected",
"version": "108a6f91e2766a6d9142b1f2d90c07ac547eae7e",
"versionType": "git"
},
{
"lessThan": "2846a7412f6246fd5171f51011bf76dfebcec0ee",
"status": "affected",
"version": "80bb3b901abe6560620505e5c734d140c4f73a07",
"versionType": "git"
},
{
"lessThan": "6c54b7bc8a31ce0f7cc7f8deef05067df414f1d8",
"status": "affected",
"version": "c408b3d1d9bbc7de5fb0304fea424ef2539da616",
"versionType": "git"
},
{
"status": "affected",
"version": "5139cbc0c6e4bf2fcffc9a7ed4350bf6985bc561",
"versionType": "git"
},
{
"status": "affected",
"version": "c4c435d3637b5d0abaa6447c7366c3674364968a",
"versionType": "git"
},
{
"status": "affected",
"version": "e0d8b51bbe84d6a98c162e06344de2d773d9e722",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/thermal/thermal_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux"
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.15.86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.1.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal: core: call put_device() only after device_register() fails\n\nput_device() shouldn\u0027t be called before a prior call to\ndevice_register(). __thermal_cooling_device_register() doesn\u0027t follow\nthat properly and needs fixing. Also\nthermal_cooling_device_destroy_sysfs() is getting called unnecessarily\non few error paths.\n\nFix all this by placing the calls at the right place.\n\nBased on initial work done by Caleb Connolly."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:50:04.932Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a7d736cc3c6cb0d7498bbfb56515d414e35e9510"
},
{
"url": "https://git.kernel.org/stable/c/2846a7412f6246fd5171f51011bf76dfebcec0ee"
},
{
"url": "https://git.kernel.org/stable/c/6c54b7bc8a31ce0f7cc7f8deef05067df414f1d8"
}
],
"title": "thermal: core: call put_device() only after device_register() fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53012",
"datePublished": "2025-03-27T16:43:41.693Z",
"dateReserved": "2025-03-27T16:40:15.749Z",
"dateUpdated": "2025-05-04T12:50:04.932Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53023 (GCVE-0-2023-53023)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: nfc: Fix use-after-free in local_cleanup()
Fix a use-after-free that occurs in kfree_skb() called from
local_cleanup(). This could happen when killing nfc daemon (e.g. neard)
after detaching an nfc device.
When detaching an nfc device, local_cleanup() called from
nfc_llcp_unregister_device() frees local->rx_pending and decreases
local->ref by kref_put() in nfc_llcp_local_put().
In the terminating process, nfc daemon releases all sockets and it leads
to decreasing local->ref. After the last release of local->ref,
local_cleanup() called from local_release() frees local->rx_pending
again, which leads to the bug.
Setting local->rx_pending to NULL in local_cleanup() could prevent
use-after-free when local_cleanup() is called twice.
Found by a modified version of syzkaller.
BUG: KASAN: use-after-free in kfree_skb()
Call Trace:
dump_stack_lvl (lib/dump_stack.c:106)
print_address_description.constprop.0.cold (mm/kasan/report.c:306)
kasan_check_range (mm/kasan/generic.c:189)
kfree_skb (net/core/skbuff.c:955)
local_cleanup (net/nfc/llcp_core.c:159)
nfc_llcp_local_put.part.0 (net/nfc/llcp_core.c:172)
nfc_llcp_local_put (net/nfc/llcp_core.c:181)
llcp_sock_destruct (net/nfc/llcp_sock.c:959)
__sk_destruct (net/core/sock.c:2133)
sk_destruct (net/core/sock.c:2181)
__sk_free (net/core/sock.c:2192)
sk_free (net/core/sock.c:2203)
llcp_sock_release (net/nfc/llcp_sock.c:646)
__sock_release (net/socket.c:650)
sock_close (net/socket.c:1365)
__fput (fs/file_table.c:306)
task_work_run (kernel/task_work.c:179)
ptrace_notify (kernel/signal.c:2354)
syscall_exit_to_user_mode_prepare (kernel/entry/common.c:278)
syscall_exit_to_user_mode (kernel/entry/common.c:296)
do_syscall_64 (arch/x86/entry/common.c:86)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:106)
Allocated by task 4719:
kasan_save_stack (mm/kasan/common.c:45)
__kasan_slab_alloc (mm/kasan/common.c:325)
slab_post_alloc_hook (mm/slab.h:766)
kmem_cache_alloc_node (mm/slub.c:3497)
__alloc_skb (net/core/skbuff.c:552)
pn533_recv_response (drivers/nfc/pn533/usb.c:65)
__usb_hcd_giveback_urb (drivers/usb/core/hcd.c:1671)
usb_giveback_urb_bh (drivers/usb/core/hcd.c:1704)
tasklet_action_common.isra.0 (kernel/softirq.c:797)
__do_softirq (kernel/softirq.c:571)
Freed by task 1901:
kasan_save_stack (mm/kasan/common.c:45)
kasan_set_track (mm/kasan/common.c:52)
kasan_save_free_info (mm/kasan/genericdd.c:518)
__kasan_slab_free (mm/kasan/common.c:236)
kmem_cache_free (mm/slub.c:3809)
kfree_skbmem (net/core/skbuff.c:874)
kfree_skb (net/core/skbuff.c:931)
local_cleanup (net/nfc/llcp_core.c:159)
nfc_llcp_unregister_device (net/nfc/llcp_core.c:1617)
nfc_unregister_device (net/nfc/core.c:1179)
pn53x_unregister_nfc (drivers/nfc/pn533/pn533.c:2846)
pn533_usb_disconnect (drivers/nfc/pn533/usb.c:579)
usb_unbind_interface (drivers/usb/core/driver.c:458)
device_release_driver_internal (drivers/base/dd.c:1279)
bus_remove_device (drivers/base/bus.c:529)
device_del (drivers/base/core.c:3665)
usb_disable_device (drivers/usb/core/message.c:1420)
usb_disconnect (drivers/usb/core.c:2261)
hub_event (drivers/usb/core/hub.c:5833)
process_one_work (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/workqueue.h:108 kernel/workqueue.c:2281)
worker_thread (include/linux/list.h:282 kernel/workqueue.c:2423)
kthread (kernel/kthread.c:319)
ret_from_fork (arch/x86/entry/entry_64.S:301)
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 3536da06db0baa675f32de608c0a4c0f5ef0e9ff Version: 3536da06db0baa675f32de608c0a4c0f5ef0e9ff Version: 3536da06db0baa675f32de608c0a4c0f5ef0e9ff Version: 3536da06db0baa675f32de608c0a4c0f5ef0e9ff Version: 3536da06db0baa675f32de608c0a4c0f5ef0e9ff Version: 3536da06db0baa675f32de608c0a4c0f5ef0e9ff Version: 3536da06db0baa675f32de608c0a4c0f5ef0e9ff |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53023",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T17:01:08.115465Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T17:08:23.496Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/nfc/llcp_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b09ae26f08aaf2d85f96ea7f90ddd3387f62216f",
"status": "affected",
"version": "3536da06db0baa675f32de608c0a4c0f5ef0e9ff",
"versionType": "git"
},
{
"lessThan": "54f7be61584b8ec4c6df405f479495b9397bae4a",
"status": "affected",
"version": "3536da06db0baa675f32de608c0a4c0f5ef0e9ff",
"versionType": "git"
},
{
"lessThan": "a59cdbda3714e11aa3ab579132864c4c8c6d54f9",
"status": "affected",
"version": "3536da06db0baa675f32de608c0a4c0f5ef0e9ff",
"versionType": "git"
},
{
"lessThan": "ad1baab3a5c03692d22ce446f38596a126377f6a",
"status": "affected",
"version": "3536da06db0baa675f32de608c0a4c0f5ef0e9ff",
"versionType": "git"
},
{
"lessThan": "7f129927feaf7c10b1c38bbce630172e9a08c834",
"status": "affected",
"version": "3536da06db0baa675f32de608c0a4c0f5ef0e9ff",
"versionType": "git"
},
{
"lessThan": "d3605282ec3502ec8847915eb2cf1f340493ff79",
"status": "affected",
"version": "3536da06db0baa675f32de608c0a4c0f5ef0e9ff",
"versionType": "git"
},
{
"lessThan": "4bb4db7f3187c6e3de6b229ffc87cdb30a2d22b6",
"status": "affected",
"version": "3536da06db0baa675f32de608c0a4c0f5ef0e9ff",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/nfc/llcp_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.9"
},
{
"lessThan": "3.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.305",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.272",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.305",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.272",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "3.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nfc: Fix use-after-free in local_cleanup()\n\nFix a use-after-free that occurs in kfree_skb() called from\nlocal_cleanup(). This could happen when killing nfc daemon (e.g. neard)\nafter detaching an nfc device.\nWhen detaching an nfc device, local_cleanup() called from\nnfc_llcp_unregister_device() frees local-\u003erx_pending and decreases\nlocal-\u003eref by kref_put() in nfc_llcp_local_put().\nIn the terminating process, nfc daemon releases all sockets and it leads\nto decreasing local-\u003eref. After the last release of local-\u003eref,\nlocal_cleanup() called from local_release() frees local-\u003erx_pending\nagain, which leads to the bug.\n\nSetting local-\u003erx_pending to NULL in local_cleanup() could prevent\nuse-after-free when local_cleanup() is called twice.\n\nFound by a modified version of syzkaller.\n\nBUG: KASAN: use-after-free in kfree_skb()\n\nCall Trace:\ndump_stack_lvl (lib/dump_stack.c:106)\nprint_address_description.constprop.0.cold (mm/kasan/report.c:306)\nkasan_check_range (mm/kasan/generic.c:189)\nkfree_skb (net/core/skbuff.c:955)\nlocal_cleanup (net/nfc/llcp_core.c:159)\nnfc_llcp_local_put.part.0 (net/nfc/llcp_core.c:172)\nnfc_llcp_local_put (net/nfc/llcp_core.c:181)\nllcp_sock_destruct (net/nfc/llcp_sock.c:959)\n__sk_destruct (net/core/sock.c:2133)\nsk_destruct (net/core/sock.c:2181)\n__sk_free (net/core/sock.c:2192)\nsk_free (net/core/sock.c:2203)\nllcp_sock_release (net/nfc/llcp_sock.c:646)\n__sock_release (net/socket.c:650)\nsock_close (net/socket.c:1365)\n__fput (fs/file_table.c:306)\ntask_work_run (kernel/task_work.c:179)\nptrace_notify (kernel/signal.c:2354)\nsyscall_exit_to_user_mode_prepare (kernel/entry/common.c:278)\nsyscall_exit_to_user_mode (kernel/entry/common.c:296)\ndo_syscall_64 (arch/x86/entry/common.c:86)\nentry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:106)\n\nAllocated by task 4719:\nkasan_save_stack (mm/kasan/common.c:45)\n__kasan_slab_alloc (mm/kasan/common.c:325)\nslab_post_alloc_hook (mm/slab.h:766)\nkmem_cache_alloc_node (mm/slub.c:3497)\n__alloc_skb (net/core/skbuff.c:552)\npn533_recv_response (drivers/nfc/pn533/usb.c:65)\n__usb_hcd_giveback_urb (drivers/usb/core/hcd.c:1671)\nusb_giveback_urb_bh (drivers/usb/core/hcd.c:1704)\ntasklet_action_common.isra.0 (kernel/softirq.c:797)\n__do_softirq (kernel/softirq.c:571)\n\nFreed by task 1901:\nkasan_save_stack (mm/kasan/common.c:45)\nkasan_set_track (mm/kasan/common.c:52)\nkasan_save_free_info (mm/kasan/genericdd.c:518)\n__kasan_slab_free (mm/kasan/common.c:236)\nkmem_cache_free (mm/slub.c:3809)\nkfree_skbmem (net/core/skbuff.c:874)\nkfree_skb (net/core/skbuff.c:931)\nlocal_cleanup (net/nfc/llcp_core.c:159)\nnfc_llcp_unregister_device (net/nfc/llcp_core.c:1617)\nnfc_unregister_device (net/nfc/core.c:1179)\npn53x_unregister_nfc (drivers/nfc/pn533/pn533.c:2846)\npn533_usb_disconnect (drivers/nfc/pn533/usb.c:579)\nusb_unbind_interface (drivers/usb/core/driver.c:458)\ndevice_release_driver_internal (drivers/base/dd.c:1279)\nbus_remove_device (drivers/base/bus.c:529)\ndevice_del (drivers/base/core.c:3665)\nusb_disable_device (drivers/usb/core/message.c:1420)\nusb_disconnect (drivers/usb/core.c:2261)\nhub_event (drivers/usb/core/hub.c:5833)\nprocess_one_work (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/workqueue.h:108 kernel/workqueue.c:2281)\nworker_thread (include/linux/list.h:282 kernel/workqueue.c:2423)\nkthread (kernel/kthread.c:319)\nret_from_fork (arch/x86/entry/entry_64.S:301)"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:53.637Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b09ae26f08aaf2d85f96ea7f90ddd3387f62216f"
},
{
"url": "https://git.kernel.org/stable/c/54f7be61584b8ec4c6df405f479495b9397bae4a"
},
{
"url": "https://git.kernel.org/stable/c/a59cdbda3714e11aa3ab579132864c4c8c6d54f9"
},
{
"url": "https://git.kernel.org/stable/c/ad1baab3a5c03692d22ce446f38596a126377f6a"
},
{
"url": "https://git.kernel.org/stable/c/7f129927feaf7c10b1c38bbce630172e9a08c834"
},
{
"url": "https://git.kernel.org/stable/c/d3605282ec3502ec8847915eb2cf1f340493ff79"
},
{
"url": "https://git.kernel.org/stable/c/4bb4db7f3187c6e3de6b229ffc87cdb30a2d22b6"
}
],
"title": "net: nfc: Fix use-after-free in local_cleanup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53023",
"datePublished": "2025-03-27T16:43:49.142Z",
"dateReserved": "2025-03-27T16:40:15.753Z",
"dateUpdated": "2025-05-04T07:47:53.637Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21874 (GCVE-0-2025-21874)
Vulnerability from cvelistv5
Published
2025-03-27 14:57
Modified
2025-05-04 07:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dm-integrity: Avoid divide by zero in table status in Inline mode
In Inline mode, the journal is unused, and journal_sectors is zero.
Calculating the journal watermark requires dividing by journal_sectors,
which should be done only if the journal is configured.
Otherwise, a simple table query (dmsetup table) can cause OOPS.
This bug did not show on some systems, perhaps only due to
compiler optimization.
On my 32-bit testing machine, this reliably crashes with the following:
: Oops: divide error: 0000 [#1] PREEMPT SMP
: CPU: 0 UID: 0 PID: 2450 Comm: dmsetup Not tainted 6.14.0-rc2+ #959
: EIP: dm_integrity_status+0x2f8/0xab0 [dm_integrity]
...
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-integrity.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "22c6f577b3cb184857b440ae5e5916f6c9e7021d",
"status": "affected",
"version": "fb0987682c629c1d2c476f35f6fde405a5e304a4",
"versionType": "git"
},
{
"lessThan": "06d9895f265282e939a8933bb18de82eba2b4dda",
"status": "affected",
"version": "fb0987682c629c1d2c476f35f6fde405a5e304a4",
"versionType": "git"
},
{
"lessThan": "7fb39882b20c98a9a393c244c86b56ef6933cff8",
"status": "affected",
"version": "fb0987682c629c1d2c476f35f6fde405a5e304a4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/md/dm-integrity.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.18",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.6",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-integrity: Avoid divide by zero in table status in Inline mode\n\nIn Inline mode, the journal is unused, and journal_sectors is zero.\n\nCalculating the journal watermark requires dividing by journal_sectors,\nwhich should be done only if the journal is configured.\n\nOtherwise, a simple table query (dmsetup table) can cause OOPS.\n\nThis bug did not show on some systems, perhaps only due to\ncompiler optimization.\n\nOn my 32-bit testing machine, this reliably crashes with the following:\n\n : Oops: divide error: 0000 [#1] PREEMPT SMP\n : CPU: 0 UID: 0 PID: 2450 Comm: dmsetup Not tainted 6.14.0-rc2+ #959\n : EIP: dm_integrity_status+0x2f8/0xab0 [dm_integrity]\n ..."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:22:59.895Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/22c6f577b3cb184857b440ae5e5916f6c9e7021d"
},
{
"url": "https://git.kernel.org/stable/c/06d9895f265282e939a8933bb18de82eba2b4dda"
},
{
"url": "https://git.kernel.org/stable/c/7fb39882b20c98a9a393c244c86b56ef6933cff8"
}
],
"title": "dm-integrity: Avoid divide by zero in table status in Inline mode",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21874",
"datePublished": "2025-03-27T14:57:05.496Z",
"dateReserved": "2024-12-29T08:45:45.781Z",
"dateUpdated": "2025-05-04T07:22:59.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53029 (GCVE-0-2023-53029)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 12:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
octeontx2-pf: Fix the use of GFP_KERNEL in atomic context on rt
The commit 4af1b64f80fb ("octeontx2-pf: Fix lmtst ID used in aura
free") uses the get/put_cpu() to protect the usage of percpu pointer
in ->aura_freeptr() callback, but it also unnecessarily disable the
preemption for the blockable memory allocation. The commit 87b93b678e95
("octeontx2-pf: Avoid use of GFP_KERNEL in atomic context") tried to
fix these sleep inside atomic warnings. But it only fix the one for
the non-rt kernel. For the rt kernel, we still get the similar warnings
like below.
BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1, name: swapper/0
preempt_count: 1, expected: 0
RCU nest depth: 0, expected: 0
3 locks held by swapper/0/1:
#0: ffff800009fc5fe8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock+0x24/0x30
#1: ffff000100c276c0 (&mbox->lock){+.+.}-{3:3}, at: otx2_init_hw_resources+0x8c/0x3a4
#2: ffffffbfef6537e0 (&cpu_rcache->lock){+.+.}-{2:2}, at: alloc_iova_fast+0x1ac/0x2ac
Preemption disabled at:
[<ffff800008b1908c>] otx2_rq_aura_pool_init+0x14c/0x284
CPU: 20 PID: 1 Comm: swapper/0 Tainted: G W 6.2.0-rc3-rt1-yocto-preempt-rt #1
Hardware name: Marvell OcteonTX CN96XX board (DT)
Call trace:
dump_backtrace.part.0+0xe8/0xf4
show_stack+0x20/0x30
dump_stack_lvl+0x9c/0xd8
dump_stack+0x18/0x34
__might_resched+0x188/0x224
rt_spin_lock+0x64/0x110
alloc_iova_fast+0x1ac/0x2ac
iommu_dma_alloc_iova+0xd4/0x110
__iommu_dma_map+0x80/0x144
iommu_dma_map_page+0xe8/0x260
dma_map_page_attrs+0xb4/0xc0
__otx2_alloc_rbuf+0x90/0x150
otx2_rq_aura_pool_init+0x1c8/0x284
otx2_init_hw_resources+0xe4/0x3a4
otx2_open+0xf0/0x610
__dev_open+0x104/0x224
__dev_change_flags+0x1e4/0x274
dev_change_flags+0x2c/0x7c
ic_open_devs+0x124/0x2f8
ip_auto_config+0x180/0x42c
do_one_initcall+0x90/0x4dc
do_basic_setup+0x10c/0x14c
kernel_init_freeable+0x10c/0x13c
kernel_init+0x2c/0x140
ret_from_fork+0x10/0x20
Of course, we can shuffle the get/put_cpu() to only wrap the invocation
of ->aura_freeptr() as what commit 87b93b678e95 does. But there are only
two ->aura_freeptr() callbacks, otx2_aura_freeptr() and
cn10k_aura_freeptr(). There is no usage of perpcu variable in the
otx2_aura_freeptr() at all, so the get/put_cpu() seems redundant to it.
We can move the get/put_cpu() into the corresponding callback which
really has the percpu variable usage and avoid the sprinkling of
get/put_cpu() in several places.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c",
"drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "29e9c67bf3271067735c188e95cf3631ecd64d58",
"status": "affected",
"version": "6ea5273c71dd2d07c0a2459594eb34bc087939f7",
"versionType": "git"
},
{
"lessThan": "659518e013d6bd562bb0f1d2d9f99d0ac54720e2",
"status": "affected",
"version": "667ce030bdfb62a86266444b2c3fd6ab98b9df9b",
"versionType": "git"
},
{
"lessThan": "55ba18dc62deff5910c0fa64486dea1ff20832ff",
"status": "affected",
"version": "4af1b64f80fbe1275fb02c5f1c0cef099a4a231f",
"versionType": "git"
},
{
"status": "affected",
"version": "b754dc7c933dd9464223f64b10d33d68ab086cc6",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c",
"drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5.15.91",
"status": "affected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThan": "6.1.8",
"status": "affected",
"version": "6.1.5",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "5.15.87",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.8",
"versionStartIncluding": "6.1.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: Fix the use of GFP_KERNEL in atomic context on rt\n\nThe commit 4af1b64f80fb (\"octeontx2-pf: Fix lmtst ID used in aura\nfree\") uses the get/put_cpu() to protect the usage of percpu pointer\nin -\u003eaura_freeptr() callback, but it also unnecessarily disable the\npreemption for the blockable memory allocation. The commit 87b93b678e95\n(\"octeontx2-pf: Avoid use of GFP_KERNEL in atomic context\") tried to\nfix these sleep inside atomic warnings. But it only fix the one for\nthe non-rt kernel. For the rt kernel, we still get the similar warnings\nlike below.\n BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46\n in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1, name: swapper/0\n preempt_count: 1, expected: 0\n RCU nest depth: 0, expected: 0\n 3 locks held by swapper/0/1:\n #0: ffff800009fc5fe8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock+0x24/0x30\n #1: ffff000100c276c0 (\u0026mbox-\u003elock){+.+.}-{3:3}, at: otx2_init_hw_resources+0x8c/0x3a4\n #2: ffffffbfef6537e0 (\u0026cpu_rcache-\u003elock){+.+.}-{2:2}, at: alloc_iova_fast+0x1ac/0x2ac\n Preemption disabled at:\n [\u003cffff800008b1908c\u003e] otx2_rq_aura_pool_init+0x14c/0x284\n CPU: 20 PID: 1 Comm: swapper/0 Tainted: G W 6.2.0-rc3-rt1-yocto-preempt-rt #1\n Hardware name: Marvell OcteonTX CN96XX board (DT)\n Call trace:\n dump_backtrace.part.0+0xe8/0xf4\n show_stack+0x20/0x30\n dump_stack_lvl+0x9c/0xd8\n dump_stack+0x18/0x34\n __might_resched+0x188/0x224\n rt_spin_lock+0x64/0x110\n alloc_iova_fast+0x1ac/0x2ac\n iommu_dma_alloc_iova+0xd4/0x110\n __iommu_dma_map+0x80/0x144\n iommu_dma_map_page+0xe8/0x260\n dma_map_page_attrs+0xb4/0xc0\n __otx2_alloc_rbuf+0x90/0x150\n otx2_rq_aura_pool_init+0x1c8/0x284\n otx2_init_hw_resources+0xe4/0x3a4\n otx2_open+0xf0/0x610\n __dev_open+0x104/0x224\n __dev_change_flags+0x1e4/0x274\n dev_change_flags+0x2c/0x7c\n ic_open_devs+0x124/0x2f8\n ip_auto_config+0x180/0x42c\n do_one_initcall+0x90/0x4dc\n do_basic_setup+0x10c/0x14c\n kernel_init_freeable+0x10c/0x13c\n kernel_init+0x2c/0x140\n ret_from_fork+0x10/0x20\n\nOf course, we can shuffle the get/put_cpu() to only wrap the invocation\nof -\u003eaura_freeptr() as what commit 87b93b678e95 does. But there are only\ntwo -\u003eaura_freeptr() callbacks, otx2_aura_freeptr() and\ncn10k_aura_freeptr(). There is no usage of perpcu variable in the\notx2_aura_freeptr() at all, so the get/put_cpu() seems redundant to it.\nWe can move the get/put_cpu() into the corresponding callback which\nreally has the percpu variable usage and avoid the sprinkling of\nget/put_cpu() in several places."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:50:09.012Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/29e9c67bf3271067735c188e95cf3631ecd64d58"
},
{
"url": "https://git.kernel.org/stable/c/659518e013d6bd562bb0f1d2d9f99d0ac54720e2"
},
{
"url": "https://git.kernel.org/stable/c/55ba18dc62deff5910c0fa64486dea1ff20832ff"
}
],
"title": "octeontx2-pf: Fix the use of GFP_KERNEL in atomic context on rt",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53029",
"datePublished": "2025-03-27T16:43:58.234Z",
"dateReserved": "2025-03-27T16:40:15.757Z",
"dateUpdated": "2025-05-04T12:50:09.012Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49738 (GCVE-0-2022-49738)
Vulnerability from cvelistv5
Published
2025-03-27 16:42
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to do sanity check on i_extra_isize in is_alive()
syzbot found a f2fs bug:
BUG: KASAN: slab-out-of-bounds in data_blkaddr fs/f2fs/f2fs.h:2891 [inline]
BUG: KASAN: slab-out-of-bounds in is_alive fs/f2fs/gc.c:1117 [inline]
BUG: KASAN: slab-out-of-bounds in gc_data_segment fs/f2fs/gc.c:1520 [inline]
BUG: KASAN: slab-out-of-bounds in do_garbage_collect+0x386a/0x3df0 fs/f2fs/gc.c:1734
Read of size 4 at addr ffff888076557568 by task kworker/u4:3/52
CPU: 1 PID: 52 Comm: kworker/u4:3 Not tainted 6.1.0-rc4-syzkaller-00362-gfef7fd48922d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: writeback wb_workfn (flush-7:0)
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x15e/0x45d mm/kasan/report.c:395
kasan_report+0xbb/0x1f0 mm/kasan/report.c:495
data_blkaddr fs/f2fs/f2fs.h:2891 [inline]
is_alive fs/f2fs/gc.c:1117 [inline]
gc_data_segment fs/f2fs/gc.c:1520 [inline]
do_garbage_collect+0x386a/0x3df0 fs/f2fs/gc.c:1734
f2fs_gc+0x88c/0x20a0 fs/f2fs/gc.c:1831
f2fs_balance_fs+0x544/0x6b0 fs/f2fs/segment.c:410
f2fs_write_inode+0x57e/0xe20 fs/f2fs/inode.c:753
write_inode fs/fs-writeback.c:1440 [inline]
__writeback_single_inode+0xcfc/0x1440 fs/fs-writeback.c:1652
writeback_sb_inodes+0x54d/0xf90 fs/fs-writeback.c:1870
wb_writeback+0x2c5/0xd70 fs/fs-writeback.c:2044
wb_do_writeback fs/fs-writeback.c:2187 [inline]
wb_workfn+0x2dc/0x12f0 fs/fs-writeback.c:2227
process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
worker_thread+0x665/0x1080 kernel/workqueue.c:2436
kthread+0x2e4/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
The root cause is that we forgot to do sanity check on .i_extra_isize
in below path, result in accessing invalid address later, fix it.
- gc_data_segment
- is_alive
- data_blkaddr
- offset_in_addr
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/gc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e5142a4935c1f15841d06047b8130078fc4d7b8f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "914e38f02a490dafd980ff0f39cccedc074deb29",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "97ccfffcc061e54ce87e4a51a40e2e9cb0b7076a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5b25035fb888cb2f78bf0b9c9f95b1dc54480d36",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d3b7b4afd6b2c344eabf9cc26b8bfa903c164c7c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/gc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.232",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.232",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.168",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on i_extra_isize in is_alive()\n\nsyzbot found a f2fs bug:\n\nBUG: KASAN: slab-out-of-bounds in data_blkaddr fs/f2fs/f2fs.h:2891 [inline]\nBUG: KASAN: slab-out-of-bounds in is_alive fs/f2fs/gc.c:1117 [inline]\nBUG: KASAN: slab-out-of-bounds in gc_data_segment fs/f2fs/gc.c:1520 [inline]\nBUG: KASAN: slab-out-of-bounds in do_garbage_collect+0x386a/0x3df0 fs/f2fs/gc.c:1734\nRead of size 4 at addr ffff888076557568 by task kworker/u4:3/52\n\nCPU: 1 PID: 52 Comm: kworker/u4:3 Not tainted 6.1.0-rc4-syzkaller-00362-gfef7fd48922d #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\nWorkqueue: writeback wb_workfn (flush-7:0)\nCall Trace:\n\u003cTASK\u003e\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\nprint_address_description mm/kasan/report.c:284 [inline]\nprint_report+0x15e/0x45d mm/kasan/report.c:395\nkasan_report+0xbb/0x1f0 mm/kasan/report.c:495\ndata_blkaddr fs/f2fs/f2fs.h:2891 [inline]\nis_alive fs/f2fs/gc.c:1117 [inline]\ngc_data_segment fs/f2fs/gc.c:1520 [inline]\ndo_garbage_collect+0x386a/0x3df0 fs/f2fs/gc.c:1734\nf2fs_gc+0x88c/0x20a0 fs/f2fs/gc.c:1831\nf2fs_balance_fs+0x544/0x6b0 fs/f2fs/segment.c:410\nf2fs_write_inode+0x57e/0xe20 fs/f2fs/inode.c:753\nwrite_inode fs/fs-writeback.c:1440 [inline]\n__writeback_single_inode+0xcfc/0x1440 fs/fs-writeback.c:1652\nwriteback_sb_inodes+0x54d/0xf90 fs/fs-writeback.c:1870\nwb_writeback+0x2c5/0xd70 fs/fs-writeback.c:2044\nwb_do_writeback fs/fs-writeback.c:2187 [inline]\nwb_workfn+0x2dc/0x12f0 fs/fs-writeback.c:2227\nprocess_one_work+0x9bf/0x1710 kernel/workqueue.c:2289\nworker_thread+0x665/0x1080 kernel/workqueue.c:2436\nkthread+0x2e4/0x3a0 kernel/kthread.c:376\nret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306\n\nThe root cause is that we forgot to do sanity check on .i_extra_isize\nin below path, result in accessing invalid address later, fix it.\n- gc_data_segment\n - is_alive\n - data_blkaddr\n - offset_in_addr"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:19.637Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e5142a4935c1f15841d06047b8130078fc4d7b8f"
},
{
"url": "https://git.kernel.org/stable/c/914e38f02a490dafd980ff0f39cccedc074deb29"
},
{
"url": "https://git.kernel.org/stable/c/97ccfffcc061e54ce87e4a51a40e2e9cb0b7076a"
},
{
"url": "https://git.kernel.org/stable/c/5b25035fb888cb2f78bf0b9c9f95b1dc54480d36"
},
{
"url": "https://git.kernel.org/stable/c/d3b7b4afd6b2c344eabf9cc26b8bfa903c164c7c"
}
],
"title": "f2fs: fix to do sanity check on i_extra_isize in is_alive()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49738",
"datePublished": "2025-03-27T16:42:50.951Z",
"dateReserved": "2025-03-27T16:39:17.986Z",
"dateUpdated": "2025-05-04T08:44:19.637Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49758 (GCVE-0-2022-49758)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
reset: uniphier-glue: Fix possible null-ptr-deref
It will cause null-ptr-deref when resource_size(res) invoked,
if platform_get_resource() returns NULL.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/reset/reset-uniphier-glue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "95de286200b2a046da01c4aeba02ae9220d68ca4",
"status": "affected",
"version": "499fef09a3237497906084da3eede0185fc9abb8",
"versionType": "git"
},
{
"lessThan": "633bad3dc81ce2aa561f704ec091e49eb647bd0b",
"status": "affected",
"version": "499fef09a3237497906084da3eede0185fc9abb8",
"versionType": "git"
},
{
"lessThan": "3a2390c6777e3f6662980c6cfc25cafe9e4fef98",
"status": "affected",
"version": "499fef09a3237497906084da3eede0185fc9abb8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/reset/reset-uniphier-glue.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nreset: uniphier-glue: Fix possible null-ptr-deref\n\nIt will cause null-ptr-deref when resource_size(res) invoked,\nif platform_get_resource() returns NULL."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:46.025Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/95de286200b2a046da01c4aeba02ae9220d68ca4"
},
{
"url": "https://git.kernel.org/stable/c/633bad3dc81ce2aa561f704ec091e49eb647bd0b"
},
{
"url": "https://git.kernel.org/stable/c/3a2390c6777e3f6662980c6cfc25cafe9e4fef98"
}
],
"title": "reset: uniphier-glue: Fix possible null-ptr-deref",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49758",
"datePublished": "2025-03-27T16:43:05.465Z",
"dateReserved": "2025-03-27T16:39:17.989Z",
"dateUpdated": "2025-05-04T08:44:46.025Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21872 (GCVE-0-2025-21872)
Vulnerability from cvelistv5
Published
2025-03-27 14:57
Modified
2025-05-10 16:48
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
efi: Don't map the entire mokvar table to determine its size
Currently, when validating the mokvar table, we (re)map the entire table
on each iteration of the loop, adding space as we discover new entries.
If the table grows over a certain size, this fails due to limitations of
early_memmap(), and we get a failure and traceback:
------------[ cut here ]------------
WARNING: CPU: 0 PID: 0 at mm/early_ioremap.c:139 __early_ioremap+0xef/0x220
...
Call Trace:
<TASK>
? __early_ioremap+0xef/0x220
? __warn.cold+0x93/0xfa
? __early_ioremap+0xef/0x220
? report_bug+0xff/0x140
? early_fixup_exception+0x5d/0xb0
? early_idt_handler_common+0x2f/0x3a
? __early_ioremap+0xef/0x220
? efi_mokvar_table_init+0xce/0x1d0
? setup_arch+0x864/0xc10
? start_kernel+0x6b/0xa10
? x86_64_start_reservations+0x24/0x30
? x86_64_start_kernel+0xed/0xf0
? common_startup_64+0x13e/0x141
</TASK>
---[ end trace 0000000000000000 ]---
mokvar: Failed to map EFI MOKvar config table pa=0x7c4c3000, size=265187.
Mapping the entire structure isn't actually necessary, as we don't ever
need more than one entry header mapped at once.
Changes efi_mokvar_table_init() to only map each entry header, not the
entire table, when determining the table size. Since we're not mapping
any data past the variable name, it also changes the code to enforce
that each variable name is NUL terminated, rather than attempting to
verify it in place.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 58c909022a5a56cd1d9e89c8c5461fd1f6a27bb5 Version: 58c909022a5a56cd1d9e89c8c5461fd1f6a27bb5 Version: 58c909022a5a56cd1d9e89c8c5461fd1f6a27bb5 Version: 58c909022a5a56cd1d9e89c8c5461fd1f6a27bb5 Version: 58c909022a5a56cd1d9e89c8c5461fd1f6a27bb5 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/firmware/efi/mokvar-table.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "46c0454ffb78ce9d3355a3cccac86383ea8ddd55",
"status": "affected",
"version": "58c909022a5a56cd1d9e89c8c5461fd1f6a27bb5",
"versionType": "git"
},
{
"lessThan": "ea3f0b362dfe4ef885ef812bfaf4088176422c91",
"status": "affected",
"version": "58c909022a5a56cd1d9e89c8c5461fd1f6a27bb5",
"versionType": "git"
},
{
"lessThan": "65f4aebb8127708ba668dd938e83b8558abfc5cd",
"status": "affected",
"version": "58c909022a5a56cd1d9e89c8c5461fd1f6a27bb5",
"versionType": "git"
},
{
"lessThan": "97bd560b6cc4c26386a53b4881bf03e96f9ba03a",
"status": "affected",
"version": "58c909022a5a56cd1d9e89c8c5461fd1f6a27bb5",
"versionType": "git"
},
{
"lessThan": "2b90e7ace79774a3540ce569e000388f8d22c9e0",
"status": "affected",
"version": "58c909022a5a56cd1d9e89c8c5461fd1f6a27bb5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/firmware/efi/mokvar-table.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.83",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.18",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.6",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi: Don\u0027t map the entire mokvar table to determine its size\n\nCurrently, when validating the mokvar table, we (re)map the entire table\non each iteration of the loop, adding space as we discover new entries.\nIf the table grows over a certain size, this fails due to limitations of\nearly_memmap(), and we get a failure and traceback:\n\n ------------[ cut here ]------------\n WARNING: CPU: 0 PID: 0 at mm/early_ioremap.c:139 __early_ioremap+0xef/0x220\n ...\n Call Trace:\n \u003cTASK\u003e\n ? __early_ioremap+0xef/0x220\n ? __warn.cold+0x93/0xfa\n ? __early_ioremap+0xef/0x220\n ? report_bug+0xff/0x140\n ? early_fixup_exception+0x5d/0xb0\n ? early_idt_handler_common+0x2f/0x3a\n ? __early_ioremap+0xef/0x220\n ? efi_mokvar_table_init+0xce/0x1d0\n ? setup_arch+0x864/0xc10\n ? start_kernel+0x6b/0xa10\n ? x86_64_start_reservations+0x24/0x30\n ? x86_64_start_kernel+0xed/0xf0\n ? common_startup_64+0x13e/0x141\n \u003c/TASK\u003e\n ---[ end trace 0000000000000000 ]---\n mokvar: Failed to map EFI MOKvar config table pa=0x7c4c3000, size=265187.\n\nMapping the entire structure isn\u0027t actually necessary, as we don\u0027t ever\nneed more than one entry header mapped at once.\n\nChanges efi_mokvar_table_init() to only map each entry header, not the\nentire table, when determining the table size. Since we\u0027re not mapping\nany data past the variable name, it also changes the code to enforce\nthat each variable name is NUL terminated, rather than attempting to\nverify it in place."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-10T16:48:44.937Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/46c0454ffb78ce9d3355a3cccac86383ea8ddd55"
},
{
"url": "https://git.kernel.org/stable/c/ea3f0b362dfe4ef885ef812bfaf4088176422c91"
},
{
"url": "https://git.kernel.org/stable/c/65f4aebb8127708ba668dd938e83b8558abfc5cd"
},
{
"url": "https://git.kernel.org/stable/c/97bd560b6cc4c26386a53b4881bf03e96f9ba03a"
},
{
"url": "https://git.kernel.org/stable/c/2b90e7ace79774a3540ce569e000388f8d22c9e0"
}
],
"title": "efi: Don\u0027t map the entire mokvar table to determine its size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21872",
"datePublished": "2025-03-27T14:57:04.206Z",
"dateReserved": "2024-12-29T08:45:45.781Z",
"dateUpdated": "2025-05-10T16:48:44.937Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49751 (GCVE-0-2022-49751)
Vulnerability from cvelistv5
Published
2025-03-27 16:42
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
w1: fix WARNING after calling w1_process()
I got the following WARNING message while removing driver(ds2482):
------------[ cut here ]------------
do not call blocking ops when !TASK_RUNNING; state=1 set at [<000000002d50bfb6>] w1_process+0x9e/0x1d0 [wire]
WARNING: CPU: 0 PID: 262 at kernel/sched/core.c:9817 __might_sleep+0x98/0xa0
CPU: 0 PID: 262 Comm: w1_bus_master1 Tainted: G N 6.1.0-rc3+ #307
RIP: 0010:__might_sleep+0x98/0xa0
Call Trace:
exit_signals+0x6c/0x550
do_exit+0x2b4/0x17e0
kthread_exit+0x52/0x60
kthread+0x16d/0x1e0
ret_from_fork+0x1f/0x30
The state of task is set to TASK_INTERRUPTIBLE in loop in w1_process(),
set it to TASK_RUNNING when it breaks out of the loop to avoid the
warning.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 3c52e4e627896b42152cc6ff98216c302932227e Version: 3c52e4e627896b42152cc6ff98216c302932227e Version: 3c52e4e627896b42152cc6ff98216c302932227e Version: 3c52e4e627896b42152cc6ff98216c302932227e Version: 3c52e4e627896b42152cc6ff98216c302932227e Version: 3c52e4e627896b42152cc6ff98216c302932227e Version: 3c52e4e627896b42152cc6ff98216c302932227e |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/w1/w1.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "190b5c3bbd5df685bb1063bda048831d72b8f1d4",
"status": "affected",
"version": "3c52e4e627896b42152cc6ff98216c302932227e",
"versionType": "git"
},
{
"lessThan": "bccd6df4c177b1ad766f16565ccc298653d027d0",
"status": "affected",
"version": "3c52e4e627896b42152cc6ff98216c302932227e",
"versionType": "git"
},
{
"lessThan": "276052159ba94d4d9f5b453fb4707d6798c6b845",
"status": "affected",
"version": "3c52e4e627896b42152cc6ff98216c302932227e",
"versionType": "git"
},
{
"lessThan": "216f35db6ec6a667cd9db4838d657c1d2f4684da",
"status": "affected",
"version": "3c52e4e627896b42152cc6ff98216c302932227e",
"versionType": "git"
},
{
"lessThan": "89c62cee5d4d65ac75d99b5f986f7f94290e888f",
"status": "affected",
"version": "3c52e4e627896b42152cc6ff98216c302932227e",
"versionType": "git"
},
{
"lessThan": "cfc7462ff824ed6718ed0272ee9aae88e20d469a",
"status": "affected",
"version": "3c52e4e627896b42152cc6ff98216c302932227e",
"versionType": "git"
},
{
"lessThan": "36225a7c72e9e3e1ce4001b6ce72849f5c9a2d3b",
"status": "affected",
"version": "3c52e4e627896b42152cc6ff98216c302932227e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/w1/w1.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.28"
},
{
"lessThan": "2.6.28",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.305",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.272",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.305",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.272",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "2.6.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nw1: fix WARNING after calling w1_process()\n\nI got the following WARNING message while removing driver(ds2482):\n\n------------[ cut here ]------------\ndo not call blocking ops when !TASK_RUNNING; state=1 set at [\u003c000000002d50bfb6\u003e] w1_process+0x9e/0x1d0 [wire]\nWARNING: CPU: 0 PID: 262 at kernel/sched/core.c:9817 __might_sleep+0x98/0xa0\nCPU: 0 PID: 262 Comm: w1_bus_master1 Tainted: G N 6.1.0-rc3+ #307\nRIP: 0010:__might_sleep+0x98/0xa0\nCall Trace:\n exit_signals+0x6c/0x550\n do_exit+0x2b4/0x17e0\n kthread_exit+0x52/0x60\n kthread+0x16d/0x1e0\n ret_from_fork+0x1f/0x30\n\nThe state of task is set to TASK_INTERRUPTIBLE in loop in w1_process(),\nset it to TASK_RUNNING when it breaks out of the loop to avoid the\nwarning."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:36.457Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/190b5c3bbd5df685bb1063bda048831d72b8f1d4"
},
{
"url": "https://git.kernel.org/stable/c/bccd6df4c177b1ad766f16565ccc298653d027d0"
},
{
"url": "https://git.kernel.org/stable/c/276052159ba94d4d9f5b453fb4707d6798c6b845"
},
{
"url": "https://git.kernel.org/stable/c/216f35db6ec6a667cd9db4838d657c1d2f4684da"
},
{
"url": "https://git.kernel.org/stable/c/89c62cee5d4d65ac75d99b5f986f7f94290e888f"
},
{
"url": "https://git.kernel.org/stable/c/cfc7462ff824ed6718ed0272ee9aae88e20d469a"
},
{
"url": "https://git.kernel.org/stable/c/36225a7c72e9e3e1ce4001b6ce72849f5c9a2d3b"
}
],
"title": "w1: fix WARNING after calling w1_process()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49751",
"datePublished": "2025-03-27T16:42:59.669Z",
"dateReserved": "2025-03-27T16:39:17.988Z",
"dateUpdated": "2025-05-04T08:44:36.457Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52975 (GCVE-0-2023-52975)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress
Bug report and analysis from Ding Hui.
During iSCSI session logout, if another task accesses the shost ipaddress
attr, we can get a KASAN UAF report like this:
[ 276.942144] BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x78/0xe0
[ 276.942535] Write of size 4 at addr ffff8881053b45b8 by task cat/4088
[ 276.943511] CPU: 2 PID: 4088 Comm: cat Tainted: G E 6.1.0-rc8+ #3
[ 276.943997] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
[ 276.944470] Call Trace:
[ 276.944943] <TASK>
[ 276.945397] dump_stack_lvl+0x34/0x48
[ 276.945887] print_address_description.constprop.0+0x86/0x1e7
[ 276.946421] print_report+0x36/0x4f
[ 276.947358] kasan_report+0xad/0x130
[ 276.948234] kasan_check_range+0x35/0x1c0
[ 276.948674] _raw_spin_lock_bh+0x78/0xe0
[ 276.949989] iscsi_sw_tcp_host_get_param+0xad/0x2e0 [iscsi_tcp]
[ 276.951765] show_host_param_ISCSI_HOST_PARAM_IPADDRESS+0xe9/0x130 [scsi_transport_iscsi]
[ 276.952185] dev_attr_show+0x3f/0x80
[ 276.953005] sysfs_kf_seq_show+0x1fb/0x3e0
[ 276.953401] seq_read_iter+0x402/0x1020
[ 276.954260] vfs_read+0x532/0x7b0
[ 276.955113] ksys_read+0xed/0x1c0
[ 276.955952] do_syscall_64+0x38/0x90
[ 276.956347] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 276.956769] RIP: 0033:0x7f5d3a679222
[ 276.957161] Code: c0 e9 b2 fe ff ff 50 48 8d 3d 32 c0 0b 00 e8 a5 fe 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24
[ 276.958009] RSP: 002b:00007ffc864d16a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 276.958431] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5d3a679222
[ 276.958857] RDX: 0000000000020000 RSI: 00007f5d3a4fe000 RDI: 0000000000000003
[ 276.959281] RBP: 00007f5d3a4fe000 R08: 00000000ffffffff R09: 0000000000000000
[ 276.959682] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000020000
[ 276.960126] R13: 0000000000000003 R14: 0000000000000000 R15: 0000557a26dada58
[ 276.960536] </TASK>
[ 276.961357] Allocated by task 2209:
[ 276.961756] kasan_save_stack+0x1e/0x40
[ 276.962170] kasan_set_track+0x21/0x30
[ 276.962557] __kasan_kmalloc+0x7e/0x90
[ 276.962923] __kmalloc+0x5b/0x140
[ 276.963308] iscsi_alloc_session+0x28/0x840 [scsi_transport_iscsi]
[ 276.963712] iscsi_session_setup+0xda/0xba0 [libiscsi]
[ 276.964078] iscsi_sw_tcp_session_create+0x1fd/0x330 [iscsi_tcp]
[ 276.964431] iscsi_if_create_session.isra.0+0x50/0x260 [scsi_transport_iscsi]
[ 276.964793] iscsi_if_recv_msg+0xc5a/0x2660 [scsi_transport_iscsi]
[ 276.965153] iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]
[ 276.965546] netlink_unicast+0x4d5/0x7b0
[ 276.965905] netlink_sendmsg+0x78d/0xc30
[ 276.966236] sock_sendmsg+0xe5/0x120
[ 276.966576] ____sys_sendmsg+0x5fe/0x860
[ 276.966923] ___sys_sendmsg+0xe0/0x170
[ 276.967300] __sys_sendmsg+0xc8/0x170
[ 276.967666] do_syscall_64+0x38/0x90
[ 276.968028] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 276.968773] Freed by task 2209:
[ 276.969111] kasan_save_stack+0x1e/0x40
[ 276.969449] kasan_set_track+0x21/0x30
[ 276.969789] kasan_save_free_info+0x2a/0x50
[ 276.970146] __kasan_slab_free+0x106/0x190
[ 276.970470] __kmem_cache_free+0x133/0x270
[ 276.970816] device_release+0x98/0x210
[ 276.971145] kobject_cleanup+0x101/0x360
[ 276.971462] iscsi_session_teardown+0x3fb/0x530 [libiscsi]
[ 276.971775] iscsi_sw_tcp_session_destroy+0xd8/0x130 [iscsi_tcp]
[ 276.972143] iscsi_if_recv_msg+0x1bf1/0x2660 [scsi_transport_iscsi]
[ 276.972485] iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]
[ 276.972808] netlink_unicast+0x4d5/0x7b0
[ 276.973201] netlink_sendmsg+0x78d/0xc30
[ 276.973544] sock_sendmsg+0xe5/0x120
[ 276.973864] ____sys_sendmsg+0x5fe/0x860
[ 276.974248] ___sys_
---truncated---
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-52975",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T16:59:46.852113Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T17:08:22.400Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/iscsi_tcp.c",
"drivers/scsi/libiscsi.c",
"include/scsi/libiscsi.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "17b738590b97fb3fc287289971d1519ff9b875a1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "8859687f5b242c0b057461df0a9ff51d5500783b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6f1d64b13097e85abda0f91b5638000afc5f9a06",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/iscsi_tcp.c",
"drivers/scsi/libiscsi.c",
"include/scsi/libiscsi.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress\n\nBug report and analysis from Ding Hui.\n\nDuring iSCSI session logout, if another task accesses the shost ipaddress\nattr, we can get a KASAN UAF report like this:\n\n[ 276.942144] BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x78/0xe0\n[ 276.942535] Write of size 4 at addr ffff8881053b45b8 by task cat/4088\n[ 276.943511] CPU: 2 PID: 4088 Comm: cat Tainted: G E 6.1.0-rc8+ #3\n[ 276.943997] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\n[ 276.944470] Call Trace:\n[ 276.944943] \u003cTASK\u003e\n[ 276.945397] dump_stack_lvl+0x34/0x48\n[ 276.945887] print_address_description.constprop.0+0x86/0x1e7\n[ 276.946421] print_report+0x36/0x4f\n[ 276.947358] kasan_report+0xad/0x130\n[ 276.948234] kasan_check_range+0x35/0x1c0\n[ 276.948674] _raw_spin_lock_bh+0x78/0xe0\n[ 276.949989] iscsi_sw_tcp_host_get_param+0xad/0x2e0 [iscsi_tcp]\n[ 276.951765] show_host_param_ISCSI_HOST_PARAM_IPADDRESS+0xe9/0x130 [scsi_transport_iscsi]\n[ 276.952185] dev_attr_show+0x3f/0x80\n[ 276.953005] sysfs_kf_seq_show+0x1fb/0x3e0\n[ 276.953401] seq_read_iter+0x402/0x1020\n[ 276.954260] vfs_read+0x532/0x7b0\n[ 276.955113] ksys_read+0xed/0x1c0\n[ 276.955952] do_syscall_64+0x38/0x90\n[ 276.956347] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[ 276.956769] RIP: 0033:0x7f5d3a679222\n[ 276.957161] Code: c0 e9 b2 fe ff ff 50 48 8d 3d 32 c0 0b 00 e8 a5 fe 01 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 ec 28 48 89 54 24\n[ 276.958009] RSP: 002b:00007ffc864d16a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[ 276.958431] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5d3a679222\n[ 276.958857] RDX: 0000000000020000 RSI: 00007f5d3a4fe000 RDI: 0000000000000003\n[ 276.959281] RBP: 00007f5d3a4fe000 R08: 00000000ffffffff R09: 0000000000000000\n[ 276.959682] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000020000\n[ 276.960126] R13: 0000000000000003 R14: 0000000000000000 R15: 0000557a26dada58\n[ 276.960536] \u003c/TASK\u003e\n[ 276.961357] Allocated by task 2209:\n[ 276.961756] kasan_save_stack+0x1e/0x40\n[ 276.962170] kasan_set_track+0x21/0x30\n[ 276.962557] __kasan_kmalloc+0x7e/0x90\n[ 276.962923] __kmalloc+0x5b/0x140\n[ 276.963308] iscsi_alloc_session+0x28/0x840 [scsi_transport_iscsi]\n[ 276.963712] iscsi_session_setup+0xda/0xba0 [libiscsi]\n[ 276.964078] iscsi_sw_tcp_session_create+0x1fd/0x330 [iscsi_tcp]\n[ 276.964431] iscsi_if_create_session.isra.0+0x50/0x260 [scsi_transport_iscsi]\n[ 276.964793] iscsi_if_recv_msg+0xc5a/0x2660 [scsi_transport_iscsi]\n[ 276.965153] iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]\n[ 276.965546] netlink_unicast+0x4d5/0x7b0\n[ 276.965905] netlink_sendmsg+0x78d/0xc30\n[ 276.966236] sock_sendmsg+0xe5/0x120\n[ 276.966576] ____sys_sendmsg+0x5fe/0x860\n[ 276.966923] ___sys_sendmsg+0xe0/0x170\n[ 276.967300] __sys_sendmsg+0xc8/0x170\n[ 276.967666] do_syscall_64+0x38/0x90\n[ 276.968028] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[ 276.968773] Freed by task 2209:\n[ 276.969111] kasan_save_stack+0x1e/0x40\n[ 276.969449] kasan_set_track+0x21/0x30\n[ 276.969789] kasan_save_free_info+0x2a/0x50\n[ 276.970146] __kasan_slab_free+0x106/0x190\n[ 276.970470] __kmem_cache_free+0x133/0x270\n[ 276.970816] device_release+0x98/0x210\n[ 276.971145] kobject_cleanup+0x101/0x360\n[ 276.971462] iscsi_session_teardown+0x3fb/0x530 [libiscsi]\n[ 276.971775] iscsi_sw_tcp_session_destroy+0xd8/0x130 [iscsi_tcp]\n[ 276.972143] iscsi_if_recv_msg+0x1bf1/0x2660 [scsi_transport_iscsi]\n[ 276.972485] iscsi_if_rx+0x198/0x4b0 [scsi_transport_iscsi]\n[ 276.972808] netlink_unicast+0x4d5/0x7b0\n[ 276.973201] netlink_sendmsg+0x78d/0xc30\n[ 276.973544] sock_sendmsg+0xe5/0x120\n[ 276.973864] ____sys_sendmsg+0x5fe/0x860\n[ 276.974248] ___sys_\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:46:38.419Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/17b738590b97fb3fc287289971d1519ff9b875a1"
},
{
"url": "https://git.kernel.org/stable/c/8859687f5b242c0b057461df0a9ff51d5500783b"
},
{
"url": "https://git.kernel.org/stable/c/6f1d64b13097e85abda0f91b5638000afc5f9a06"
}
],
"title": "scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52975",
"datePublished": "2025-03-27T16:43:15.322Z",
"dateReserved": "2025-03-27T16:40:15.737Z",
"dateUpdated": "2025-05-04T07:46:38.419Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52988 (GCVE-0-2023-52988)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: hda/via: Avoid potential array out-of-bound in add_secret_dac_path()
snd_hda_get_connections() can return a negative error code.
It may lead to accessing 'conn' array at a negative index.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 30b4503378c976cf66201a1e81820519f6bd79ac Version: 30b4503378c976cf66201a1e81820519f6bd79ac Version: 30b4503378c976cf66201a1e81820519f6bd79ac Version: 30b4503378c976cf66201a1e81820519f6bd79ac Version: 30b4503378c976cf66201a1e81820519f6bd79ac Version: 30b4503378c976cf66201a1e81820519f6bd79ac Version: 30b4503378c976cf66201a1e81820519f6bd79ac |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/pci/hda/patch_via.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "437e50ef6290ac835d526d0e45f466a0aa69ba1b",
"status": "affected",
"version": "30b4503378c976cf66201a1e81820519f6bd79ac",
"versionType": "git"
},
{
"lessThan": "6e1f586ddec48d71016b81acf68ba9f49ca54db8",
"status": "affected",
"version": "30b4503378c976cf66201a1e81820519f6bd79ac",
"versionType": "git"
},
{
"lessThan": "d6870f3800dbb212ae8433183ee82f566d067c6c",
"status": "affected",
"version": "30b4503378c976cf66201a1e81820519f6bd79ac",
"versionType": "git"
},
{
"lessThan": "2b557fa635e7487f638c0f030c305870839eeda2",
"status": "affected",
"version": "30b4503378c976cf66201a1e81820519f6bd79ac",
"versionType": "git"
},
{
"lessThan": "1b9256c96220bcdba287eeeb90e7c910c77f8c46",
"status": "affected",
"version": "30b4503378c976cf66201a1e81820519f6bd79ac",
"versionType": "git"
},
{
"lessThan": "f011360ad234a07cb6fbcc720fff646a93a9f0d6",
"status": "affected",
"version": "30b4503378c976cf66201a1e81820519f6bd79ac",
"versionType": "git"
},
{
"lessThan": "b9cee506da2b7920b5ea02ccd8e78a907d0ee7aa",
"status": "affected",
"version": "30b4503378c976cf66201a1e81820519f6bd79ac",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/pci/hda/patch_via.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.1"
},
{
"lessThan": "3.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.306",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.273",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.232",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.306",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.273",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.232",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.168",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: hda/via: Avoid potential array out-of-bound in add_secret_dac_path()\n\nsnd_hda_get_connections() can return a negative error code.\nIt may lead to accessing \u0027conn\u0027 array at a negative index.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:00.427Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/437e50ef6290ac835d526d0e45f466a0aa69ba1b"
},
{
"url": "https://git.kernel.org/stable/c/6e1f586ddec48d71016b81acf68ba9f49ca54db8"
},
{
"url": "https://git.kernel.org/stable/c/d6870f3800dbb212ae8433183ee82f566d067c6c"
},
{
"url": "https://git.kernel.org/stable/c/2b557fa635e7487f638c0f030c305870839eeda2"
},
{
"url": "https://git.kernel.org/stable/c/1b9256c96220bcdba287eeeb90e7c910c77f8c46"
},
{
"url": "https://git.kernel.org/stable/c/f011360ad234a07cb6fbcc720fff646a93a9f0d6"
},
{
"url": "https://git.kernel.org/stable/c/b9cee506da2b7920b5ea02ccd8e78a907d0ee7aa"
}
],
"title": "ALSA: hda/via: Avoid potential array out-of-bound in add_secret_dac_path()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52988",
"datePublished": "2025-03-27T16:43:25.056Z",
"dateReserved": "2025-03-27T16:40:15.741Z",
"dateUpdated": "2025-05-04T07:47:00.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52936 (GCVE-0-2023-52936)
Vulnerability from cvelistv5
Published
2025-03-27 16:37
Modified
2025-05-04 07:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
kernel/irq/irqdomain.c: fix memory leak with using debugfs_lookup()
When calling debugfs_lookup() the result must have dput() called on it,
otherwise the memory will leak over time. To make things simpler, just
call debugfs_lookup_and_remove() instead which handles all of the logic
at once.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/irq/irqdomain.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "066ecbf1a53eb0b92b10c8df7808666be6ea5681",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cf1c917bf1c761a557b26410024e90057646c049",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d83d7ed260283560700d4034a80baad46620481b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/irq/irqdomain.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkernel/irq/irqdomain.c: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time. To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:46:21.372Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/066ecbf1a53eb0b92b10c8df7808666be6ea5681"
},
{
"url": "https://git.kernel.org/stable/c/cf1c917bf1c761a557b26410024e90057646c049"
},
{
"url": "https://git.kernel.org/stable/c/d83d7ed260283560700d4034a80baad46620481b"
}
],
"title": "kernel/irq/irqdomain.c: fix memory leak with using debugfs_lookup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52936",
"datePublished": "2025-03-27T16:37:16.130Z",
"dateReserved": "2024-08-21T06:07:11.021Z",
"dateUpdated": "2025-05-04T07:46:21.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21875 (GCVE-0-2025-21875)
Vulnerability from cvelistv5
Published
2025-03-27 14:57
Modified
2025-05-04 07:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mptcp: always handle address removal under msk socket lock
Syzkaller reported a lockdep splat in the PM control path:
WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 sock_owned_by_me include/net/sock.h:1711 [inline]
WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 msk_owned_by_me net/mptcp/protocol.h:363 [inline]
WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788
Modules linked in:
CPU: 0 UID: 0 PID: 6693 Comm: syz.0.205 Not tainted 6.14.0-rc2-syzkaller-00303-gad1b832bf1cf #0
Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
RIP: 0010:sock_owned_by_me include/net/sock.h:1711 [inline]
RIP: 0010:msk_owned_by_me net/mptcp/protocol.h:363 [inline]
RIP: 0010:mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788
Code: 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ca 7b d3 f5 eb b9 e8 c3 7b d3 f5 90 0f 0b 90 e9 dd fb ff ff e8 b5 7b d3 f5 90 <0f> 0b 90 e9 3e fb ff ff 44 89 f1 80 e1 07 38 c1 0f 8c eb fb ff ff
RSP: 0000:ffffc900034f6f60 EFLAGS: 00010283
RAX: ffffffff8bee3c2b RBX: 0000000000000001 RCX: 0000000000080000
RDX: ffffc90004d42000 RSI: 000000000000a407 RDI: 000000000000a408
RBP: ffffc900034f7030 R08: ffffffff8bee37f6 R09: 0100000000000000
R10: dffffc0000000000 R11: ffffed100bcc62e4 R12: ffff88805e6316e0
R13: ffff88805e630c00 R14: dffffc0000000000 R15: ffff88805e630c00
FS: 00007f7e9a7e96c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2fd18ff8 CR3: 0000000032c24000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
mptcp_pm_remove_addr+0x103/0x1d0 net/mptcp/pm.c:59
mptcp_pm_remove_anno_addr+0x1f4/0x2f0 net/mptcp/pm_netlink.c:1486
mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_netlink.c:1518 [inline]
mptcp_pm_nl_del_addr_doit+0x118d/0x1af0 net/mptcp/pm_netlink.c:1629
genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0xb1f/0xec0 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x206/0x480 net/netlink/af_netlink.c:2543
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]
netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1348
netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1892
sock_sendmsg_nosec net/socket.c:718 [inline]
__sock_sendmsg+0x221/0x270 net/socket.c:733
____sys_sendmsg+0x53a/0x860 net/socket.c:2573
___sys_sendmsg net/socket.c:2627 [inline]
__sys_sendmsg+0x269/0x350 net/socket.c:2659
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7e9998cde9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f7e9a7e9038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f7e99ba5fa0 RCX: 00007f7e9998cde9
RDX: 000000002000c094 RSI: 0000400000000000 RDI: 0000000000000007
RBP: 00007f7e99a0e2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f7e99ba5fa0 R15: 00007fff49231088
Indeed the PM can try to send a RM_ADDR over a msk without acquiring
first the msk socket lock.
The bugged code-path comes from an early optimization: when there
are no subflows, the PM should (usually) not send RM_ADDR
notifications.
The above statement is incorrect, as without locks another process
could concur
---truncated---
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: b6c08380860b926752d57c8fa9911fa388c4b876 Version: b6c08380860b926752d57c8fa9911fa388c4b876 Version: b6c08380860b926752d57c8fa9911fa388c4b876 Version: b6c08380860b926752d57c8fa9911fa388c4b876 Version: b6c08380860b926752d57c8fa9911fa388c4b876 Version: b6c08380860b926752d57c8fa9911fa388c4b876 Version: b6c08380860b926752d57c8fa9911fa388c4b876 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mptcp/pm_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "494ec285535632732eaa5786297a9ae4f731b5ff",
"status": "affected",
"version": "b6c08380860b926752d57c8fa9911fa388c4b876",
"versionType": "git"
},
{
"lessThan": "7cca31035c05819643ffb5d7518e9a331b3f6651",
"status": "affected",
"version": "b6c08380860b926752d57c8fa9911fa388c4b876",
"versionType": "git"
},
{
"lessThan": "8116fb4acd5d3f06cd37f84887dbe962b6703b1c",
"status": "affected",
"version": "b6c08380860b926752d57c8fa9911fa388c4b876",
"versionType": "git"
},
{
"lessThan": "a05da2be18aae7e82572f8d795f41bb49f5dfc7d",
"status": "affected",
"version": "b6c08380860b926752d57c8fa9911fa388c4b876",
"versionType": "git"
},
{
"lessThan": "4124b782ec2b1e2e490cf0bbf10f53dfd3479890",
"status": "affected",
"version": "b6c08380860b926752d57c8fa9911fa388c4b876",
"versionType": "git"
},
{
"lessThan": "2c3de6dff4373f1036e003f49a32629359530bdb",
"status": "affected",
"version": "b6c08380860b926752d57c8fa9911fa388c4b876",
"versionType": "git"
},
{
"lessThan": "f865c24bc55158313d5779fc81116023a6940ca3",
"status": "affected",
"version": "b6c08380860b926752d57c8fa9911fa388c4b876",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mptcp/pm_netlink.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.130",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.81",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.18",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.6",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: always handle address removal under msk socket lock\n\nSyzkaller reported a lockdep splat in the PM control path:\n\n WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 sock_owned_by_me include/net/sock.h:1711 [inline]\n WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 msk_owned_by_me net/mptcp/protocol.h:363 [inline]\n WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788\n Modules linked in:\n CPU: 0 UID: 0 PID: 6693 Comm: syz.0.205 Not tainted 6.14.0-rc2-syzkaller-00303-gad1b832bf1cf #0\n Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024\n RIP: 0010:sock_owned_by_me include/net/sock.h:1711 [inline]\n RIP: 0010:msk_owned_by_me net/mptcp/protocol.h:363 [inline]\n RIP: 0010:mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788\n Code: 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ca 7b d3 f5 eb b9 e8 c3 7b d3 f5 90 0f 0b 90 e9 dd fb ff ff e8 b5 7b d3 f5 90 \u003c0f\u003e 0b 90 e9 3e fb ff ff 44 89 f1 80 e1 07 38 c1 0f 8c eb fb ff ff\n RSP: 0000:ffffc900034f6f60 EFLAGS: 00010283\n RAX: ffffffff8bee3c2b RBX: 0000000000000001 RCX: 0000000000080000\n RDX: ffffc90004d42000 RSI: 000000000000a407 RDI: 000000000000a408\n RBP: ffffc900034f7030 R08: ffffffff8bee37f6 R09: 0100000000000000\n R10: dffffc0000000000 R11: ffffed100bcc62e4 R12: ffff88805e6316e0\n R13: ffff88805e630c00 R14: dffffc0000000000 R15: ffff88805e630c00\n FS: 00007f7e9a7e96c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000001b2fd18ff8 CR3: 0000000032c24000 CR4: 00000000003526f0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \u003cTASK\u003e\n mptcp_pm_remove_addr+0x103/0x1d0 net/mptcp/pm.c:59\n mptcp_pm_remove_anno_addr+0x1f4/0x2f0 net/mptcp/pm_netlink.c:1486\n mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_netlink.c:1518 [inline]\n mptcp_pm_nl_del_addr_doit+0x118d/0x1af0 net/mptcp/pm_netlink.c:1629\n genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]\n genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n genl_rcv_msg+0xb1f/0xec0 net/netlink/genetlink.c:1210\n netlink_rcv_skb+0x206/0x480 net/netlink/af_netlink.c:2543\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]\n netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1348\n netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1892\n sock_sendmsg_nosec net/socket.c:718 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:733\n ____sys_sendmsg+0x53a/0x860 net/socket.c:2573\n ___sys_sendmsg net/socket.c:2627 [inline]\n __sys_sendmsg+0x269/0x350 net/socket.c:2659\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7f7e9998cde9\n Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\n RSP: 002b:00007f7e9a7e9038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n RAX: ffffffffffffffda RBX: 00007f7e99ba5fa0 RCX: 00007f7e9998cde9\n RDX: 000000002000c094 RSI: 0000400000000000 RDI: 0000000000000007\n RBP: 00007f7e99a0e2a0 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n R13: 0000000000000000 R14: 00007f7e99ba5fa0 R15: 00007fff49231088\n\nIndeed the PM can try to send a RM_ADDR over a msk without acquiring\nfirst the msk socket lock.\n\nThe bugged code-path comes from an early optimization: when there\nare no subflows, the PM should (usually) not send RM_ADDR\nnotifications.\n\nThe above statement is incorrect, as without locks another process\ncould concur\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:23:01.132Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/494ec285535632732eaa5786297a9ae4f731b5ff"
},
{
"url": "https://git.kernel.org/stable/c/7cca31035c05819643ffb5d7518e9a331b3f6651"
},
{
"url": "https://git.kernel.org/stable/c/8116fb4acd5d3f06cd37f84887dbe962b6703b1c"
},
{
"url": "https://git.kernel.org/stable/c/a05da2be18aae7e82572f8d795f41bb49f5dfc7d"
},
{
"url": "https://git.kernel.org/stable/c/4124b782ec2b1e2e490cf0bbf10f53dfd3479890"
},
{
"url": "https://git.kernel.org/stable/c/2c3de6dff4373f1036e003f49a32629359530bdb"
},
{
"url": "https://git.kernel.org/stable/c/f865c24bc55158313d5779fc81116023a6940ca3"
}
],
"title": "mptcp: always handle address removal under msk socket lock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21875",
"datePublished": "2025-03-27T14:57:06.154Z",
"dateReserved": "2024-12-29T08:45:45.781Z",
"dateUpdated": "2025-05-04T07:23:01.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52941 (GCVE-0-2023-52941)
Vulnerability from cvelistv5
Published
2025-03-27 16:37
Modified
2025-05-04 12:49
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
can: isotp: split tx timer into transmission and timeout
The timer for the transmission of isotp PDUs formerly had two functions:
1. send two consecutive frames with a given time gap
2. monitor the timeouts for flow control frames and the echo frames
This led to larger txstate checks and potentially to a problem discovered
by syzbot which enabled the panic_on_warn feature while testing.
The former 'txtimer' function is split into 'txfrtimer' and 'txtimer'
to handle the two above functionalities with separate timer callbacks.
The two simplified timers now run in one-shot mode and make the state
transitions (especially with isotp_rcv_echo) better understandable.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/can/isotp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cae4c9bc35f72af5d4a079bb9d9fd62c4088a411",
"status": "affected",
"version": "866337865f3747c68a3e7bb837611e39cec1ecd6",
"versionType": "git"
},
{
"lessThan": "4f027cba8216f42a18b544842efab134f8b1f9f4",
"status": "affected",
"version": "866337865f3747c68a3e7bb837611e39cec1ecd6",
"versionType": "git"
},
{
"status": "affected",
"version": "3cb476cf834edca47f4470c276feb0f519401fb7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/can/isotp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: isotp: split tx timer into transmission and timeout\n\nThe timer for the transmission of isotp PDUs formerly had two functions:\n1. send two consecutive frames with a given time gap\n2. monitor the timeouts for flow control frames and the echo frames\n\nThis led to larger txstate checks and potentially to a problem discovered\nby syzbot which enabled the panic_on_warn feature while testing.\n\nThe former \u0027txtimer\u0027 function is split into \u0027txfrtimer\u0027 and \u0027txtimer\u0027\nto handle the two above functionalities with separate timer callbacks.\n\nThe two simplified timers now run in one-shot mode and make the state\ntransitions (especially with isotp_rcv_echo) better understandable."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:49:55.905Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cae4c9bc35f72af5d4a079bb9d9fd62c4088a411"
},
{
"url": "https://git.kernel.org/stable/c/4f027cba8216f42a18b544842efab134f8b1f9f4"
}
],
"title": "can: isotp: split tx timer into transmission and timeout",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52941",
"datePublished": "2025-03-27T16:37:19.469Z",
"dateReserved": "2024-08-21T06:07:11.022Z",
"dateUpdated": "2025-05-04T12:49:55.905Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53003 (GCVE-0-2023-53003)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
EDAC/qcom: Do not pass llcc_driv_data as edac_device_ctl_info's pvt_info
The memory for llcc_driv_data is allocated by the LLCC driver. But when
it is passed as the private driver info to the EDAC core, it will get freed
during the qcom_edac driver release. So when the qcom_edac driver gets probed
again, it will try to use the freed data leading to the use-after-free bug.
Hence, do not pass llcc_driv_data as pvt_info but rather reference it
using the platform_data pointer in the qcom_edac driver.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 27450653f1db0b9d5b5048a246c850c52ee4aa61 Version: 27450653f1db0b9d5b5048a246c850c52ee4aa61 Version: 27450653f1db0b9d5b5048a246c850c52ee4aa61 Version: 27450653f1db0b9d5b5048a246c850c52ee4aa61 Version: 27450653f1db0b9d5b5048a246c850c52ee4aa61 |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53003",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-28T15:19:22.796508Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T15:21:57.079Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/edac/qcom_edac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "66e10d5f399629ef7877304d9ba2b35d0474e7eb",
"status": "affected",
"version": "27450653f1db0b9d5b5048a246c850c52ee4aa61",
"versionType": "git"
},
{
"lessThan": "76d9ebb7f0bc10fbc78b6d576751552edf743968",
"status": "affected",
"version": "27450653f1db0b9d5b5048a246c850c52ee4aa61",
"versionType": "git"
},
{
"lessThan": "bff5243bd32661cf9ce66f6d9210fc8f89bda145",
"status": "affected",
"version": "27450653f1db0b9d5b5048a246c850c52ee4aa61",
"versionType": "git"
},
{
"lessThan": "6f0351d0c311951b8b3064db91e61841e85b2b96",
"status": "affected",
"version": "27450653f1db0b9d5b5048a246c850c52ee4aa61",
"versionType": "git"
},
{
"lessThan": "977c6ba624f24ae20cf0faee871257a39348d4a9",
"status": "affected",
"version": "27450653f1db0b9d5b5048a246c850c52ee4aa61",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/edac/qcom_edac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nEDAC/qcom: Do not pass llcc_driv_data as edac_device_ctl_info\u0027s pvt_info\n\nThe memory for llcc_driv_data is allocated by the LLCC driver. But when\nit is passed as the private driver info to the EDAC core, it will get freed\nduring the qcom_edac driver release. So when the qcom_edac driver gets probed\nagain, it will try to use the freed data leading to the use-after-free bug.\n\nHence, do not pass llcc_driv_data as pvt_info but rather reference it\nusing the platform_data pointer in the qcom_edac driver."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:19.184Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/66e10d5f399629ef7877304d9ba2b35d0474e7eb"
},
{
"url": "https://git.kernel.org/stable/c/76d9ebb7f0bc10fbc78b6d576751552edf743968"
},
{
"url": "https://git.kernel.org/stable/c/bff5243bd32661cf9ce66f6d9210fc8f89bda145"
},
{
"url": "https://git.kernel.org/stable/c/6f0351d0c311951b8b3064db91e61841e85b2b96"
},
{
"url": "https://git.kernel.org/stable/c/977c6ba624f24ae20cf0faee871257a39348d4a9"
}
],
"title": "EDAC/qcom: Do not pass llcc_driv_data as edac_device_ctl_info\u0027s pvt_info",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53003",
"datePublished": "2025-03-27T16:43:35.155Z",
"dateReserved": "2025-03-27T16:40:15.744Z",
"dateUpdated": "2025-05-04T07:47:19.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49753 (GCVE-0-2022-49753)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: Fix double increment of client_count in dma_chan_get()
The first time dma_chan_get() is called for a channel the channel
client_count is incorrectly incremented twice for public channels,
first in balance_ref_count(), and again prior to returning. This
results in an incorrect client count which will lead to the
channel resources not being freed when they should be. A simple
test of repeated module load and unload of async_tx on a Dell
Power Edge R7425 also shows this resulting in a kref underflow
warning.
[ 124.329662] async_tx: api initialized (async)
[ 129.000627] async_tx: api initialized (async)
[ 130.047839] ------------[ cut here ]------------
[ 130.052472] refcount_t: underflow; use-after-free.
[ 130.057279] WARNING: CPU: 3 PID: 19364 at lib/refcount.c:28
refcount_warn_saturate+0xba/0x110
[ 130.065811] Modules linked in: async_tx(-) rfkill intel_rapl_msr
intel_rapl_common amd64_edac edac_mce_amd ipmi_ssif kvm_amd dcdbas kvm
mgag200 drm_shmem_helper acpi_ipmi irqbypass drm_kms_helper ipmi_si
syscopyarea sysfillrect rapl pcspkr ipmi_devintf sysimgblt fb_sys_fops
k10temp i2c_piix4 ipmi_msghandler acpi_power_meter acpi_cpufreq vfat
fat drm fuse xfs libcrc32c sd_mod t10_pi sg ahci crct10dif_pclmul
libahci crc32_pclmul crc32c_intel ghash_clmulni_intel igb megaraid_sas
i40e libata i2c_algo_bit ccp sp5100_tco dca dm_mirror dm_region_hash
dm_log dm_mod [last unloaded: async_tx]
[ 130.117361] CPU: 3 PID: 19364 Comm: modprobe Kdump: loaded Not
tainted 5.14.0-185.el9.x86_64 #1
[ 130.126091] Hardware name: Dell Inc. PowerEdge R7425/02MJ3T, BIOS
1.18.0 01/17/2022
[ 130.133806] RIP: 0010:refcount_warn_saturate+0xba/0x110
[ 130.139041] Code: 01 01 e8 6d bd 55 00 0f 0b e9 72 9d 8a 00 80 3d
26 18 9c 01 00 75 85 48 c7 c7 f8 a3 03 9d c6 05 16 18 9c 01 01 e8 4a
bd 55 00 <0f> 0b e9 4f 9d 8a 00 80 3d 01 18 9c 01 00 0f 85 5e ff ff ff
48 c7
[ 130.157807] RSP: 0018:ffffbf98898afe68 EFLAGS: 00010286
[ 130.163036] RAX: 0000000000000000 RBX: ffff9da06028e598 RCX: 0000000000000000
[ 130.170172] RDX: ffff9daf9de26480 RSI: ffff9daf9de198a0 RDI: ffff9daf9de198a0
[ 130.177316] RBP: ffff9da7cddf3970 R08: 0000000000000000 R09: 00000000ffff7fff
[ 130.184459] R10: ffffbf98898afd00 R11: ffffffff9d9e8c28 R12: ffff9da7cddf1970
[ 130.191596] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 130.198739] FS: 00007f646435c740(0000) GS:ffff9daf9de00000(0000)
knlGS:0000000000000000
[ 130.206832] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 130.212586] CR2: 00007f6463b214f0 CR3: 00000008ab98c000 CR4: 00000000003506e0
[ 130.219729] Call Trace:
[ 130.222192] <TASK>
[ 130.224305] dma_chan_put+0x10d/0x110
[ 130.227988] dmaengine_put+0x7a/0xa0
[ 130.231575] __do_sys_delete_module.constprop.0+0x178/0x280
[ 130.237157] ? syscall_trace_enter.constprop.0+0x145/0x1d0
[ 130.242652] do_syscall_64+0x5c/0x90
[ 130.246240] ? exc_page_fault+0x62/0x150
[ 130.250178] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 130.255243] RIP: 0033:0x7f6463a3f5ab
[ 130.258830] Code: 73 01 c3 48 8b 0d 75 a8 1b 00 f7 d8 64 89 01 48
83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00
00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 45 a8 1b 00 f7 d8 64 89
01 48
[ 130.277591] RSP: 002b:00007fff22f972c8 EFLAGS: 00000206 ORIG_RAX:
00000000000000b0
[ 130.285164] RAX: ffffffffffffffda RBX: 000055b6786edd40 RCX: 00007f6463a3f5ab
[ 130.292303] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055b6786edda8
[ 130.299443] RBP: 000055b6786edd40 R08: 0000000000000000 R09: 0000000000000000
[ 130.306584] R10: 00007f6463b9eac0 R11: 0000000000000206 R12: 000055b6786edda8
[ 130.313731] R13: 0000000000000000 R14: 000055b6786edda8 R15: 00007fff22f995f8
[ 130.320875] </TASK>
[ 130.323081] ---[ end trace eff7156d56b5cf25 ]---
cat /sys/class/dma/dma0chan*/in_use would get the wrong result.
2
2
2
Test-by: Jie Hai <haijie1@huawei.com>
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: d2f4f99db3e9ec8b063cf2e45704e2bb95428317 Version: d2f4f99db3e9ec8b063cf2e45704e2bb95428317 Version: d2f4f99db3e9ec8b063cf2e45704e2bb95428317 Version: d2f4f99db3e9ec8b063cf2e45704e2bb95428317 Version: d2f4f99db3e9ec8b063cf2e45704e2bb95428317 Version: d2f4f99db3e9ec8b063cf2e45704e2bb95428317 Version: d2f4f99db3e9ec8b063cf2e45704e2bb95428317 |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49753",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-28T15:22:36.398911Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T15:31:59.515Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/dmaengine.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1b409e14b4b7af034e0450f95c165b6c5c87dbc1",
"status": "affected",
"version": "d2f4f99db3e9ec8b063cf2e45704e2bb95428317",
"versionType": "git"
},
{
"lessThan": "c6221afe573413fd2981e291f7df4a58283e0654",
"status": "affected",
"version": "d2f4f99db3e9ec8b063cf2e45704e2bb95428317",
"versionType": "git"
},
{
"lessThan": "18dd3b30d4c7e8440c63118c7a7b687372b9567f",
"status": "affected",
"version": "d2f4f99db3e9ec8b063cf2e45704e2bb95428317",
"versionType": "git"
},
{
"lessThan": "42ecd72f02cd657b00b559621e7ef7d2c4d3e5f1",
"status": "affected",
"version": "d2f4f99db3e9ec8b063cf2e45704e2bb95428317",
"versionType": "git"
},
{
"lessThan": "71c601965532c38030133535f7cd93c1efa75af1",
"status": "affected",
"version": "d2f4f99db3e9ec8b063cf2e45704e2bb95428317",
"versionType": "git"
},
{
"lessThan": "142d644fd2cc059ffa042fbfb68e766433ef3afd",
"status": "affected",
"version": "d2f4f99db3e9ec8b063cf2e45704e2bb95428317",
"versionType": "git"
},
{
"lessThan": "f3dc1b3b4750851a94212dba249703dd0e50bb20",
"status": "affected",
"version": "d2f4f99db3e9ec8b063cf2e45704e2bb95428317",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/dmaengine.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.305",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.272",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.305",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.272",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: Fix double increment of client_count in dma_chan_get()\n\nThe first time dma_chan_get() is called for a channel the channel\nclient_count is incorrectly incremented twice for public channels,\nfirst in balance_ref_count(), and again prior to returning. This\nresults in an incorrect client count which will lead to the\nchannel resources not being freed when they should be. A simple\n test of repeated module load and unload of async_tx on a Dell\n Power Edge R7425 also shows this resulting in a kref underflow\n warning.\n\n[ 124.329662] async_tx: api initialized (async)\n[ 129.000627] async_tx: api initialized (async)\n[ 130.047839] ------------[ cut here ]------------\n[ 130.052472] refcount_t: underflow; use-after-free.\n[ 130.057279] WARNING: CPU: 3 PID: 19364 at lib/refcount.c:28\nrefcount_warn_saturate+0xba/0x110\n[ 130.065811] Modules linked in: async_tx(-) rfkill intel_rapl_msr\nintel_rapl_common amd64_edac edac_mce_amd ipmi_ssif kvm_amd dcdbas kvm\nmgag200 drm_shmem_helper acpi_ipmi irqbypass drm_kms_helper ipmi_si\nsyscopyarea sysfillrect rapl pcspkr ipmi_devintf sysimgblt fb_sys_fops\nk10temp i2c_piix4 ipmi_msghandler acpi_power_meter acpi_cpufreq vfat\nfat drm fuse xfs libcrc32c sd_mod t10_pi sg ahci crct10dif_pclmul\nlibahci crc32_pclmul crc32c_intel ghash_clmulni_intel igb megaraid_sas\ni40e libata i2c_algo_bit ccp sp5100_tco dca dm_mirror dm_region_hash\ndm_log dm_mod [last unloaded: async_tx]\n[ 130.117361] CPU: 3 PID: 19364 Comm: modprobe Kdump: loaded Not\ntainted 5.14.0-185.el9.x86_64 #1\n[ 130.126091] Hardware name: Dell Inc. PowerEdge R7425/02MJ3T, BIOS\n1.18.0 01/17/2022\n[ 130.133806] RIP: 0010:refcount_warn_saturate+0xba/0x110\n[ 130.139041] Code: 01 01 e8 6d bd 55 00 0f 0b e9 72 9d 8a 00 80 3d\n26 18 9c 01 00 75 85 48 c7 c7 f8 a3 03 9d c6 05 16 18 9c 01 01 e8 4a\nbd 55 00 \u003c0f\u003e 0b e9 4f 9d 8a 00 80 3d 01 18 9c 01 00 0f 85 5e ff ff ff\n48 c7\n[ 130.157807] RSP: 0018:ffffbf98898afe68 EFLAGS: 00010286\n[ 130.163036] RAX: 0000000000000000 RBX: ffff9da06028e598 RCX: 0000000000000000\n[ 130.170172] RDX: ffff9daf9de26480 RSI: ffff9daf9de198a0 RDI: ffff9daf9de198a0\n[ 130.177316] RBP: ffff9da7cddf3970 R08: 0000000000000000 R09: 00000000ffff7fff\n[ 130.184459] R10: ffffbf98898afd00 R11: ffffffff9d9e8c28 R12: ffff9da7cddf1970\n[ 130.191596] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[ 130.198739] FS: 00007f646435c740(0000) GS:ffff9daf9de00000(0000)\nknlGS:0000000000000000\n[ 130.206832] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 130.212586] CR2: 00007f6463b214f0 CR3: 00000008ab98c000 CR4: 00000000003506e0\n[ 130.219729] Call Trace:\n[ 130.222192] \u003cTASK\u003e\n[ 130.224305] dma_chan_put+0x10d/0x110\n[ 130.227988] dmaengine_put+0x7a/0xa0\n[ 130.231575] __do_sys_delete_module.constprop.0+0x178/0x280\n[ 130.237157] ? syscall_trace_enter.constprop.0+0x145/0x1d0\n[ 130.242652] do_syscall_64+0x5c/0x90\n[ 130.246240] ? exc_page_fault+0x62/0x150\n[ 130.250178] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[ 130.255243] RIP: 0033:0x7f6463a3f5ab\n[ 130.258830] Code: 73 01 c3 48 8b 0d 75 a8 1b 00 f7 d8 64 89 01 48\n83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00\n00 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d 45 a8 1b 00 f7 d8 64 89\n01 48\n[ 130.277591] RSP: 002b:00007fff22f972c8 EFLAGS: 00000206 ORIG_RAX:\n00000000000000b0\n[ 130.285164] RAX: ffffffffffffffda RBX: 000055b6786edd40 RCX: 00007f6463a3f5ab\n[ 130.292303] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055b6786edda8\n[ 130.299443] RBP: 000055b6786edd40 R08: 0000000000000000 R09: 0000000000000000\n[ 130.306584] R10: 00007f6463b9eac0 R11: 0000000000000206 R12: 000055b6786edda8\n[ 130.313731] R13: 0000000000000000 R14: 000055b6786edda8 R15: 00007fff22f995f8\n[ 130.320875] \u003c/TASK\u003e\n[ 130.323081] ---[ end trace eff7156d56b5cf25 ]---\n\ncat /sys/class/dma/dma0chan*/in_use would get the wrong result.\n2\n2\n2\n\nTest-by: Jie Hai \u003chaijie1@huawei.com\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:39.138Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1b409e14b4b7af034e0450f95c165b6c5c87dbc1"
},
{
"url": "https://git.kernel.org/stable/c/c6221afe573413fd2981e291f7df4a58283e0654"
},
{
"url": "https://git.kernel.org/stable/c/18dd3b30d4c7e8440c63118c7a7b687372b9567f"
},
{
"url": "https://git.kernel.org/stable/c/42ecd72f02cd657b00b559621e7ef7d2c4d3e5f1"
},
{
"url": "https://git.kernel.org/stable/c/71c601965532c38030133535f7cd93c1efa75af1"
},
{
"url": "https://git.kernel.org/stable/c/142d644fd2cc059ffa042fbfb68e766433ef3afd"
},
{
"url": "https://git.kernel.org/stable/c/f3dc1b3b4750851a94212dba249703dd0e50bb20"
}
],
"title": "dmaengine: Fix double increment of client_count in dma_chan_get()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49753",
"datePublished": "2025-03-27T16:43:01.252Z",
"dateReserved": "2025-03-27T16:39:17.988Z",
"dateUpdated": "2025-05-04T08:44:39.138Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49752 (GCVE-0-2022-49752)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
device property: fix of node refcount leak in fwnode_graph_get_next_endpoint()
The 'parent' returned by fwnode_graph_get_port_parent()
with refcount incremented when 'prev' is not NULL, it
needs be put when finish using it.
Because the parent is const, introduce a new variable to
store the returned fwnode, then put it before returning
from fwnode_graph_get_next_endpoint().
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/base/property.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7701a4bd45c11f9a289d8f262fad05705a012339",
"status": "affected",
"version": "b5b41ab6b0c1bb70fe37a0d193006c969e3b5909",
"versionType": "git"
},
{
"lessThan": "e75485fc589ec729cc182aa9b41dfb6c15ae6f6e",
"status": "affected",
"version": "b5b41ab6b0c1bb70fe37a0d193006c969e3b5909",
"versionType": "git"
},
{
"lessThan": "39af728649b05e88a2b40e714feeee6451c3f18e",
"status": "affected",
"version": "b5b41ab6b0c1bb70fe37a0d193006c969e3b5909",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/base/property.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndevice property: fix of node refcount leak in fwnode_graph_get_next_endpoint()\n\nThe \u0027parent\u0027 returned by fwnode_graph_get_port_parent()\nwith refcount incremented when \u0027prev\u0027 is not NULL, it\nneeds be put when finish using it.\n\nBecause the parent is const, introduce a new variable to\nstore the returned fwnode, then put it before returning\nfrom fwnode_graph_get_next_endpoint()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:37.672Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7701a4bd45c11f9a289d8f262fad05705a012339"
},
{
"url": "https://git.kernel.org/stable/c/e75485fc589ec729cc182aa9b41dfb6c15ae6f6e"
},
{
"url": "https://git.kernel.org/stable/c/39af728649b05e88a2b40e714feeee6451c3f18e"
}
],
"title": "device property: fix of node refcount leak in fwnode_graph_get_next_endpoint()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49752",
"datePublished": "2025-03-27T16:43:00.584Z",
"dateReserved": "2025-03-27T16:39:17.988Z",
"dateUpdated": "2025-05-04T08:44:37.672Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21884 (GCVE-0-2025-21884)
Vulnerability from cvelistv5
Published
2025-03-27 14:57
Modified
2025-05-04 07:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: better track kernel sockets lifetime
While kernel sockets are dismantled during pernet_operations->exit(),
their freeing can be delayed by any tx packets still held in qdisc
or device queues, due to skb_set_owner_w() prior calls.
This then trigger the following warning from ref_tracker_dir_exit() [1]
To fix this, make sure that kernel sockets own a reference on net->passive.
Add sk_net_refcnt_upgrade() helper, used whenever a kernel socket
is converted to a refcounted one.
[1]
[ 136.263918][ T35] ref_tracker: net notrefcnt@ffff8880638f01e0 has 1/2 users at
[ 136.263918][ T35] sk_alloc+0x2b3/0x370
[ 136.263918][ T35] inet6_create+0x6ce/0x10f0
[ 136.263918][ T35] __sock_create+0x4c0/0xa30
[ 136.263918][ T35] inet_ctl_sock_create+0xc2/0x250
[ 136.263918][ T35] igmp6_net_init+0x39/0x390
[ 136.263918][ T35] ops_init+0x31e/0x590
[ 136.263918][ T35] setup_net+0x287/0x9e0
[ 136.263918][ T35] copy_net_ns+0x33f/0x570
[ 136.263918][ T35] create_new_namespaces+0x425/0x7b0
[ 136.263918][ T35] unshare_nsproxy_namespaces+0x124/0x180
[ 136.263918][ T35] ksys_unshare+0x57d/0xa70
[ 136.263918][ T35] __x64_sys_unshare+0x38/0x40
[ 136.263918][ T35] do_syscall_64+0xf3/0x230
[ 136.263918][ T35] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 136.263918][ T35]
[ 136.343488][ T35] ref_tracker: net notrefcnt@ffff8880638f01e0 has 1/2 users at
[ 136.343488][ T35] sk_alloc+0x2b3/0x370
[ 136.343488][ T35] inet6_create+0x6ce/0x10f0
[ 136.343488][ T35] __sock_create+0x4c0/0xa30
[ 136.343488][ T35] inet_ctl_sock_create+0xc2/0x250
[ 136.343488][ T35] ndisc_net_init+0xa7/0x2b0
[ 136.343488][ T35] ops_init+0x31e/0x590
[ 136.343488][ T35] setup_net+0x287/0x9e0
[ 136.343488][ T35] copy_net_ns+0x33f/0x570
[ 136.343488][ T35] create_new_namespaces+0x425/0x7b0
[ 136.343488][ T35] unshare_nsproxy_namespaces+0x124/0x180
[ 136.343488][ T35] ksys_unshare+0x57d/0xa70
[ 136.343488][ T35] __x64_sys_unshare+0x38/0x40
[ 136.343488][ T35] do_syscall_64+0xf3/0x230
[ 136.343488][ T35] entry_SYSCALL_64_after_hwframe+0x77/0x7f
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/sock.h",
"net/core/sock.c",
"net/mptcp/subflow.c",
"net/netlink/af_netlink.c",
"net/rds/tcp.c",
"net/smc/af_smc.c",
"net/sunrpc/svcsock.c",
"net/sunrpc/xprtsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c31a732fac46b00b95b78fcc9c37cb48dd6f2e0c",
"status": "affected",
"version": "0cafd77dcd032d1687efaba5598cf07bce85997f",
"versionType": "git"
},
{
"lessThan": "5c70eb5c593d64d93b178905da215a9fd288a4b5",
"status": "affected",
"version": "0cafd77dcd032d1687efaba5598cf07bce85997f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/sock.h",
"net/core/sock.c",
"net/mptcp/subflow.c",
"net/netlink/af_netlink.c",
"net/rds/tcp.c",
"net/smc/af_smc.c",
"net/sunrpc/svcsock.c",
"net/sunrpc/xprtsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.6",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: better track kernel sockets lifetime\n\nWhile kernel sockets are dismantled during pernet_operations-\u003eexit(),\ntheir freeing can be delayed by any tx packets still held in qdisc\nor device queues, due to skb_set_owner_w() prior calls.\n\nThis then trigger the following warning from ref_tracker_dir_exit() [1]\n\nTo fix this, make sure that kernel sockets own a reference on net-\u003epassive.\n\nAdd sk_net_refcnt_upgrade() helper, used whenever a kernel socket\nis converted to a refcounted one.\n\n[1]\n\n[ 136.263918][ T35] ref_tracker: net notrefcnt@ffff8880638f01e0 has 1/2 users at\n[ 136.263918][ T35] sk_alloc+0x2b3/0x370\n[ 136.263918][ T35] inet6_create+0x6ce/0x10f0\n[ 136.263918][ T35] __sock_create+0x4c0/0xa30\n[ 136.263918][ T35] inet_ctl_sock_create+0xc2/0x250\n[ 136.263918][ T35] igmp6_net_init+0x39/0x390\n[ 136.263918][ T35] ops_init+0x31e/0x590\n[ 136.263918][ T35] setup_net+0x287/0x9e0\n[ 136.263918][ T35] copy_net_ns+0x33f/0x570\n[ 136.263918][ T35] create_new_namespaces+0x425/0x7b0\n[ 136.263918][ T35] unshare_nsproxy_namespaces+0x124/0x180\n[ 136.263918][ T35] ksys_unshare+0x57d/0xa70\n[ 136.263918][ T35] __x64_sys_unshare+0x38/0x40\n[ 136.263918][ T35] do_syscall_64+0xf3/0x230\n[ 136.263918][ T35] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n[ 136.263918][ T35]\n[ 136.343488][ T35] ref_tracker: net notrefcnt@ffff8880638f01e0 has 1/2 users at\n[ 136.343488][ T35] sk_alloc+0x2b3/0x370\n[ 136.343488][ T35] inet6_create+0x6ce/0x10f0\n[ 136.343488][ T35] __sock_create+0x4c0/0xa30\n[ 136.343488][ T35] inet_ctl_sock_create+0xc2/0x250\n[ 136.343488][ T35] ndisc_net_init+0xa7/0x2b0\n[ 136.343488][ T35] ops_init+0x31e/0x590\n[ 136.343488][ T35] setup_net+0x287/0x9e0\n[ 136.343488][ T35] copy_net_ns+0x33f/0x570\n[ 136.343488][ T35] create_new_namespaces+0x425/0x7b0\n[ 136.343488][ T35] unshare_nsproxy_namespaces+0x124/0x180\n[ 136.343488][ T35] ksys_unshare+0x57d/0xa70\n[ 136.343488][ T35] __x64_sys_unshare+0x38/0x40\n[ 136.343488][ T35] do_syscall_64+0xf3/0x230\n[ 136.343488][ T35] entry_SYSCALL_64_after_hwframe+0x77/0x7f"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:23:17.947Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c31a732fac46b00b95b78fcc9c37cb48dd6f2e0c"
},
{
"url": "https://git.kernel.org/stable/c/5c70eb5c593d64d93b178905da215a9fd288a4b5"
}
],
"title": "net: better track kernel sockets lifetime",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21884",
"datePublished": "2025-03-27T14:57:12.486Z",
"dateReserved": "2024-12-29T08:45:45.782Z",
"dateUpdated": "2025-05-04T07:23:17.947Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21886 (GCVE-0-2025-21886)
Vulnerability from cvelistv5
Published
2025-03-27 14:57
Modified
2025-05-04 07:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mlx5: Fix implicit ODP hang on parent deregistration
Fix the destroy_unused_implicit_child_mr() to prevent hanging during
parent deregistration as of below [1].
Upon entering destroy_unused_implicit_child_mr(), the reference count
for the implicit MR parent is incremented using:
refcount_inc_not_zero().
A corresponding decrement must be performed if
free_implicit_child_mr_work() is not called.
The code has been updated to properly manage the reference count that
was incremented.
[1]
INFO: task python3:2157 blocked for more than 120 seconds.
Not tainted 6.12.0-rc7+ #1633
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:python3 state:D stack:0 pid:2157 tgid:2157 ppid:1685 flags:0x00000000
Call Trace:
<TASK>
__schedule+0x420/0xd30
schedule+0x47/0x130
__mlx5_ib_dereg_mr+0x379/0x5d0 [mlx5_ib]
? __pfx_autoremove_wake_function+0x10/0x10
ib_dereg_mr_user+0x5f/0x120 [ib_core]
? lock_release+0xc6/0x280
destroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs]
uverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs]
uobj_destroy+0x3f/0x70 [ib_uverbs]
ib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs]
? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs]
? lock_acquire+0xc1/0x2f0
? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]
? ib_uverbs_ioctl+0x116/0x170 [ib_uverbs]
? lock_release+0xc6/0x280
ib_uverbs_ioctl+0xe7/0x170 [ib_uverbs]
? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]
__x64_sys_ioctl+0x1b0/0xa70
? kmem_cache_free+0x221/0x400
do_syscall_64+0x6b/0x140
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f20f21f017b
RSP: 002b:00007ffcfc4a77c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffcfc4a78d8 RCX: 00007f20f21f017b
RDX: 00007ffcfc4a78c0 RSI: 00000000c0181b01 RDI: 0000000000000003
RBP: 00007ffcfc4a78a0 R08: 000056147d125190 R09: 00007f20f1f14c60
R10: 0000000000000001 R11: 0000000000000246 R12: 00007ffcfc4a7890
R13: 000000000000001c R14: 000056147d100fc0 R15: 00007f20e365c9d0
</TASK>
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mlx5/odp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cb96ae783e7249e8e5a50c22952c0bb2983133df",
"status": "affected",
"version": "7cc8f681f6d4ae4478ae0f60485fc768f2b450da",
"versionType": "git"
},
{
"lessThan": "a095ede2daca49d15e74d66d014883f2fa8bb924",
"status": "affected",
"version": "edfb65dbb9ffd3102f3ff4dd21316158e56f1976",
"versionType": "git"
},
{
"lessThan": "3d8c6f26893d55fab218ad086719de1fc9bb86ba",
"status": "affected",
"version": "d3d930411ce390e532470194296658a960887773",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mlx5/odp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.12.18",
"status": "affected",
"version": "6.12.13",
"versionType": "semver"
},
{
"lessThan": "6.13.6",
"status": "affected",
"version": "6.13.2",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.18",
"versionStartIncluding": "6.12.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.6",
"versionStartIncluding": "6.13.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix implicit ODP hang on parent deregistration\n\nFix the destroy_unused_implicit_child_mr() to prevent hanging during\nparent deregistration as of below [1].\n\nUpon entering destroy_unused_implicit_child_mr(), the reference count\nfor the implicit MR parent is incremented using:\nrefcount_inc_not_zero().\n\nA corresponding decrement must be performed if\nfree_implicit_child_mr_work() is not called.\n\nThe code has been updated to properly manage the reference count that\nwas incremented.\n\n[1]\nINFO: task python3:2157 blocked for more than 120 seconds.\nNot tainted 6.12.0-rc7+ #1633\n\"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:python3 state:D stack:0 pid:2157 tgid:2157 ppid:1685 flags:0x00000000\nCall Trace:\n\u003cTASK\u003e\n__schedule+0x420/0xd30\nschedule+0x47/0x130\n__mlx5_ib_dereg_mr+0x379/0x5d0 [mlx5_ib]\n? __pfx_autoremove_wake_function+0x10/0x10\nib_dereg_mr_user+0x5f/0x120 [ib_core]\n? lock_release+0xc6/0x280\ndestroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs]\nuverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs]\nuobj_destroy+0x3f/0x70 [ib_uverbs]\nib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs]\n? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs]\n? lock_acquire+0xc1/0x2f0\n? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]\n? ib_uverbs_ioctl+0x116/0x170 [ib_uverbs]\n? lock_release+0xc6/0x280\nib_uverbs_ioctl+0xe7/0x170 [ib_uverbs]\n? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]\n __x64_sys_ioctl+0x1b0/0xa70\n? kmem_cache_free+0x221/0x400\ndo_syscall_64+0x6b/0x140\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7f20f21f017b\nRSP: 002b:00007ffcfc4a77c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007ffcfc4a78d8 RCX: 00007f20f21f017b\nRDX: 00007ffcfc4a78c0 RSI: 00000000c0181b01 RDI: 0000000000000003\nRBP: 00007ffcfc4a78a0 R08: 000056147d125190 R09: 00007f20f1f14c60\nR10: 0000000000000001 R11: 0000000000000246 R12: 00007ffcfc4a7890\nR13: 000000000000001c R14: 000056147d100fc0 R15: 00007f20e365c9d0\n\u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:23:20.708Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cb96ae783e7249e8e5a50c22952c0bb2983133df"
},
{
"url": "https://git.kernel.org/stable/c/a095ede2daca49d15e74d66d014883f2fa8bb924"
},
{
"url": "https://git.kernel.org/stable/c/3d8c6f26893d55fab218ad086719de1fc9bb86ba"
}
],
"title": "RDMA/mlx5: Fix implicit ODP hang on parent deregistration",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21886",
"datePublished": "2025-03-27T14:57:13.923Z",
"dateReserved": "2024-12-29T08:45:45.782Z",
"dateUpdated": "2025-05-04T07:23:20.708Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53000 (GCVE-0-2023-53000)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netlink: prevent potential spectre v1 gadgets
Most netlink attributes are parsed and validated from
__nla_validate_parse() or validate_nla()
u16 type = nla_type(nla);
if (type == 0 || type > maxtype) {
/* error or continue */
}
@type is then used as an array index and can be used
as a Spectre v1 gadget.
array_index_nospec() can be used to prevent leaking
content of kernel memory to malicious users.
This should take care of vast majority of netlink uses,
but an audit is needed to take care of others where
validation is not yet centralized in core netlink functions.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: bfa83a9e03cf8d501c6272999843470afecb32ed Version: bfa83a9e03cf8d501c6272999843470afecb32ed Version: bfa83a9e03cf8d501c6272999843470afecb32ed Version: bfa83a9e03cf8d501c6272999843470afecb32ed Version: bfa83a9e03cf8d501c6272999843470afecb32ed |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"lib/nlattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3e5082b1c66c7783fbcd79b5b178573230e528ff",
"status": "affected",
"version": "bfa83a9e03cf8d501c6272999843470afecb32ed",
"versionType": "git"
},
{
"lessThan": "539ca5dcbc91134bbe2c45677811c31d8b030d2d",
"status": "affected",
"version": "bfa83a9e03cf8d501c6272999843470afecb32ed",
"versionType": "git"
},
{
"lessThan": "41b74e95f297ac360ca7ed6bf200100717cb6c45",
"status": "affected",
"version": "bfa83a9e03cf8d501c6272999843470afecb32ed",
"versionType": "git"
},
{
"lessThan": "992e4ff7116a77968039277b5d6aaa535c2f2184",
"status": "affected",
"version": "bfa83a9e03cf8d501c6272999843470afecb32ed",
"versionType": "git"
},
{
"lessThan": "f0950402e8c76e7dcb08563f1b4e8000fbc62455",
"status": "affected",
"version": "bfa83a9e03cf8d501c6272999843470afecb32ed",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"lib/nlattr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.15"
},
{
"lessThan": "2.6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: prevent potential spectre v1 gadgets\n\nMost netlink attributes are parsed and validated from\n__nla_validate_parse() or validate_nla()\n\n u16 type = nla_type(nla);\n\n if (type == 0 || type \u003e maxtype) {\n /* error or continue */\n }\n\n@type is then used as an array index and can be used\nas a Spectre v1 gadget.\n\narray_index_nospec() can be used to prevent leaking\ncontent of kernel memory to malicious users.\n\nThis should take care of vast majority of netlink uses,\nbut an audit is needed to take care of others where\nvalidation is not yet centralized in core netlink functions."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:15.178Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3e5082b1c66c7783fbcd79b5b178573230e528ff"
},
{
"url": "https://git.kernel.org/stable/c/539ca5dcbc91134bbe2c45677811c31d8b030d2d"
},
{
"url": "https://git.kernel.org/stable/c/41b74e95f297ac360ca7ed6bf200100717cb6c45"
},
{
"url": "https://git.kernel.org/stable/c/992e4ff7116a77968039277b5d6aaa535c2f2184"
},
{
"url": "https://git.kernel.org/stable/c/f0950402e8c76e7dcb08563f1b4e8000fbc62455"
}
],
"title": "netlink: prevent potential spectre v1 gadgets",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53000",
"datePublished": "2025-03-27T16:43:33.208Z",
"dateReserved": "2025-03-27T16:40:15.742Z",
"dateUpdated": "2025-05-04T07:47:15.178Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53011 (GCVE-0-2023-53011)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: stmmac: enable all safety features by default
In the original implementation of dwmac5
commit 8bf993a5877e ("net: stmmac: Add support for DWMAC5 and implement Safety Features")
all safety features were enabled by default.
Later it seems some implementations didn't have support for all the
features, so in
commit 5ac712dcdfef ("net: stmmac: enable platform specific safety features")
the safety_feat_cfg structure was added to the callback and defined for
some platforms to selectively enable these safety features.
The problem is that only certain platforms were given that software
support. If the automotive safety package bit is set in the hardware
features register the safety feature callback is called for the platform,
and for platforms that didn't get a safety_feat_cfg defined this results
in the following NULL pointer dereference:
[ 7.933303] Call trace:
[ 7.935812] dwmac5_safety_feat_config+0x20/0x170 [stmmac]
[ 7.941455] __stmmac_open+0x16c/0x474 [stmmac]
[ 7.946117] stmmac_open+0x38/0x70 [stmmac]
[ 7.950414] __dev_open+0x100/0x1dc
[ 7.954006] __dev_change_flags+0x18c/0x204
[ 7.958297] dev_change_flags+0x24/0x6c
[ 7.962237] do_setlink+0x2b8/0xfa4
[ 7.965827] __rtnl_newlink+0x4ec/0x840
[ 7.969766] rtnl_newlink+0x50/0x80
[ 7.973353] rtnetlink_rcv_msg+0x12c/0x374
[ 7.977557] netlink_rcv_skb+0x5c/0x130
[ 7.981500] rtnetlink_rcv+0x18/0x2c
[ 7.985172] netlink_unicast+0x2e8/0x340
[ 7.989197] netlink_sendmsg+0x1a8/0x420
[ 7.993222] ____sys_sendmsg+0x218/0x280
[ 7.997249] ___sys_sendmsg+0xac/0x100
[ 8.001103] __sys_sendmsg+0x84/0xe0
[ 8.004776] __arm64_sys_sendmsg+0x24/0x30
[ 8.008983] invoke_syscall+0x48/0x114
[ 8.012840] el0_svc_common.constprop.0+0xcc/0xec
[ 8.017665] do_el0_svc+0x38/0xb0
[ 8.021071] el0_svc+0x2c/0x84
[ 8.024212] el0t_64_sync_handler+0xf4/0x120
[ 8.028598] el0t_64_sync+0x190/0x194
Go back to the original behavior, if the automotive safety package
is found to be supported in hardware enable all the features unless
safety_feat_cfg is passed in saying this particular platform only
supports a subset of the features.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/dwmac5.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "120b8e527e07c65de7f2b9018dcd9d17e66f2427",
"status": "affected",
"version": "5ac712dcdfefb1a783384db85e0507d161e87812",
"versionType": "git"
},
{
"lessThan": "aebf7e62708ba706ee7bf484c9023b15c214e92a",
"status": "affected",
"version": "5ac712dcdfefb1a783384db85e0507d161e87812",
"versionType": "git"
},
{
"lessThan": "fdfc76a116b5e9d3e98e6c96fe83b42d011d21d4",
"status": "affected",
"version": "5ac712dcdfefb1a783384db85e0507d161e87812",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/stmicro/stmmac/dwmac5.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: enable all safety features by default\n\nIn the original implementation of dwmac5\ncommit 8bf993a5877e (\"net: stmmac: Add support for DWMAC5 and implement Safety Features\")\nall safety features were enabled by default.\n\nLater it seems some implementations didn\u0027t have support for all the\nfeatures, so in\ncommit 5ac712dcdfef (\"net: stmmac: enable platform specific safety features\")\nthe safety_feat_cfg structure was added to the callback and defined for\nsome platforms to selectively enable these safety features.\n\nThe problem is that only certain platforms were given that software\nsupport. If the automotive safety package bit is set in the hardware\nfeatures register the safety feature callback is called for the platform,\nand for platforms that didn\u0027t get a safety_feat_cfg defined this results\nin the following NULL pointer dereference:\n\n[ 7.933303] Call trace:\n[ 7.935812] dwmac5_safety_feat_config+0x20/0x170 [stmmac]\n[ 7.941455] __stmmac_open+0x16c/0x474 [stmmac]\n[ 7.946117] stmmac_open+0x38/0x70 [stmmac]\n[ 7.950414] __dev_open+0x100/0x1dc\n[ 7.954006] __dev_change_flags+0x18c/0x204\n[ 7.958297] dev_change_flags+0x24/0x6c\n[ 7.962237] do_setlink+0x2b8/0xfa4\n[ 7.965827] __rtnl_newlink+0x4ec/0x840\n[ 7.969766] rtnl_newlink+0x50/0x80\n[ 7.973353] rtnetlink_rcv_msg+0x12c/0x374\n[ 7.977557] netlink_rcv_skb+0x5c/0x130\n[ 7.981500] rtnetlink_rcv+0x18/0x2c\n[ 7.985172] netlink_unicast+0x2e8/0x340\n[ 7.989197] netlink_sendmsg+0x1a8/0x420\n[ 7.993222] ____sys_sendmsg+0x218/0x280\n[ 7.997249] ___sys_sendmsg+0xac/0x100\n[ 8.001103] __sys_sendmsg+0x84/0xe0\n[ 8.004776] __arm64_sys_sendmsg+0x24/0x30\n[ 8.008983] invoke_syscall+0x48/0x114\n[ 8.012840] el0_svc_common.constprop.0+0xcc/0xec\n[ 8.017665] do_el0_svc+0x38/0xb0\n[ 8.021071] el0_svc+0x2c/0x84\n[ 8.024212] el0t_64_sync_handler+0xf4/0x120\n[ 8.028598] el0t_64_sync+0x190/0x194\n\nGo back to the original behavior, if the automotive safety package\nis found to be supported in hardware enable all the features unless\nsafety_feat_cfg is passed in saying this particular platform only\nsupports a subset of the features."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:33.405Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/120b8e527e07c65de7f2b9018dcd9d17e66f2427"
},
{
"url": "https://git.kernel.org/stable/c/aebf7e62708ba706ee7bf484c9023b15c214e92a"
},
{
"url": "https://git.kernel.org/stable/c/fdfc76a116b5e9d3e98e6c96fe83b42d011d21d4"
}
],
"title": "net: stmmac: enable all safety features by default",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53011",
"datePublished": "2025-03-27T16:43:40.897Z",
"dateReserved": "2025-03-27T16:40:15.748Z",
"dateUpdated": "2025-05-04T07:47:33.405Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52994 (GCVE-0-2023-52994)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 12:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
acpi: Fix suspend with Xen PV
Commit f1e525009493 ("x86/boot: Skip realmode init code when running as
Xen PV guest") missed one code path accessing real_mode_header, leading
to dereferencing NULL when suspending the system under Xen:
[ 348.284004] PM: suspend entry (deep)
[ 348.289532] Filesystems sync: 0.005 seconds
[ 348.291545] Freezing user space processes ... (elapsed 0.000 seconds) done.
[ 348.292457] OOM killer disabled.
[ 348.292462] Freezing remaining freezable tasks ... (elapsed 0.104 seconds) done.
[ 348.396612] printk: Suspending console(s) (use no_console_suspend to debug)
[ 348.749228] PM: suspend devices took 0.352 seconds
[ 348.769713] ACPI: EC: interrupt blocked
[ 348.816077] BUG: kernel NULL pointer dereference, address: 000000000000001c
[ 348.816080] #PF: supervisor read access in kernel mode
[ 348.816081] #PF: error_code(0x0000) - not-present page
[ 348.816083] PGD 0 P4D 0
[ 348.816086] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 348.816089] CPU: 0 PID: 6764 Comm: systemd-sleep Not tainted 6.1.3-1.fc32.qubes.x86_64 #1
[ 348.816092] Hardware name: Star Labs StarBook/StarBook, BIOS 8.01 07/03/2022
[ 348.816093] RIP: e030:acpi_get_wakeup_address+0xc/0x20
Fix that by adding an optional acpi callback allowing to skip setting
the wakeup address, as in the Xen PV case this will be handled by the
hypervisor anyway.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/acpi.h",
"drivers/acpi/sleep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b96903b7fc8c82ddfd92df4cdd83db3e567da0a5",
"status": "affected",
"version": "b1898793777fe10a31c160bb8bc385d6eea640c6",
"versionType": "git"
},
{
"lessThan": "fe0ba8c23f9a35b0307eb662f16dd3a75fcdae41",
"status": "affected",
"version": "f1e525009493cbd569e7c8dd7d58157855f8658d",
"versionType": "git"
},
{
"status": "affected",
"version": "3414632beaadf635a4affd4ae278297978640965",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/include/asm/acpi.h",
"drivers/acpi/sleep.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.1.9",
"status": "affected",
"version": "6.1.2",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "6.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nacpi: Fix suspend with Xen PV\n\nCommit f1e525009493 (\"x86/boot: Skip realmode init code when running as\nXen PV guest\") missed one code path accessing real_mode_header, leading\nto dereferencing NULL when suspending the system under Xen:\n\n [ 348.284004] PM: suspend entry (deep)\n [ 348.289532] Filesystems sync: 0.005 seconds\n [ 348.291545] Freezing user space processes ... (elapsed 0.000 seconds) done.\n [ 348.292457] OOM killer disabled.\n [ 348.292462] Freezing remaining freezable tasks ... (elapsed 0.104 seconds) done.\n [ 348.396612] printk: Suspending console(s) (use no_console_suspend to debug)\n [ 348.749228] PM: suspend devices took 0.352 seconds\n [ 348.769713] ACPI: EC: interrupt blocked\n [ 348.816077] BUG: kernel NULL pointer dereference, address: 000000000000001c\n [ 348.816080] #PF: supervisor read access in kernel mode\n [ 348.816081] #PF: error_code(0x0000) - not-present page\n [ 348.816083] PGD 0 P4D 0\n [ 348.816086] Oops: 0000 [#1] PREEMPT SMP NOPTI\n [ 348.816089] CPU: 0 PID: 6764 Comm: systemd-sleep Not tainted 6.1.3-1.fc32.qubes.x86_64 #1\n [ 348.816092] Hardware name: Star Labs StarBook/StarBook, BIOS 8.01 07/03/2022\n [ 348.816093] RIP: e030:acpi_get_wakeup_address+0xc/0x20\n\nFix that by adding an optional acpi callback allowing to skip setting\nthe wakeup address, as in the Xen PV case this will be handled by the\nhypervisor anyway."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:50:02.360Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b96903b7fc8c82ddfd92df4cdd83db3e567da0a5"
},
{
"url": "https://git.kernel.org/stable/c/fe0ba8c23f9a35b0307eb662f16dd3a75fcdae41"
}
],
"title": "acpi: Fix suspend with Xen PV",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52994",
"datePublished": "2025-03-27T16:43:28.893Z",
"dateReserved": "2025-03-27T16:40:15.742Z",
"dateUpdated": "2025-05-04T12:50:02.360Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52932 (GCVE-0-2023-52932)
Vulnerability from cvelistv5
Published
2025-03-27 16:37
Modified
2025-05-04 07:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/swapfile: add cond_resched() in get_swap_pages()
The softlockup still occurs in get_swap_pages() under memory pressure. 64
CPU cores, 64GB memory, and 28 zram devices, the disksize of each zram
device is 50MB with same priority as si. Use the stress-ng tool to
increase memory pressure, causing the system to oom frequently.
The plist_for_each_entry_safe() loops in get_swap_pages() could reach tens
of thousands of times to find available space (extreme case:
cond_resched() is not called in scan_swap_map_slots()). Let's add
cond_resched() into get_swap_pages() when failed to find available space
to avoid softlockup.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/swapfile.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "29f0349c5c76b627fe06b87d4b13fa03a6ce8e64",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "387217b97e99699c34e6d95ce2b91b327fcd853e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d49c85a1913385eed46dd16a25ad0928253767f0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "30187be29052bba9203b0ae2bdd815e0bc2faaab",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5dbe1ebd56470d03b78fc31491a9e4d433106ef2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "49178d4d61e78aed8c837dfeea8a450700f196e2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7717fc1a12f88701573f9ed897cc4f6699c661e3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/swapfile.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.306",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.273",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.232",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.306",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.273",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.232",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.168",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/swapfile: add cond_resched() in get_swap_pages()\n\nThe softlockup still occurs in get_swap_pages() under memory pressure. 64\nCPU cores, 64GB memory, and 28 zram devices, the disksize of each zram\ndevice is 50MB with same priority as si. Use the stress-ng tool to\nincrease memory pressure, causing the system to oom frequently.\n\nThe plist_for_each_entry_safe() loops in get_swap_pages() could reach tens\nof thousands of times to find available space (extreme case:\ncond_resched() is not called in scan_swap_map_slots()). Let\u0027s add\ncond_resched() into get_swap_pages() when failed to find available space\nto avoid softlockup."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:46:16.323Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/29f0349c5c76b627fe06b87d4b13fa03a6ce8e64"
},
{
"url": "https://git.kernel.org/stable/c/387217b97e99699c34e6d95ce2b91b327fcd853e"
},
{
"url": "https://git.kernel.org/stable/c/d49c85a1913385eed46dd16a25ad0928253767f0"
},
{
"url": "https://git.kernel.org/stable/c/30187be29052bba9203b0ae2bdd815e0bc2faaab"
},
{
"url": "https://git.kernel.org/stable/c/5dbe1ebd56470d03b78fc31491a9e4d433106ef2"
},
{
"url": "https://git.kernel.org/stable/c/49178d4d61e78aed8c837dfeea8a450700f196e2"
},
{
"url": "https://git.kernel.org/stable/c/7717fc1a12f88701573f9ed897cc4f6699c661e3"
}
],
"title": "mm/swapfile: add cond_resched() in get_swap_pages()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52932",
"datePublished": "2025-03-27T16:37:13.594Z",
"dateReserved": "2024-08-21T06:07:11.019Z",
"dateUpdated": "2025-05-04T07:46:16.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52979 (GCVE-0-2023-52979)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 12:49
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
squashfs: harden sanity check in squashfs_read_xattr_id_table
While mounting a corrupted filesystem, a signed integer '*xattr_ids' can
become less than zero. This leads to the incorrect computation of 'len'
and 'indexes' values which can cause null-ptr-deref in copy_bio_to_actor()
or out-of-bounds accesses in the next sanity checks inside
squashfs_read_xattr_id_table().
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: ff49cace7b8cf00d27665f7536a863d406963d06 Version: a8717b34003f4f7353b23826617ad872f85d85d8 Version: 3654a0ed0bdc6d70502bfc7c9fec9f1e243dfcad Version: bddcce15cd1fb9675ddd46a76d8fe2d0a571313b Version: 506220d2ba21791314af569211ffd8870b8208fa Version: 506220d2ba21791314af569211ffd8870b8208fa Version: 506220d2ba21791314af569211ffd8870b8208fa Version: 91d4f4d0d7bcd6abd9f9288ff40f4edc716f3d4b Version: eca93bf20f70e0f78c8c28720951942f61a49117 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/squashfs/xattr_id.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cf5d6612092408157db6bb500c70bf6d67c40fbc",
"status": "affected",
"version": "ff49cace7b8cf00d27665f7536a863d406963d06",
"versionType": "git"
},
{
"lessThan": "b30a74f83265c24d1d0842c6c3928cd2e775a3fb",
"status": "affected",
"version": "a8717b34003f4f7353b23826617ad872f85d85d8",
"versionType": "git"
},
{
"lessThan": "db76fc535fbdfbf29fd0b93e49627537ad794c8c",
"status": "affected",
"version": "3654a0ed0bdc6d70502bfc7c9fec9f1e243dfcad",
"versionType": "git"
},
{
"lessThan": "de2785aa3448d1ee7be3ab47fd4a873025f1b3d7",
"status": "affected",
"version": "bddcce15cd1fb9675ddd46a76d8fe2d0a571313b",
"versionType": "git"
},
{
"lessThan": "b7398efe24a965cf3937b716c0b1011c201c5d6e",
"status": "affected",
"version": "506220d2ba21791314af569211ffd8870b8208fa",
"versionType": "git"
},
{
"lessThan": "29e774dcb27116c06b9c57b1f1f14a1623738989",
"status": "affected",
"version": "506220d2ba21791314af569211ffd8870b8208fa",
"versionType": "git"
},
{
"lessThan": "72e544b1b28325fe78a4687b980871a7e4101f76",
"status": "affected",
"version": "506220d2ba21791314af569211ffd8870b8208fa",
"versionType": "git"
},
{
"status": "affected",
"version": "91d4f4d0d7bcd6abd9f9288ff40f4edc716f3d4b",
"versionType": "git"
},
{
"status": "affected",
"version": "eca93bf20f70e0f78c8c28720951942f61a49117",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/squashfs/xattr_id.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.306",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.273",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.232",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.306",
"versionStartIncluding": "4.14.222",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.273",
"versionStartIncluding": "4.19.176",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.232",
"versionStartIncluding": "5.4.98",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.168",
"versionStartIncluding": "5.10.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.258",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.258",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsquashfs: harden sanity check in squashfs_read_xattr_id_table\n\nWhile mounting a corrupted filesystem, a signed integer \u0027*xattr_ids\u0027 can\nbecome less than zero. This leads to the incorrect computation of \u0027len\u0027\nand \u0027indexes\u0027 values which can cause null-ptr-deref in copy_bio_to_actor()\nor out-of-bounds accesses in the next sanity checks inside\nsquashfs_read_xattr_id_table().\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:49:59.583Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cf5d6612092408157db6bb500c70bf6d67c40fbc"
},
{
"url": "https://git.kernel.org/stable/c/b30a74f83265c24d1d0842c6c3928cd2e775a3fb"
},
{
"url": "https://git.kernel.org/stable/c/db76fc535fbdfbf29fd0b93e49627537ad794c8c"
},
{
"url": "https://git.kernel.org/stable/c/de2785aa3448d1ee7be3ab47fd4a873025f1b3d7"
},
{
"url": "https://git.kernel.org/stable/c/b7398efe24a965cf3937b716c0b1011c201c5d6e"
},
{
"url": "https://git.kernel.org/stable/c/29e774dcb27116c06b9c57b1f1f14a1623738989"
},
{
"url": "https://git.kernel.org/stable/c/72e544b1b28325fe78a4687b980871a7e4101f76"
}
],
"title": "squashfs: harden sanity check in squashfs_read_xattr_id_table",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52979",
"datePublished": "2025-03-27T16:43:18.882Z",
"dateReserved": "2025-03-27T16:40:15.739Z",
"dateUpdated": "2025-05-04T12:49:59.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21878 (GCVE-0-2025-21878)
Vulnerability from cvelistv5
Published
2025-03-27 14:57
Modified
2025-05-04 07:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
i2c: npcm: disable interrupt enable bit before devm_request_irq
The customer reports that there is a soft lockup issue related to
the i2c driver. After checking, the i2c module was doing a tx transfer
and the bmc machine reboots in the middle of the i2c transaction, the i2c
module keeps the status without being reset.
Due to such an i2c module status, the i2c irq handler keeps getting
triggered since the i2c irq handler is registered in the kernel booting
process after the bmc machine is doing a warm rebooting.
The continuous triggering is stopped by the soft lockup watchdog timer.
Disable the interrupt enable bit in the i2c module before calling
devm_request_irq to fix this issue since the i2c relative status bit
is read-only.
Here is the soft lockup log.
[ 28.176395] watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [swapper/0:1]
[ 28.183351] Modules linked in:
[ 28.186407] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.120-yocto-s-dirty-bbebc78 #1
[ 28.201174] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 28.208128] pc : __do_softirq+0xb0/0x368
[ 28.212055] lr : __do_softirq+0x70/0x368
[ 28.215972] sp : ffffff8035ebca00
[ 28.219278] x29: ffffff8035ebca00 x28: 0000000000000002 x27: ffffff80071a3780
[ 28.226412] x26: ffffffc008bdc000 x25: ffffffc008bcc640 x24: ffffffc008be50c0
[ 28.233546] x23: ffffffc00800200c x22: 0000000000000000 x21: 000000000000001b
[ 28.240679] x20: 0000000000000000 x19: ffffff80001c3200 x18: ffffffffffffffff
[ 28.247812] x17: ffffffc02d2e0000 x16: ffffff8035eb8b40 x15: 00001e8480000000
[ 28.254945] x14: 02c3647e37dbfcb6 x13: 02c364f2ab14200c x12: 0000000002c364f2
[ 28.262078] x11: 00000000fa83b2da x10: 000000000000b67e x9 : ffffffc008010250
[ 28.269211] x8 : 000000009d983d00 x7 : 7fffffffffffffff x6 : 0000036d74732434
[ 28.276344] x5 : 00ffffffffffffff x4 : 0000000000000015 x3 : 0000000000000198
[ 28.283476] x2 : ffffffc02d2e0000 x1 : 00000000000000e0 x0 : ffffffc008bdcb40
[ 28.290611] Call trace:
[ 28.293052] __do_softirq+0xb0/0x368
[ 28.296625] __irq_exit_rcu+0xe0/0x100
[ 28.300374] irq_exit+0x14/0x20
[ 28.303513] handle_domain_irq+0x68/0x90
[ 28.307440] gic_handle_irq+0x78/0xb0
[ 28.311098] call_on_irq_stack+0x20/0x38
[ 28.315019] do_interrupt_handler+0x54/0x5c
[ 28.319199] el1_interrupt+0x2c/0x4c
[ 28.322777] el1h_64_irq_handler+0x14/0x20
[ 28.326872] el1h_64_irq+0x74/0x78
[ 28.330269] __setup_irq+0x454/0x780
[ 28.333841] request_threaded_irq+0xd0/0x1b4
[ 28.338107] devm_request_threaded_irq+0x84/0x100
[ 28.342809] npcm_i2c_probe_bus+0x188/0x3d0
[ 28.346990] platform_probe+0x6c/0xc4
[ 28.350653] really_probe+0xcc/0x45c
[ 28.354227] __driver_probe_device+0x8c/0x160
[ 28.358578] driver_probe_device+0x44/0xe0
[ 28.362670] __driver_attach+0x124/0x1d0
[ 28.366589] bus_for_each_dev+0x7c/0xe0
[ 28.370426] driver_attach+0x28/0x30
[ 28.373997] bus_add_driver+0x124/0x240
[ 28.377830] driver_register+0x7c/0x124
[ 28.381662] __platform_driver_register+0x2c/0x34
[ 28.386362] npcm_i2c_init+0x3c/0x5c
[ 28.389937] do_one_initcall+0x74/0x230
[ 28.393768] kernel_init_freeable+0x24c/0x2b4
[ 28.398126] kernel_init+0x28/0x130
[ 28.401614] ret_from_fork+0x10/0x20
[ 28.405189] Kernel panic - not syncing: softlockup: hung tasks
[ 28.411011] SMP: stopping secondary CPUs
[ 28.414933] Kernel Offset: disabled
[ 28.418412] CPU features: 0x00000000,00000802
[ 28.427644] Rebooting in 20 seconds..
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 56a1485b102ed1cd5a4af8e87ed794699fd1cad2 Version: 56a1485b102ed1cd5a4af8e87ed794699fd1cad2 Version: 56a1485b102ed1cd5a4af8e87ed794699fd1cad2 Version: 56a1485b102ed1cd5a4af8e87ed794699fd1cad2 Version: 56a1485b102ed1cd5a4af8e87ed794699fd1cad2 Version: 56a1485b102ed1cd5a4af8e87ed794699fd1cad2 Version: 56a1485b102ed1cd5a4af8e87ed794699fd1cad2 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-npcm7xx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f32d7b4dc6e791523c70e83049645dcba2a2aa33",
"status": "affected",
"version": "56a1485b102ed1cd5a4af8e87ed794699fd1cad2",
"versionType": "git"
},
{
"lessThan": "e3aea1dba97d31eceed7b622000af0406988b9c8",
"status": "affected",
"version": "56a1485b102ed1cd5a4af8e87ed794699fd1cad2",
"versionType": "git"
},
{
"lessThan": "545b563eb00d0576775da4011b3f7ffefc9e8c60",
"status": "affected",
"version": "56a1485b102ed1cd5a4af8e87ed794699fd1cad2",
"versionType": "git"
},
{
"lessThan": "1b267e1b87d52b16e7dfcc7ab2ab760f6f8f9ca9",
"status": "affected",
"version": "56a1485b102ed1cd5a4af8e87ed794699fd1cad2",
"versionType": "git"
},
{
"lessThan": "12d0e39916705b68d2d8ba20a8e35d1d27afc260",
"status": "affected",
"version": "56a1485b102ed1cd5a4af8e87ed794699fd1cad2",
"versionType": "git"
},
{
"lessThan": "846e371631c57365eeb89e5db1ab0f344169af93",
"status": "affected",
"version": "56a1485b102ed1cd5a4af8e87ed794699fd1cad2",
"versionType": "git"
},
{
"lessThan": "dd1998e243f5fa25d348a384ba0b6c84d980f2b2",
"status": "affected",
"version": "56a1485b102ed1cd5a4af8e87ed794699fd1cad2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-npcm7xx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.8"
},
{
"lessThan": "5.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.130",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.81",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.18",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.6",
"versionStartIncluding": "5.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: npcm: disable interrupt enable bit before devm_request_irq\n\nThe customer reports that there is a soft lockup issue related to\nthe i2c driver. After checking, the i2c module was doing a tx transfer\nand the bmc machine reboots in the middle of the i2c transaction, the i2c\nmodule keeps the status without being reset.\n\nDue to such an i2c module status, the i2c irq handler keeps getting\ntriggered since the i2c irq handler is registered in the kernel booting\nprocess after the bmc machine is doing a warm rebooting.\nThe continuous triggering is stopped by the soft lockup watchdog timer.\n\nDisable the interrupt enable bit in the i2c module before calling\ndevm_request_irq to fix this issue since the i2c relative status bit\nis read-only.\n\nHere is the soft lockup log.\n[ 28.176395] watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [swapper/0:1]\n[ 28.183351] Modules linked in:\n[ 28.186407] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.120-yocto-s-dirty-bbebc78 #1\n[ 28.201174] pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 28.208128] pc : __do_softirq+0xb0/0x368\n[ 28.212055] lr : __do_softirq+0x70/0x368\n[ 28.215972] sp : ffffff8035ebca00\n[ 28.219278] x29: ffffff8035ebca00 x28: 0000000000000002 x27: ffffff80071a3780\n[ 28.226412] x26: ffffffc008bdc000 x25: ffffffc008bcc640 x24: ffffffc008be50c0\n[ 28.233546] x23: ffffffc00800200c x22: 0000000000000000 x21: 000000000000001b\n[ 28.240679] x20: 0000000000000000 x19: ffffff80001c3200 x18: ffffffffffffffff\n[ 28.247812] x17: ffffffc02d2e0000 x16: ffffff8035eb8b40 x15: 00001e8480000000\n[ 28.254945] x14: 02c3647e37dbfcb6 x13: 02c364f2ab14200c x12: 0000000002c364f2\n[ 28.262078] x11: 00000000fa83b2da x10: 000000000000b67e x9 : ffffffc008010250\n[ 28.269211] x8 : 000000009d983d00 x7 : 7fffffffffffffff x6 : 0000036d74732434\n[ 28.276344] x5 : 00ffffffffffffff x4 : 0000000000000015 x3 : 0000000000000198\n[ 28.283476] x2 : ffffffc02d2e0000 x1 : 00000000000000e0 x0 : ffffffc008bdcb40\n[ 28.290611] Call trace:\n[ 28.293052] __do_softirq+0xb0/0x368\n[ 28.296625] __irq_exit_rcu+0xe0/0x100\n[ 28.300374] irq_exit+0x14/0x20\n[ 28.303513] handle_domain_irq+0x68/0x90\n[ 28.307440] gic_handle_irq+0x78/0xb0\n[ 28.311098] call_on_irq_stack+0x20/0x38\n[ 28.315019] do_interrupt_handler+0x54/0x5c\n[ 28.319199] el1_interrupt+0x2c/0x4c\n[ 28.322777] el1h_64_irq_handler+0x14/0x20\n[ 28.326872] el1h_64_irq+0x74/0x78\n[ 28.330269] __setup_irq+0x454/0x780\n[ 28.333841] request_threaded_irq+0xd0/0x1b4\n[ 28.338107] devm_request_threaded_irq+0x84/0x100\n[ 28.342809] npcm_i2c_probe_bus+0x188/0x3d0\n[ 28.346990] platform_probe+0x6c/0xc4\n[ 28.350653] really_probe+0xcc/0x45c\n[ 28.354227] __driver_probe_device+0x8c/0x160\n[ 28.358578] driver_probe_device+0x44/0xe0\n[ 28.362670] __driver_attach+0x124/0x1d0\n[ 28.366589] bus_for_each_dev+0x7c/0xe0\n[ 28.370426] driver_attach+0x28/0x30\n[ 28.373997] bus_add_driver+0x124/0x240\n[ 28.377830] driver_register+0x7c/0x124\n[ 28.381662] __platform_driver_register+0x2c/0x34\n[ 28.386362] npcm_i2c_init+0x3c/0x5c\n[ 28.389937] do_one_initcall+0x74/0x230\n[ 28.393768] kernel_init_freeable+0x24c/0x2b4\n[ 28.398126] kernel_init+0x28/0x130\n[ 28.401614] ret_from_fork+0x10/0x20\n[ 28.405189] Kernel panic - not syncing: softlockup: hung tasks\n[ 28.411011] SMP: stopping secondary CPUs\n[ 28.414933] Kernel Offset: disabled\n[ 28.418412] CPU features: 0x00000000,00000802\n[ 28.427644] Rebooting in 20 seconds.."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:23:10.371Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f32d7b4dc6e791523c70e83049645dcba2a2aa33"
},
{
"url": "https://git.kernel.org/stable/c/e3aea1dba97d31eceed7b622000af0406988b9c8"
},
{
"url": "https://git.kernel.org/stable/c/545b563eb00d0576775da4011b3f7ffefc9e8c60"
},
{
"url": "https://git.kernel.org/stable/c/1b267e1b87d52b16e7dfcc7ab2ab760f6f8f9ca9"
},
{
"url": "https://git.kernel.org/stable/c/12d0e39916705b68d2d8ba20a8e35d1d27afc260"
},
{
"url": "https://git.kernel.org/stable/c/846e371631c57365eeb89e5db1ab0f344169af93"
},
{
"url": "https://git.kernel.org/stable/c/dd1998e243f5fa25d348a384ba0b6c84d980f2b2"
}
],
"title": "i2c: npcm: disable interrupt enable bit before devm_request_irq",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21878",
"datePublished": "2025-03-27T14:57:08.155Z",
"dateReserved": "2024-12-29T08:45:45.782Z",
"dateUpdated": "2025-05-04T07:23:10.371Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52930 (GCVE-0-2023-52930)
Vulnerability from cvelistv5
Published
2025-03-27 16:37
Modified
2025-05-04 07:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915: Fix potential bit_17 double-free
A userspace with multiple threads racing I915_GEM_SET_TILING to set the
tiling to I915_TILING_NONE could trigger a double free of the bit_17
bitmask. (Or conversely leak memory on the transition to tiled.) Move
allocation/free'ing of the bitmask within the section protected by the
obj lock.
[tursulin: Correct fixes tag and added cc stable.]
(cherry picked from commit 10e0cbaaf1104f449d695c80bcacf930dcd3c42e)
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gem/i915_gem_tiling.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b591abac78e25269b12e3d7170c99463f8c5cb02",
"status": "affected",
"version": "2850748ef8763ab46958e43a4d1c445f29eeb37d",
"versionType": "git"
},
{
"lessThan": "e3ebc3e23bd9028a8a9a26cbc5985f99be445f65",
"status": "affected",
"version": "2850748ef8763ab46958e43a4d1c445f29eeb37d",
"versionType": "git"
},
{
"lessThan": "0769f997a7b6d5cb8336db0b4ec3d2d311b8097c",
"status": "affected",
"version": "2850748ef8763ab46958e43a4d1c445f29eeb37d",
"versionType": "git"
},
{
"lessThan": "7057a8f126f14f14b040faecfa220fd27c6c2f85",
"status": "affected",
"version": "2850748ef8763ab46958e43a4d1c445f29eeb37d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gem/i915_gem_tiling.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.168",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Fix potential bit_17 double-free\n\nA userspace with multiple threads racing I915_GEM_SET_TILING to set the\ntiling to I915_TILING_NONE could trigger a double free of the bit_17\nbitmask. (Or conversely leak memory on the transition to tiled.) Move\nallocation/free\u0027ing of the bitmask within the section protected by the\nobj lock.\n\n[tursulin: Correct fixes tag and added cc stable.]\n(cherry picked from commit 10e0cbaaf1104f449d695c80bcacf930dcd3c42e)"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:46:14.069Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b591abac78e25269b12e3d7170c99463f8c5cb02"
},
{
"url": "https://git.kernel.org/stable/c/e3ebc3e23bd9028a8a9a26cbc5985f99be445f65"
},
{
"url": "https://git.kernel.org/stable/c/0769f997a7b6d5cb8336db0b4ec3d2d311b8097c"
},
{
"url": "https://git.kernel.org/stable/c/7057a8f126f14f14b040faecfa220fd27c6c2f85"
}
],
"title": "drm/i915: Fix potential bit_17 double-free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52930",
"datePublished": "2025-03-27T16:37:12.302Z",
"dateReserved": "2024-08-21T06:07:11.019Z",
"dateUpdated": "2025-05-04T07:46:14.069Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49761 (GCVE-0-2022-49761)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: always report error in run_one_delayed_ref()
Currently we have a btrfs_debug() for run_one_delayed_ref() failure, but
if end users hit such problem, there will be no chance that
btrfs_debug() is enabled. This can lead to very little useful info for
debugging.
This patch will:
- Add extra info for error reporting
Including:
* logical bytenr
* num_bytes
* type
* action
* ref_mod
- Replace the btrfs_debug() with btrfs_err()
- Move the error reporting into run_one_delayed_ref()
This is to avoid use-after-free, the @node can be freed in the caller.
This error should only be triggered at most once.
As if run_one_delayed_ref() failed, we trigger the error message, then
causing the call chain to error out:
btrfs_run_delayed_refs()
`- btrfs_run_delayed_refs()
`- btrfs_run_delayed_refs_for_head()
`- run_one_delayed_ref()
And we will abort the current transaction in btrfs_run_delayed_refs().
If we have to run delayed refs for the abort transaction,
run_one_delayed_ref() will just cleanup the refs and do nothing, thus no
new error messages would be output.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49761",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-28T15:20:30.780085Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T15:21:57.235Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/extent-tree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "18bd1c9c02e64a3567f90c83c2c8b855531c8098",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "fdb4a70bb768d2a87890409597529ad81cb3de8a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "853ffa1511b058c79a4c9bb1407b3b20ce311792",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "39f501d68ec1ed5cd5c66ac6ec2a7131c517bb92",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/extent-tree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.165",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.90",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: always report error in run_one_delayed_ref()\n\nCurrently we have a btrfs_debug() for run_one_delayed_ref() failure, but\nif end users hit such problem, there will be no chance that\nbtrfs_debug() is enabled. This can lead to very little useful info for\ndebugging.\n\nThis patch will:\n\n- Add extra info for error reporting\n Including:\n * logical bytenr\n * num_bytes\n * type\n * action\n * ref_mod\n\n- Replace the btrfs_debug() with btrfs_err()\n\n- Move the error reporting into run_one_delayed_ref()\n This is to avoid use-after-free, the @node can be freed in the caller.\n\nThis error should only be triggered at most once.\n\nAs if run_one_delayed_ref() failed, we trigger the error message, then\ncausing the call chain to error out:\n\nbtrfs_run_delayed_refs()\n`- btrfs_run_delayed_refs()\n `- btrfs_run_delayed_refs_for_head()\n `- run_one_delayed_ref()\n\nAnd we will abort the current transaction in btrfs_run_delayed_refs().\nIf we have to run delayed refs for the abort transaction,\nrun_one_delayed_ref() will just cleanup the refs and do nothing, thus no\nnew error messages would be output."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:49.588Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/18bd1c9c02e64a3567f90c83c2c8b855531c8098"
},
{
"url": "https://git.kernel.org/stable/c/fdb4a70bb768d2a87890409597529ad81cb3de8a"
},
{
"url": "https://git.kernel.org/stable/c/853ffa1511b058c79a4c9bb1407b3b20ce311792"
},
{
"url": "https://git.kernel.org/stable/c/39f501d68ec1ed5cd5c66ac6ec2a7131c517bb92"
}
],
"title": "btrfs: always report error in run_one_delayed_ref()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49761",
"datePublished": "2025-03-27T16:43:07.633Z",
"dateReserved": "2025-03-27T16:39:17.990Z",
"dateUpdated": "2025-05-04T08:44:49.588Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52997 (GCVE-0-2023-52997)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv4: prevent potential spectre v1 gadget in ip_metrics_convert()
if (!type)
continue;
if (type > RTAX_MAX)
return -EINVAL;
...
metrics[type - 1] = val;
@type being used as an array index, we need to prevent
cpu speculation or risk leaking kernel memory content.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 6cf9dfd3bd62edfff69f11c0f111bc261166e4c7 Version: 6cf9dfd3bd62edfff69f11c0f111bc261166e4c7 Version: 6cf9dfd3bd62edfff69f11c0f111bc261166e4c7 Version: 6cf9dfd3bd62edfff69f11c0f111bc261166e4c7 Version: 6cf9dfd3bd62edfff69f11c0f111bc261166e4c7 Version: 6cf9dfd3bd62edfff69f11c0f111bc261166e4c7 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv4/metrics.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ef050cf5fb70d995a0d03244e25179b7c66a924a",
"status": "affected",
"version": "6cf9dfd3bd62edfff69f11c0f111bc261166e4c7",
"versionType": "git"
},
{
"lessThan": "746db9ec1e672eee13965625ddac0d97e16fa20c",
"status": "affected",
"version": "6cf9dfd3bd62edfff69f11c0f111bc261166e4c7",
"versionType": "git"
},
{
"lessThan": "34c6142f0df9cd75cba5a7aa9df0960d2854b415",
"status": "affected",
"version": "6cf9dfd3bd62edfff69f11c0f111bc261166e4c7",
"versionType": "git"
},
{
"lessThan": "d50e7348b44f1e046121ff5be01b7fb6978a1149",
"status": "affected",
"version": "6cf9dfd3bd62edfff69f11c0f111bc261166e4c7",
"versionType": "git"
},
{
"lessThan": "6850fe301d015a7d2012d1de8caf43dafb7cc2f6",
"status": "affected",
"version": "6cf9dfd3bd62edfff69f11c0f111bc261166e4c7",
"versionType": "git"
},
{
"lessThan": "1d1d63b612801b3f0a39b7d4467cad0abd60e5c8",
"status": "affected",
"version": "6cf9dfd3bd62edfff69f11c0f111bc261166e4c7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv4/metrics.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.3"
},
{
"lessThan": "4.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.272",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.272",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: prevent potential spectre v1 gadget in ip_metrics_convert()\n\nif (!type)\n\t\tcontinue;\n\tif (type \u003e RTAX_MAX)\n\t\treturn -EINVAL;\n\t...\n\tmetrics[type - 1] = val;\n\n@type being used as an array index, we need to prevent\ncpu speculation or risk leaking kernel memory content."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:11.359Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ef050cf5fb70d995a0d03244e25179b7c66a924a"
},
{
"url": "https://git.kernel.org/stable/c/746db9ec1e672eee13965625ddac0d97e16fa20c"
},
{
"url": "https://git.kernel.org/stable/c/34c6142f0df9cd75cba5a7aa9df0960d2854b415"
},
{
"url": "https://git.kernel.org/stable/c/d50e7348b44f1e046121ff5be01b7fb6978a1149"
},
{
"url": "https://git.kernel.org/stable/c/6850fe301d015a7d2012d1de8caf43dafb7cc2f6"
},
{
"url": "https://git.kernel.org/stable/c/1d1d63b612801b3f0a39b7d4467cad0abd60e5c8"
}
],
"title": "ipv4: prevent potential spectre v1 gadget in ip_metrics_convert()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52997",
"datePublished": "2025-03-27T16:43:31.164Z",
"dateReserved": "2025-03-27T16:40:15.742Z",
"dateUpdated": "2025-05-04T07:47:11.359Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52976 (GCVE-0-2023-52976)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 12:49
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
efi: fix potential NULL deref in efi_mem_reserve_persistent
When iterating on a linked list, a result of memremap is dereferenced
without checking it for NULL.
This patch adds a check that falls back on allocating a new page in
case memremap doesn't succeed.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
[ardb: return -ENOMEM instead of breaking out of the loop]
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 18df7577adae6c6c778bf774b3aebcacbc1fb439 Version: 18df7577adae6c6c778bf774b3aebcacbc1fb439 Version: 18df7577adae6c6c778bf774b3aebcacbc1fb439 Version: 18df7577adae6c6c778bf774b3aebcacbc1fb439 Version: 18df7577adae6c6c778bf774b3aebcacbc1fb439 Version: b5961ecad7121fec138ebee7d9eba4863f9dc6e7 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/firmware/efi/efi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d92a25627bcdf264183670da73c9a60c0bac327e",
"status": "affected",
"version": "18df7577adae6c6c778bf774b3aebcacbc1fb439",
"versionType": "git"
},
{
"lessThan": "87d4ff18738fd71e7e3c10827c80257da6283697",
"status": "affected",
"version": "18df7577adae6c6c778bf774b3aebcacbc1fb439",
"versionType": "git"
},
{
"lessThan": "d8fc0b5fb3e816a4a8684bcd3ed02cbef0fce23c",
"status": "affected",
"version": "18df7577adae6c6c778bf774b3aebcacbc1fb439",
"versionType": "git"
},
{
"lessThan": "a2e6a9ff89f13666a1c3ff7195612ab949ea9afc",
"status": "affected",
"version": "18df7577adae6c6c778bf774b3aebcacbc1fb439",
"versionType": "git"
},
{
"lessThan": "966d47e1f27c45507c5df82b2a2157e5a4fd3909",
"status": "affected",
"version": "18df7577adae6c6c778bf774b3aebcacbc1fb439",
"versionType": "git"
},
{
"status": "affected",
"version": "b5961ecad7121fec138ebee7d9eba4863f9dc6e7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/firmware/efi/efi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.232",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.232",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.168",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.1.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi: fix potential NULL deref in efi_mem_reserve_persistent\n\nWhen iterating on a linked list, a result of memremap is dereferenced\nwithout checking it for NULL.\n\nThis patch adds a check that falls back on allocating a new page in\ncase memremap doesn\u0027t succeed.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n[ardb: return -ENOMEM instead of breaking out of the loop]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:49:57.192Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d92a25627bcdf264183670da73c9a60c0bac327e"
},
{
"url": "https://git.kernel.org/stable/c/87d4ff18738fd71e7e3c10827c80257da6283697"
},
{
"url": "https://git.kernel.org/stable/c/d8fc0b5fb3e816a4a8684bcd3ed02cbef0fce23c"
},
{
"url": "https://git.kernel.org/stable/c/a2e6a9ff89f13666a1c3ff7195612ab949ea9afc"
},
{
"url": "https://git.kernel.org/stable/c/966d47e1f27c45507c5df82b2a2157e5a4fd3909"
}
],
"title": "efi: fix potential NULL deref in efi_mem_reserve_persistent",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52976",
"datePublished": "2025-03-27T16:43:16.596Z",
"dateReserved": "2025-03-27T16:40:15.738Z",
"dateUpdated": "2025-05-04T12:49:57.192Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49746 (GCVE-0-2022-49746)
Vulnerability from cvelistv5
Published
2025-03-27 16:42
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: imx-sdma: Fix a possible memory leak in sdma_transfer_init
If the function sdma_load_context() fails, the sdma_desc will be
freed, but the allocated desc->bd is forgot to be freed.
We already met the sdma_load_context() failure case and the log as
below:
[ 450.699064] imx-sdma 30bd0000.dma-controller: Timeout waiting for CH0 ready
...
In this case, the desc->bd will not be freed without this change.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/imx-sdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "80ee99e52936b2c04cc37b17a14b2ae2f9d282ac",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "dbe634ce824329d8f14079c3e9f8f11670894bec",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "bd0050b7ffa87c7b260d563646af612f4112a778",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "43acd767bd90c5d4172ce7fee5d9007a9a08dea9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "ce4745a6b8016fae74c95dcd457d4ceef7d98af1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1417f59ac0b02130ee56c0c50794b9b257be3d17",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/imx-sdma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.272",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.272",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.167",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: imx-sdma: Fix a possible memory leak in sdma_transfer_init\n\nIf the function sdma_load_context() fails, the sdma_desc will be\nfreed, but the allocated desc-\u003ebd is forgot to be freed.\n\nWe already met the sdma_load_context() failure case and the log as\nbelow:\n[ 450.699064] imx-sdma 30bd0000.dma-controller: Timeout waiting for CH0 ready\n...\n\nIn this case, the desc-\u003ebd will not be freed without this change."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:29.880Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/80ee99e52936b2c04cc37b17a14b2ae2f9d282ac"
},
{
"url": "https://git.kernel.org/stable/c/dbe634ce824329d8f14079c3e9f8f11670894bec"
},
{
"url": "https://git.kernel.org/stable/c/bd0050b7ffa87c7b260d563646af612f4112a778"
},
{
"url": "https://git.kernel.org/stable/c/43acd767bd90c5d4172ce7fee5d9007a9a08dea9"
},
{
"url": "https://git.kernel.org/stable/c/ce4745a6b8016fae74c95dcd457d4ceef7d98af1"
},
{
"url": "https://git.kernel.org/stable/c/1417f59ac0b02130ee56c0c50794b9b257be3d17"
}
],
"title": "dmaengine: imx-sdma: Fix a possible memory leak in sdma_transfer_init",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49746",
"datePublished": "2025-03-27T16:42:56.372Z",
"dateReserved": "2025-03-27T16:39:17.987Z",
"dateUpdated": "2025-05-04T08:44:29.880Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52990 (GCVE-0-2023-52990)
Vulnerability from cvelistv5
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Show details on NVD website{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2025-04-01T14:49:30.437Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"rejectedReasons": [
{
"lang": "en",
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52990",
"datePublished": "2025-03-27T16:43:26.329Z",
"dateRejected": "2025-04-01T14:49:30.437Z",
"dateReserved": "2025-03-27T16:40:15.741Z",
"dateUpdated": "2025-04-01T14:49:30.437Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52935 (GCVE-0-2023-52935)
Vulnerability from cvelistv5
Published
2025-03-27 16:37
Modified
2025-05-04 07:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/khugepaged: fix ->anon_vma race
If an ->anon_vma is attached to the VMA, collapse_and_free_pmd() requires
it to be locked.
Page table traversal is allowed under any one of the mmap lock, the
anon_vma lock (if the VMA is associated with an anon_vma), and the
mapping lock (if the VMA is associated with a mapping); and so to be
able to remove page tables, we must hold all three of them.
retract_page_tables() bails out if an ->anon_vma is attached, but does
this check before holding the mmap lock (as the comment above the check
explains).
If we racily merged an existing ->anon_vma (shared with a child
process) from a neighboring VMA, subsequent rmap traversals on pages
belonging to the child will be able to see the page tables that we are
concurrently removing while assuming that nothing else can access them.
Repeat the ->anon_vma check once we hold the mmap lock to ensure that
there really is no concurrent page table access.
Hitting this bug causes a lockdep warning in collapse_and_free_pmd(),
in the line "lockdep_assert_held_write(&vma->anon_vma->root->rwsem)".
It can also lead to use-after-free access.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-52935",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-28T15:22:40.271006Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T15:31:59.667Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/khugepaged.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "acb08187b5a83cdb9ac4112fae9e18cf983b0128",
"status": "affected",
"version": "f3f0e1d2150b2b99da2cbdfaad000089efe9bf30",
"versionType": "git"
},
{
"lessThan": "023f47a8250c6bdb4aebe744db4bf7f73414028b",
"status": "affected",
"version": "f3f0e1d2150b2b99da2cbdfaad000089efe9bf30",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/khugepaged.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/khugepaged: fix -\u003eanon_vma race\n\nIf an -\u003eanon_vma is attached to the VMA, collapse_and_free_pmd() requires\nit to be locked.\n\nPage table traversal is allowed under any one of the mmap lock, the\nanon_vma lock (if the VMA is associated with an anon_vma), and the\nmapping lock (if the VMA is associated with a mapping); and so to be\nable to remove page tables, we must hold all three of them. \nretract_page_tables() bails out if an -\u003eanon_vma is attached, but does\nthis check before holding the mmap lock (as the comment above the check\nexplains).\n\nIf we racily merged an existing -\u003eanon_vma (shared with a child\nprocess) from a neighboring VMA, subsequent rmap traversals on pages\nbelonging to the child will be able to see the page tables that we are\nconcurrently removing while assuming that nothing else can access them.\n\nRepeat the -\u003eanon_vma check once we hold the mmap lock to ensure that\nthere really is no concurrent page table access.\n\nHitting this bug causes a lockdep warning in collapse_and_free_pmd(),\nin the line \"lockdep_assert_held_write(\u0026vma-\u003eanon_vma-\u003eroot-\u003erwsem)\". \nIt can also lead to use-after-free access."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:46:20.196Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/acb08187b5a83cdb9ac4112fae9e18cf983b0128"
},
{
"url": "https://git.kernel.org/stable/c/023f47a8250c6bdb4aebe744db4bf7f73414028b"
}
],
"title": "mm/khugepaged: fix -\u003eanon_vma race",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52935",
"datePublished": "2025-03-27T16:37:15.505Z",
"dateReserved": "2024-08-21T06:07:11.020Z",
"dateUpdated": "2025-05-04T07:46:20.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52985 (GCVE-0-2023-52985)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64: dts: imx8mm-verdin: Do not power down eth-phy
Currently if suspending using either freeze or memory state, the fec
driver tries to power down the phy which leads to crash of the kernel
and non-responsible kernel with the following call trace:
[ 24.839889 ] Call trace:
[ 24.839892 ] phy_error+0x18/0x60
[ 24.839898 ] kszphy_handle_interrupt+0x6c/0x80
[ 24.839903 ] phy_interrupt+0x20/0x2c
[ 24.839909 ] irq_thread_fn+0x30/0xa0
[ 24.839919 ] irq_thread+0x178/0x2c0
[ 24.839925 ] kthread+0x154/0x160
[ 24.839932 ] ret_from_fork+0x10/0x20
Since there is currently no functionality in the phy subsystem to power
down phys let's just disable the feature of powering-down the ethernet
phy.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0bdd5a7b517f16fdffc444be6516c45788548d08",
"status": "affected",
"version": "6a57f224f7346c8d23596f2ef1ce360669926f54",
"versionType": "git"
},
{
"lessThan": "39c95d0c357d7ef76aea958c1bece6b24f9b2e7e",
"status": "affected",
"version": "6a57f224f7346c8d23596f2ef1ce360669926f54",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/arm64/boot/dts/freescale/imx8mm-verdin.dtsi"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: dts: imx8mm-verdin: Do not power down eth-phy\n\nCurrently if suspending using either freeze or memory state, the fec\ndriver tries to power down the phy which leads to crash of the kernel\nand non-responsible kernel with the following call trace:\n\n[ 24.839889 ] Call trace:\n[ 24.839892 ] phy_error+0x18/0x60\n[ 24.839898 ] kszphy_handle_interrupt+0x6c/0x80\n[ 24.839903 ] phy_interrupt+0x20/0x2c\n[ 24.839909 ] irq_thread_fn+0x30/0xa0\n[ 24.839919 ] irq_thread+0x178/0x2c0\n[ 24.839925 ] kthread+0x154/0x160\n[ 24.839932 ] ret_from_fork+0x10/0x20\n\nSince there is currently no functionality in the phy subsystem to power\ndown phys let\u0027s just disable the feature of powering-down the ethernet\nphy."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:46:56.701Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0bdd5a7b517f16fdffc444be6516c45788548d08"
},
{
"url": "https://git.kernel.org/stable/c/39c95d0c357d7ef76aea958c1bece6b24f9b2e7e"
}
],
"title": "arm64: dts: imx8mm-verdin: Do not power down eth-phy",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52985",
"datePublished": "2025-03-27T16:43:22.975Z",
"dateReserved": "2025-03-27T16:40:15.741Z",
"dateUpdated": "2025-05-04T07:46:56.701Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49759 (GCVE-0-2022-49759)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
VMCI: Use threaded irqs instead of tasklets
The vmci_dispatch_dgs() tasklet function calls vmci_read_data()
which uses wait_event() resulting in invalid sleep in an atomic
context (and therefore potentially in a deadlock).
Use threaded irqs to fix this issue and completely remove usage
of tasklets.
[ 20.264639] BUG: sleeping function called from invalid context at drivers/misc/vmw_vmci/vmci_guest.c:145
[ 20.264643] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 762, name: vmtoolsd
[ 20.264645] preempt_count: 101, expected: 0
[ 20.264646] RCU nest depth: 0, expected: 0
[ 20.264647] 1 lock held by vmtoolsd/762:
[ 20.264648] #0: ffff0000874ae440 (sk_lock-AF_VSOCK){+.+.}-{0:0}, at: vsock_connect+0x60/0x330 [vsock]
[ 20.264658] Preemption disabled at:
[ 20.264659] [<ffff80000151d7d8>] vmci_send_datagram+0x44/0xa0 [vmw_vmci]
[ 20.264665] CPU: 0 PID: 762 Comm: vmtoolsd Not tainted 5.19.0-0.rc8.20220727git39c3c396f813.60.fc37.aarch64 #1
[ 20.264667] Hardware name: VMware, Inc. VBSA/VBSA, BIOS VEFI 12/31/2020
[ 20.264668] Call trace:
[ 20.264669] dump_backtrace+0xc4/0x130
[ 20.264672] show_stack+0x24/0x80
[ 20.264673] dump_stack_lvl+0x88/0xb4
[ 20.264676] dump_stack+0x18/0x34
[ 20.264677] __might_resched+0x1a0/0x280
[ 20.264679] __might_sleep+0x58/0x90
[ 20.264681] vmci_read_data+0x74/0x120 [vmw_vmci]
[ 20.264683] vmci_dispatch_dgs+0x64/0x204 [vmw_vmci]
[ 20.264686] tasklet_action_common.constprop.0+0x13c/0x150
[ 20.264688] tasklet_action+0x40/0x50
[ 20.264689] __do_softirq+0x23c/0x6b4
[ 20.264690] __irq_exit_rcu+0x104/0x214
[ 20.264691] irq_exit_rcu+0x1c/0x50
[ 20.264693] el1_interrupt+0x38/0x6c
[ 20.264695] el1h_64_irq_handler+0x18/0x24
[ 20.264696] el1h_64_irq+0x68/0x6c
[ 20.264697] preempt_count_sub+0xa4/0xe0
[ 20.264698] _raw_spin_unlock_irqrestore+0x64/0xb0
[ 20.264701] vmci_send_datagram+0x7c/0xa0 [vmw_vmci]
[ 20.264703] vmci_datagram_dispatch+0x84/0x100 [vmw_vmci]
[ 20.264706] vmci_datagram_send+0x2c/0x40 [vmw_vmci]
[ 20.264709] vmci_transport_send_control_pkt+0xb8/0x120 [vmw_vsock_vmci_transport]
[ 20.264711] vmci_transport_connect+0x40/0x7c [vmw_vsock_vmci_transport]
[ 20.264713] vsock_connect+0x278/0x330 [vsock]
[ 20.264715] __sys_connect_file+0x8c/0xc0
[ 20.264718] __sys_connect+0x84/0xb4
[ 20.264720] __arm64_sys_connect+0x2c/0x3c
[ 20.264721] invoke_syscall+0x78/0x100
[ 20.264723] el0_svc_common.constprop.0+0x68/0x124
[ 20.264724] do_el0_svc+0x38/0x4c
[ 20.264725] el0_svc+0x60/0x180
[ 20.264726] el0t_64_sync_handler+0x11c/0x150
[ 20.264728] el0t_64_sync+0x190/0x194
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/misc/vmw_vmci/vmci_guest.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "548ea9dd5e01b0ecf53d2563004c80abd636743d",
"status": "affected",
"version": "463713eb6164b6577f8e91447c7745628215531b",
"versionType": "git"
},
{
"lessThan": "3daed6345d5880464f46adab871d208e1baa2f3a",
"status": "affected",
"version": "463713eb6164b6577f8e91447c7745628215531b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/misc/vmw_vmci/vmci_guest.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.8",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nVMCI: Use threaded irqs instead of tasklets\n\nThe vmci_dispatch_dgs() tasklet function calls vmci_read_data()\nwhich uses wait_event() resulting in invalid sleep in an atomic\ncontext (and therefore potentially in a deadlock).\n\nUse threaded irqs to fix this issue and completely remove usage\nof tasklets.\n\n[ 20.264639] BUG: sleeping function called from invalid context at drivers/misc/vmw_vmci/vmci_guest.c:145\n[ 20.264643] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 762, name: vmtoolsd\n[ 20.264645] preempt_count: 101, expected: 0\n[ 20.264646] RCU nest depth: 0, expected: 0\n[ 20.264647] 1 lock held by vmtoolsd/762:\n[ 20.264648] #0: ffff0000874ae440 (sk_lock-AF_VSOCK){+.+.}-{0:0}, at: vsock_connect+0x60/0x330 [vsock]\n[ 20.264658] Preemption disabled at:\n[ 20.264659] [\u003cffff80000151d7d8\u003e] vmci_send_datagram+0x44/0xa0 [vmw_vmci]\n[ 20.264665] CPU: 0 PID: 762 Comm: vmtoolsd Not tainted 5.19.0-0.rc8.20220727git39c3c396f813.60.fc37.aarch64 #1\n[ 20.264667] Hardware name: VMware, Inc. VBSA/VBSA, BIOS VEFI 12/31/2020\n[ 20.264668] Call trace:\n[ 20.264669] dump_backtrace+0xc4/0x130\n[ 20.264672] show_stack+0x24/0x80\n[ 20.264673] dump_stack_lvl+0x88/0xb4\n[ 20.264676] dump_stack+0x18/0x34\n[ 20.264677] __might_resched+0x1a0/0x280\n[ 20.264679] __might_sleep+0x58/0x90\n[ 20.264681] vmci_read_data+0x74/0x120 [vmw_vmci]\n[ 20.264683] vmci_dispatch_dgs+0x64/0x204 [vmw_vmci]\n[ 20.264686] tasklet_action_common.constprop.0+0x13c/0x150\n[ 20.264688] tasklet_action+0x40/0x50\n[ 20.264689] __do_softirq+0x23c/0x6b4\n[ 20.264690] __irq_exit_rcu+0x104/0x214\n[ 20.264691] irq_exit_rcu+0x1c/0x50\n[ 20.264693] el1_interrupt+0x38/0x6c\n[ 20.264695] el1h_64_irq_handler+0x18/0x24\n[ 20.264696] el1h_64_irq+0x68/0x6c\n[ 20.264697] preempt_count_sub+0xa4/0xe0\n[ 20.264698] _raw_spin_unlock_irqrestore+0x64/0xb0\n[ 20.264701] vmci_send_datagram+0x7c/0xa0 [vmw_vmci]\n[ 20.264703] vmci_datagram_dispatch+0x84/0x100 [vmw_vmci]\n[ 20.264706] vmci_datagram_send+0x2c/0x40 [vmw_vmci]\n[ 20.264709] vmci_transport_send_control_pkt+0xb8/0x120 [vmw_vsock_vmci_transport]\n[ 20.264711] vmci_transport_connect+0x40/0x7c [vmw_vsock_vmci_transport]\n[ 20.264713] vsock_connect+0x278/0x330 [vsock]\n[ 20.264715] __sys_connect_file+0x8c/0xc0\n[ 20.264718] __sys_connect+0x84/0xb4\n[ 20.264720] __arm64_sys_connect+0x2c/0x3c\n[ 20.264721] invoke_syscall+0x78/0x100\n[ 20.264723] el0_svc_common.constprop.0+0x68/0x124\n[ 20.264724] do_el0_svc+0x38/0x4c\n[ 20.264725] el0_svc+0x60/0x180\n[ 20.264726] el0t_64_sync_handler+0x11c/0x150\n[ 20.264728] el0t_64_sync+0x190/0x194"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:47.306Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/548ea9dd5e01b0ecf53d2563004c80abd636743d"
},
{
"url": "https://git.kernel.org/stable/c/3daed6345d5880464f46adab871d208e1baa2f3a"
}
],
"title": "VMCI: Use threaded irqs instead of tasklets",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49759",
"datePublished": "2025-03-27T16:43:06.197Z",
"dateReserved": "2025-03-27T16:39:17.990Z",
"dateUpdated": "2025-05-04T08:44:47.306Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52989 (GCVE-0-2023-52989)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region
This patch is fix for Linux kernel v2.6.33 or later.
For request subaction to IEC 61883-1 FCP region, Linux FireWire subsystem
have had an issue of use-after-free. The subsystem allows multiple
user space listeners to the region, while data of the payload was likely
released before the listeners execute read(2) to access to it for copying
to user space.
The issue was fixed by a commit 281e20323ab7 ("firewire: core: fix
use-after-free regression in FCP handler"). The object of payload is
duplicated in kernel space for each listener. When the listener executes
ioctl(2) with FW_CDEV_IOC_SEND_RESPONSE request, the object is going to
be released.
However, it causes memory leak since the commit relies on call of
release_request() in drivers/firewire/core-cdev.c. Against the
expectation, the function is never called due to the design of
release_client_resource(). The function delegates release task
to caller when called with non-NULL fourth argument. The implementation
of ioctl_send_response() is the case. It should release the object
explicitly.
This commit fixes the bug.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 281e20323ab72180137824a298ee9e21e6f9acf6 Version: 281e20323ab72180137824a298ee9e21e6f9acf6 Version: 281e20323ab72180137824a298ee9e21e6f9acf6 Version: 281e20323ab72180137824a298ee9e21e6f9acf6 Version: 281e20323ab72180137824a298ee9e21e6f9acf6 Version: 281e20323ab72180137824a298ee9e21e6f9acf6 Version: 281e20323ab72180137824a298ee9e21e6f9acf6 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/firewire/core-cdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b2cd3947d116bb9ba7ff097b5fc747a8956764db",
"status": "affected",
"version": "281e20323ab72180137824a298ee9e21e6f9acf6",
"versionType": "git"
},
{
"lessThan": "356ff89acdbe6a66019154bc7eb2d300f5b15103",
"status": "affected",
"version": "281e20323ab72180137824a298ee9e21e6f9acf6",
"versionType": "git"
},
{
"lessThan": "53785fd9b315583cf029e39f72b73d23704a2253",
"status": "affected",
"version": "281e20323ab72180137824a298ee9e21e6f9acf6",
"versionType": "git"
},
{
"lessThan": "d5a2dcee53fa6e6e2822f93cb3f1b0cd23163bee",
"status": "affected",
"version": "281e20323ab72180137824a298ee9e21e6f9acf6",
"versionType": "git"
},
{
"lessThan": "5f4543c9382ae2d5062f6aa4fecae0c9258d0b0e",
"status": "affected",
"version": "281e20323ab72180137824a298ee9e21e6f9acf6",
"versionType": "git"
},
{
"lessThan": "c8bdc88216f09cb7387fedbdf613524367328616",
"status": "affected",
"version": "281e20323ab72180137824a298ee9e21e6f9acf6",
"versionType": "git"
},
{
"lessThan": "531390a243ef47448f8bad01c186c2787666bf4d",
"status": "affected",
"version": "281e20323ab72180137824a298ee9e21e6f9acf6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/firewire/core-cdev.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.33"
},
{
"lessThan": "2.6.33",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.306",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.273",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.232",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.306",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.273",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.232",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.168",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "2.6.33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.33",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region\n\nThis patch is fix for Linux kernel v2.6.33 or later.\n\nFor request subaction to IEC 61883-1 FCP region, Linux FireWire subsystem\nhave had an issue of use-after-free. The subsystem allows multiple\nuser space listeners to the region, while data of the payload was likely\nreleased before the listeners execute read(2) to access to it for copying\nto user space.\n\nThe issue was fixed by a commit 281e20323ab7 (\"firewire: core: fix\nuse-after-free regression in FCP handler\"). The object of payload is\nduplicated in kernel space for each listener. When the listener executes\nioctl(2) with FW_CDEV_IOC_SEND_RESPONSE request, the object is going to\nbe released.\n\nHowever, it causes memory leak since the commit relies on call of\nrelease_request() in drivers/firewire/core-cdev.c. Against the\nexpectation, the function is never called due to the design of\nrelease_client_resource(). The function delegates release task\nto caller when called with non-NULL fourth argument. The implementation\nof ioctl_send_response() is the case. It should release the object\nexplicitly.\n\nThis commit fixes the bug."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:01.624Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b2cd3947d116bb9ba7ff097b5fc747a8956764db"
},
{
"url": "https://git.kernel.org/stable/c/356ff89acdbe6a66019154bc7eb2d300f5b15103"
},
{
"url": "https://git.kernel.org/stable/c/53785fd9b315583cf029e39f72b73d23704a2253"
},
{
"url": "https://git.kernel.org/stable/c/d5a2dcee53fa6e6e2822f93cb3f1b0cd23163bee"
},
{
"url": "https://git.kernel.org/stable/c/5f4543c9382ae2d5062f6aa4fecae0c9258d0b0e"
},
{
"url": "https://git.kernel.org/stable/c/c8bdc88216f09cb7387fedbdf613524367328616"
},
{
"url": "https://git.kernel.org/stable/c/531390a243ef47448f8bad01c186c2787666bf4d"
}
],
"title": "firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52989",
"datePublished": "2025-03-27T16:43:25.684Z",
"dateReserved": "2025-03-27T16:40:15.741Z",
"dateUpdated": "2025-05-04T07:47:01.624Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52980 (GCVE-0-2023-52980)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
block: ublk: extending queue_size to fix overflow
When validating drafted SPDK ublk target, in a case that
assigning large queue depth to multiqueue ublk device,
ublk target would run into a weird incorrect state. During
rounds of review and debug, An overflow bug was found
in ublk driver.
In ublk_cmd.h, UBLK_MAX_QUEUE_DEPTH is 4096 which means
each ublk queue depth can be set as large as 4096. But
when setting qd for a ublk device,
sizeof(struct ublk_queue) + depth * sizeof(struct ublk_io)
will be larger than 65535 if qd is larger than 2728.
Then queue_size is overflowed, and ublk_get_queue()
references a wrong pointer position. The wrong content of
ublk_queue elements will lead to out-of-bounds memory
access.
Extend queue_size in ublk_device as "unsigned int".
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/block/ublk_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ee1e3fe4b4579f856997190a00ea4db0307b4332",
"status": "affected",
"version": "71f28f3136aff5890cd56de78abc673f8393cad9",
"versionType": "git"
},
{
"lessThan": "29baef789c838bd5c02f50c88adbbc6b955aaf61",
"status": "affected",
"version": "71f28f3136aff5890cd56de78abc673f8393cad9",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/block/ublk_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: ublk: extending queue_size to fix overflow\n\nWhen validating drafted SPDK ublk target, in a case that\nassigning large queue depth to multiqueue ublk device,\nublk target would run into a weird incorrect state. During\nrounds of review and debug, An overflow bug was found\nin ublk driver.\n\nIn ublk_cmd.h, UBLK_MAX_QUEUE_DEPTH is 4096 which means\neach ublk queue depth can be set as large as 4096. But\nwhen setting qd for a ublk device,\nsizeof(struct ublk_queue) + depth * sizeof(struct ublk_io)\nwill be larger than 65535 if qd is larger than 2728.\nThen queue_size is overflowed, and ublk_get_queue()\nreferences a wrong pointer position. The wrong content of\nublk_queue elements will lead to out-of-bounds memory\naccess.\n\nExtend queue_size in ublk_device as \"unsigned int\"."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:46:45.012Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ee1e3fe4b4579f856997190a00ea4db0307b4332"
},
{
"url": "https://git.kernel.org/stable/c/29baef789c838bd5c02f50c88adbbc6b955aaf61"
}
],
"title": "block: ublk: extending queue_size to fix overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52980",
"datePublished": "2025-03-27T16:43:19.493Z",
"dateReserved": "2025-03-27T16:40:15.740Z",
"dateUpdated": "2025-05-04T07:46:45.012Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52978 (GCVE-0-2023-52978)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
riscv: kprobe: Fixup kernel panic when probing an illegal position
The kernel would panic when probed for an illegal position. eg:
(CONFIG_RISCV_ISA_C=n)
echo 'p:hello kernel_clone+0x16 a0=%a0' >> kprobe_events
echo 1 > events/kprobes/hello/enable
cat trace
Kernel panic - not syncing: stack-protector: Kernel stack
is corrupted in: __do_sys_newfstatat+0xb8/0xb8
CPU: 0 PID: 111 Comm: sh Not tainted
6.2.0-rc1-00027-g2d398fe49a4d #490
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80007268>] dump_backtrace+0x38/0x48
[<ffffffff80c5e83c>] show_stack+0x50/0x68
[<ffffffff80c6da28>] dump_stack_lvl+0x60/0x84
[<ffffffff80c6da6c>] dump_stack+0x20/0x30
[<ffffffff80c5ecf4>] panic+0x160/0x374
[<ffffffff80c6db94>] generic_handle_arch_irq+0x0/0xa8
[<ffffffff802deeb0>] sys_newstat+0x0/0x30
[<ffffffff800158c0>] sys_clone+0x20/0x30
[<ffffffff800039e8>] ret_from_syscall+0x0/0x4
---[ end Kernel panic - not syncing: stack-protector:
Kernel stack is corrupted in: __do_sys_newfstatat+0xb8/0xb8 ]---
That is because the kprobe's ebreak instruction broke the kernel's
original code. The user should guarantee the correction of the probe
position, but it couldn't make the kernel panic.
This patch adds arch_check_kprobe in arch_prepare_kprobe to prevent an
illegal position (Such as the middle of an instruction).
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/riscv/kernel/probes/kprobes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "04a73558209554da17f46490ec4faaaf1b2bab68",
"status": "affected",
"version": "c22b0bcb1dd024cb9caad9230e3a387d8b061df5",
"versionType": "git"
},
{
"lessThan": "12316538b1d193064109ce1a28fc9bacd43950de",
"status": "affected",
"version": "c22b0bcb1dd024cb9caad9230e3a387d8b061df5",
"versionType": "git"
},
{
"lessThan": "87f48c7ccc73afc78630530d9af51f458f58cab8",
"status": "affected",
"version": "c22b0bcb1dd024cb9caad9230e3a387d8b061df5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/riscv/kernel/probes/kprobes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: kprobe: Fixup kernel panic when probing an illegal position\n\nThe kernel would panic when probed for an illegal position. eg:\n\n(CONFIG_RISCV_ISA_C=n)\n\necho \u0027p:hello kernel_clone+0x16 a0=%a0\u0027 \u003e\u003e kprobe_events\necho 1 \u003e events/kprobes/hello/enable\ncat trace\n\nKernel panic - not syncing: stack-protector: Kernel stack\nis corrupted in: __do_sys_newfstatat+0xb8/0xb8\nCPU: 0 PID: 111 Comm: sh Not tainted\n6.2.0-rc1-00027-g2d398fe49a4d #490\nHardware name: riscv-virtio,qemu (DT)\nCall Trace:\n[\u003cffffffff80007268\u003e] dump_backtrace+0x38/0x48\n[\u003cffffffff80c5e83c\u003e] show_stack+0x50/0x68\n[\u003cffffffff80c6da28\u003e] dump_stack_lvl+0x60/0x84\n[\u003cffffffff80c6da6c\u003e] dump_stack+0x20/0x30\n[\u003cffffffff80c5ecf4\u003e] panic+0x160/0x374\n[\u003cffffffff80c6db94\u003e] generic_handle_arch_irq+0x0/0xa8\n[\u003cffffffff802deeb0\u003e] sys_newstat+0x0/0x30\n[\u003cffffffff800158c0\u003e] sys_clone+0x20/0x30\n[\u003cffffffff800039e8\u003e] ret_from_syscall+0x0/0x4\n---[ end Kernel panic - not syncing: stack-protector:\nKernel stack is corrupted in: __do_sys_newfstatat+0xb8/0xb8 ]---\n\nThat is because the kprobe\u0027s ebreak instruction broke the kernel\u0027s\noriginal code. The user should guarantee the correction of the probe\nposition, but it couldn\u0027t make the kernel panic.\n\nThis patch adds arch_check_kprobe in arch_prepare_kprobe to prevent an\nillegal position (Such as the middle of an instruction)."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:46:42.575Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/04a73558209554da17f46490ec4faaaf1b2bab68"
},
{
"url": "https://git.kernel.org/stable/c/12316538b1d193064109ce1a28fc9bacd43950de"
},
{
"url": "https://git.kernel.org/stable/c/87f48c7ccc73afc78630530d9af51f458f58cab8"
}
],
"title": "riscv: kprobe: Fixup kernel panic when probing an illegal position",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52978",
"datePublished": "2025-03-27T16:43:18.185Z",
"dateReserved": "2025-03-27T16:40:15.738Z",
"dateUpdated": "2025-05-04T07:46:42.575Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21887 (GCVE-0-2025-21887)
Vulnerability from cvelistv5
Published
2025-03-27 14:57
Modified
2025-05-04 13:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up
The issue was caused by dput(upper) being called before
ovl_dentry_update_reval(), while upper->d_flags was still
accessed in ovl_dentry_remote().
Move dput(upper) after its last use to prevent use-after-free.
BUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline]
BUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
ovl_dentry_remote fs/overlayfs/util.c:162 [inline]
ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167
ovl_link_up fs/overlayfs/copy_up.c:610 [inline]
ovl_copy_up_one+0x2105/0x3490 fs/overlayfs/copy_up.c:1170
ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223
ovl_rename+0x39e/0x18c0 fs/overlayfs/dir.c:1136
vfs_rename+0xf84/0x20a0 fs/namei.c:4893
...
</TASK>
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 62f29ca45f832e281fc14966ac25f6ff3bd121ca Version: e4f2a1feebb3f209a0fca82aa53507a5b8be4d53 Version: b07d5cc93e1b28df47a72c519d09d0a836043613 Version: b07d5cc93e1b28df47a72c519d09d0a836043613 Version: b07d5cc93e1b28df47a72c519d09d0a836043613 Version: b07d5cc93e1b28df47a72c519d09d0a836043613 Version: 714ba10a6dd19752a349e59aa875f3288ccb59b9 Version: 33ab4dd6202f359558a0a2678b94d1b9994c17e5 Version: 1ecdc55e5cd9f70f8d7513802971d4cffb9f77af |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21887",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T16:59:58.510815Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T17:08:22.888Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/overlayfs/copy_up.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4b49d939b5a79117f939b77cc67efae2694d9799",
"status": "affected",
"version": "62f29ca45f832e281fc14966ac25f6ff3bd121ca",
"versionType": "git"
},
{
"lessThan": "a7c41830ffcd17b2177a95a9b99b270302090c35",
"status": "affected",
"version": "e4f2a1feebb3f209a0fca82aa53507a5b8be4d53",
"versionType": "git"
},
{
"lessThan": "64455c8051c3aedc71abb7ec8d47c80301f99f00",
"status": "affected",
"version": "b07d5cc93e1b28df47a72c519d09d0a836043613",
"versionType": "git"
},
{
"lessThan": "3594aad97e7be2557ca9fa9c931b206b604028c8",
"status": "affected",
"version": "b07d5cc93e1b28df47a72c519d09d0a836043613",
"versionType": "git"
},
{
"lessThan": "60b4b5c1277fc491da9e1e7abab307bfa39c2db7",
"status": "affected",
"version": "b07d5cc93e1b28df47a72c519d09d0a836043613",
"versionType": "git"
},
{
"lessThan": "c84e125fff2615b4d9c259e762596134eddd2f27",
"status": "affected",
"version": "b07d5cc93e1b28df47a72c519d09d0a836043613",
"versionType": "git"
},
{
"status": "affected",
"version": "714ba10a6dd19752a349e59aa875f3288ccb59b9",
"versionType": "git"
},
{
"status": "affected",
"version": "33ab4dd6202f359558a0a2678b94d1b9994c17e5",
"versionType": "git"
},
{
"status": "affected",
"version": "1ecdc55e5cd9f70f8d7513802971d4cffb9f77af",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/overlayfs/copy_up.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.5"
},
{
"lessThan": "6.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "5.15.121",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.130",
"versionStartIncluding": "6.1.39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.81",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.18",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.6",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.188",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.3.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\novl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up\n\nThe issue was caused by dput(upper) being called before\novl_dentry_update_reval(), while upper-\u003ed_flags was still\naccessed in ovl_dentry_remote().\n\nMove dput(upper) after its last use to prevent use-after-free.\n\nBUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline]\nBUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167\n\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0xc3/0x620 mm/kasan/report.c:488\n kasan_report+0xd9/0x110 mm/kasan/report.c:601\n ovl_dentry_remote fs/overlayfs/util.c:162 [inline]\n ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167\n ovl_link_up fs/overlayfs/copy_up.c:610 [inline]\n ovl_copy_up_one+0x2105/0x3490 fs/overlayfs/copy_up.c:1170\n ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223\n ovl_rename+0x39e/0x18c0 fs/overlayfs/dir.c:1136\n vfs_rename+0xf84/0x20a0 fs/namei.c:4893\n...\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T13:06:40.293Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4b49d939b5a79117f939b77cc67efae2694d9799"
},
{
"url": "https://git.kernel.org/stable/c/a7c41830ffcd17b2177a95a9b99b270302090c35"
},
{
"url": "https://git.kernel.org/stable/c/64455c8051c3aedc71abb7ec8d47c80301f99f00"
},
{
"url": "https://git.kernel.org/stable/c/3594aad97e7be2557ca9fa9c931b206b604028c8"
},
{
"url": "https://git.kernel.org/stable/c/60b4b5c1277fc491da9e1e7abab307bfa39c2db7"
},
{
"url": "https://git.kernel.org/stable/c/c84e125fff2615b4d9c259e762596134eddd2f27"
}
],
"title": "ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21887",
"datePublished": "2025-03-27T14:57:14.524Z",
"dateReserved": "2024-12-29T08:45:45.782Z",
"dateUpdated": "2025-05-04T13:06:40.293Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53010 (GCVE-0-2023-53010)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bnxt: Do not read past the end of test names
Test names were being concatenated based on a offset beyond the end of
the first name, which tripped the buffer overflow detection logic:
detected buffer overflow in strnlen
[...]
Call Trace:
bnxt_ethtool_init.cold+0x18/0x18
Refactor struct hwrm_selftest_qlist_output to use an actual array,
and adjust the concatenation to use snprintf() rather than a series of
strncat() calls.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c",
"drivers/net/ethernet/broadcom/bnxt/bnxt_hsi.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cefa85480ac99c0bef5a09daadb48d65fc28e279",
"status": "affected",
"version": "eb51365846bc418687af4c4f41b68b6e84cdd449",
"versionType": "git"
},
{
"lessThan": "d3e599c090fc6977331150c5f0a69ab8ce87da21",
"status": "affected",
"version": "eb51365846bc418687af4c4f41b68b6e84cdd449",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c",
"drivers/net/ethernet/broadcom/bnxt/bnxt_hsi.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt: Do not read past the end of test names\n\nTest names were being concatenated based on a offset beyond the end of\nthe first name, which tripped the buffer overflow detection logic:\n\n detected buffer overflow in strnlen\n [...]\n Call Trace:\n bnxt_ethtool_init.cold+0x18/0x18\n\nRefactor struct hwrm_selftest_qlist_output to use an actual array,\nand adjust the concatenation to use snprintf() rather than a series of\nstrncat() calls."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:32.221Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cefa85480ac99c0bef5a09daadb48d65fc28e279"
},
{
"url": "https://git.kernel.org/stable/c/d3e599c090fc6977331150c5f0a69ab8ce87da21"
}
],
"title": "bnxt: Do not read past the end of test names",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53010",
"datePublished": "2025-03-27T16:43:40.228Z",
"dateReserved": "2025-03-27T16:40:15.748Z",
"dateUpdated": "2025-05-04T07:47:32.221Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49741 (GCVE-0-2022-49741)
Vulnerability from cvelistv5
Published
2025-03-27 16:42
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: smscufx: fix error handling code in ufx_usb_probe
The current error handling code in ufx_usb_probe have many unmatching
issues, e.g., missing ufx_free_usb_list, destroy_modedb label should
only include framebuffer_release, fb_dealloc_cmap only matches
fb_alloc_cmap.
My local syzkaller reports a memory leak bug:
memory leak in ufx_usb_probe
BUG: memory leak
unreferenced object 0xffff88802f879580 (size 128):
comm "kworker/0:7", pid 17416, jiffies 4295067474 (age 46.710s)
hex dump (first 32 bytes):
80 21 7c 2e 80 88 ff ff 18 d0 d0 0c 80 88 ff ff .!|.............
00 d0 d0 0c 80 88 ff ff e0 ff ff ff 0f 00 00 00 ................
backtrace:
[<ffffffff814c99a0>] kmalloc_trace+0x20/0x90 mm/slab_common.c:1045
[<ffffffff824d219c>] kmalloc include/linux/slab.h:553 [inline]
[<ffffffff824d219c>] kzalloc include/linux/slab.h:689 [inline]
[<ffffffff824d219c>] ufx_alloc_urb_list drivers/video/fbdev/smscufx.c:1873 [inline]
[<ffffffff824d219c>] ufx_usb_probe+0x11c/0x15a0 drivers/video/fbdev/smscufx.c:1655
[<ffffffff82d17927>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
[<ffffffff82712f0d>] call_driver_probe drivers/base/dd.c:560 [inline]
[<ffffffff82712f0d>] really_probe+0x12d/0x390 drivers/base/dd.c:639
[<ffffffff8271322f>] __driver_probe_device+0xbf/0x140 drivers/base/dd.c:778
[<ffffffff827132da>] driver_probe_device+0x2a/0x120 drivers/base/dd.c:808
[<ffffffff82713c27>] __device_attach_driver+0xf7/0x150 drivers/base/dd.c:936
[<ffffffff82710137>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427
[<ffffffff827136b5>] __device_attach+0x105/0x2d0 drivers/base/dd.c:1008
[<ffffffff82711d36>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487
[<ffffffff8270e242>] device_add+0x642/0xdc0 drivers/base/core.c:3517
[<ffffffff82d14d5f>] usb_set_configuration+0x8ef/0xb80 drivers/usb/core/message.c:2170
[<ffffffff82d2576c>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238
[<ffffffff82d16ffc>] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293
[<ffffffff82712f0d>] call_driver_probe drivers/base/dd.c:560 [inline]
[<ffffffff82712f0d>] really_probe+0x12d/0x390 drivers/base/dd.c:639
[<ffffffff8271322f>] __driver_probe_device+0xbf/0x140 drivers/base/dd.c:778
Fix this bug by rewriting the error handling code in ufx_usb_probe.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/smscufx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3b3d3127f5b4291ae4caaf50f7b66089ad600480",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "3931014367ef31d26af65386a4ca496f50f0cfdf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "64fa364ad3245508d393e16ed4886f92d7eb423c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1b4c08844628dfc8d72d3f51b657f2a5e63b7b4b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b76449ee75e21acfe9fa4c653d8598f191ed7d68",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/smscufx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.232",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.232",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.168",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: smscufx: fix error handling code in ufx_usb_probe\n\nThe current error handling code in ufx_usb_probe have many unmatching\nissues, e.g., missing ufx_free_usb_list, destroy_modedb label should\nonly include framebuffer_release, fb_dealloc_cmap only matches\nfb_alloc_cmap.\n\nMy local syzkaller reports a memory leak bug:\n\nmemory leak in ufx_usb_probe\n\nBUG: memory leak\nunreferenced object 0xffff88802f879580 (size 128):\n comm \"kworker/0:7\", pid 17416, jiffies 4295067474 (age 46.710s)\n hex dump (first 32 bytes):\n 80 21 7c 2e 80 88 ff ff 18 d0 d0 0c 80 88 ff ff .!|.............\n 00 d0 d0 0c 80 88 ff ff e0 ff ff ff 0f 00 00 00 ................\n backtrace:\n [\u003cffffffff814c99a0\u003e] kmalloc_trace+0x20/0x90 mm/slab_common.c:1045\n [\u003cffffffff824d219c\u003e] kmalloc include/linux/slab.h:553 [inline]\n [\u003cffffffff824d219c\u003e] kzalloc include/linux/slab.h:689 [inline]\n [\u003cffffffff824d219c\u003e] ufx_alloc_urb_list drivers/video/fbdev/smscufx.c:1873 [inline]\n [\u003cffffffff824d219c\u003e] ufx_usb_probe+0x11c/0x15a0 drivers/video/fbdev/smscufx.c:1655\n [\u003cffffffff82d17927\u003e] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396\n [\u003cffffffff82712f0d\u003e] call_driver_probe drivers/base/dd.c:560 [inline]\n [\u003cffffffff82712f0d\u003e] really_probe+0x12d/0x390 drivers/base/dd.c:639\n [\u003cffffffff8271322f\u003e] __driver_probe_device+0xbf/0x140 drivers/base/dd.c:778\n [\u003cffffffff827132da\u003e] driver_probe_device+0x2a/0x120 drivers/base/dd.c:808\n [\u003cffffffff82713c27\u003e] __device_attach_driver+0xf7/0x150 drivers/base/dd.c:936\n [\u003cffffffff82710137\u003e] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427\n [\u003cffffffff827136b5\u003e] __device_attach+0x105/0x2d0 drivers/base/dd.c:1008\n [\u003cffffffff82711d36\u003e] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487\n [\u003cffffffff8270e242\u003e] device_add+0x642/0xdc0 drivers/base/core.c:3517\n [\u003cffffffff82d14d5f\u003e] usb_set_configuration+0x8ef/0xb80 drivers/usb/core/message.c:2170\n [\u003cffffffff82d2576c\u003e] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238\n [\u003cffffffff82d16ffc\u003e] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293\n [\u003cffffffff82712f0d\u003e] call_driver_probe drivers/base/dd.c:560 [inline]\n [\u003cffffffff82712f0d\u003e] really_probe+0x12d/0x390 drivers/base/dd.c:639\n [\u003cffffffff8271322f\u003e] __driver_probe_device+0xbf/0x140 drivers/base/dd.c:778\n\nFix this bug by rewriting the error handling code in ufx_usb_probe."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:23.744Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3b3d3127f5b4291ae4caaf50f7b66089ad600480"
},
{
"url": "https://git.kernel.org/stable/c/3931014367ef31d26af65386a4ca496f50f0cfdf"
},
{
"url": "https://git.kernel.org/stable/c/64fa364ad3245508d393e16ed4886f92d7eb423c"
},
{
"url": "https://git.kernel.org/stable/c/1b4c08844628dfc8d72d3f51b657f2a5e63b7b4b"
},
{
"url": "https://git.kernel.org/stable/c/b76449ee75e21acfe9fa4c653d8598f191ed7d68"
}
],
"title": "fbdev: smscufx: fix error handling code in ufx_usb_probe",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49741",
"datePublished": "2025-03-27T16:42:52.994Z",
"dateReserved": "2025-03-27T16:39:17.986Z",
"dateUpdated": "2025-05-04T08:44:23.744Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53015 (GCVE-0-2023-53015)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: betop: check shape of output reports
betopff_init() only checks the total sum of the report counts for each
report field to be at least 4, but hid_betopff_play() expects 4 report
fields.
A device advertising an output report with one field and 4 report counts
would pass the check but crash the kernel with a NULL pointer dereference
in hid_betopff_play().
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 52cd7785f3cdd2724f4efb5b21dbc75d6f9ccef4 Version: 52cd7785f3cdd2724f4efb5b21dbc75d6f9ccef4 Version: 52cd7785f3cdd2724f4efb5b21dbc75d6f9ccef4 Version: 52cd7785f3cdd2724f4efb5b21dbc75d6f9ccef4 Version: 52cd7785f3cdd2724f4efb5b21dbc75d6f9ccef4 Version: 52cd7785f3cdd2724f4efb5b21dbc75d6f9ccef4 Version: 52cd7785f3cdd2724f4efb5b21dbc75d6f9ccef4 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-betopff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "dbab4dba400d6ea9a9697fbbd287adbf7db1dac4",
"status": "affected",
"version": "52cd7785f3cdd2724f4efb5b21dbc75d6f9ccef4",
"versionType": "git"
},
{
"lessThan": "7317326f685824c7c29bd80841fd18041af6bb73",
"status": "affected",
"version": "52cd7785f3cdd2724f4efb5b21dbc75d6f9ccef4",
"versionType": "git"
},
{
"lessThan": "d3065cc56221d1a5eda237e94eaf2a627b88ab79",
"status": "affected",
"version": "52cd7785f3cdd2724f4efb5b21dbc75d6f9ccef4",
"versionType": "git"
},
{
"lessThan": "28fc6095da22dc88433d79578ae1c495ebe8ca43",
"status": "affected",
"version": "52cd7785f3cdd2724f4efb5b21dbc75d6f9ccef4",
"versionType": "git"
},
{
"lessThan": "1a2a47b85cab50a3c146731bfeaf2d860f5344ee",
"status": "affected",
"version": "52cd7785f3cdd2724f4efb5b21dbc75d6f9ccef4",
"versionType": "git"
},
{
"lessThan": "07bc32e53c7bd5c91472cc485231ef6274db9b76",
"status": "affected",
"version": "52cd7785f3cdd2724f4efb5b21dbc75d6f9ccef4",
"versionType": "git"
},
{
"lessThan": "3782c0d6edf658b71354a64d60aa7a296188fc90",
"status": "affected",
"version": "52cd7785f3cdd2724f4efb5b21dbc75d6f9ccef4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-betopff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.0"
},
{
"lessThan": "4.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.305",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.272",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.305",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.272",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: betop: check shape of output reports\n\nbetopff_init() only checks the total sum of the report counts for each\nreport field to be at least 4, but hid_betopff_play() expects 4 report\nfields.\nA device advertising an output report with one field and 4 report counts\nwould pass the check but crash the kernel with a NULL pointer dereference\nin hid_betopff_play()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:38.188Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/dbab4dba400d6ea9a9697fbbd287adbf7db1dac4"
},
{
"url": "https://git.kernel.org/stable/c/7317326f685824c7c29bd80841fd18041af6bb73"
},
{
"url": "https://git.kernel.org/stable/c/d3065cc56221d1a5eda237e94eaf2a627b88ab79"
},
{
"url": "https://git.kernel.org/stable/c/28fc6095da22dc88433d79578ae1c495ebe8ca43"
},
{
"url": "https://git.kernel.org/stable/c/1a2a47b85cab50a3c146731bfeaf2d860f5344ee"
},
{
"url": "https://git.kernel.org/stable/c/07bc32e53c7bd5c91472cc485231ef6274db9b76"
},
{
"url": "https://git.kernel.org/stable/c/3782c0d6edf658b71354a64d60aa7a296188fc90"
}
],
"title": "HID: betop: check shape of output reports",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53015",
"datePublished": "2025-03-27T16:43:43.886Z",
"dateReserved": "2025-03-27T16:40:15.750Z",
"dateUpdated": "2025-05-04T07:47:38.188Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52931 (GCVE-0-2023-52931)
Vulnerability from cvelistv5
Published
2025-03-27 16:37
Modified
2025-05-04 07:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915: Avoid potential vm use-after-free
Adding the vm to the vm_xa table makes it visible to userspace, which
could try to race with us to close the vm. So we need to take our extra
reference before putting it in the table.
(cherry picked from commit 99343c46d4e2b34c285d3d5f68ff04274c2f9fb4)
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-52931",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-28T15:22:44.463272Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T15:31:59.802Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gem/i915_gem_context.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "764accc2c1b8fd1507be2e7f436c94cdce887a00",
"status": "affected",
"version": "9ec8795e7d91bc650db03dc6f5315667555dae11",
"versionType": "git"
},
{
"lessThan": "41d419382ec7e257e54b7b6ff0d3623aafb1316d",
"status": "affected",
"version": "9ec8795e7d91bc650db03dc6f5315667555dae11",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gem/i915_gem_context.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Avoid potential vm use-after-free\n\nAdding the vm to the vm_xa table makes it visible to userspace, which\ncould try to race with us to close the vm. So we need to take our extra\nreference before putting it in the table.\n\n(cherry picked from commit 99343c46d4e2b34c285d3d5f68ff04274c2f9fb4)"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:46:15.198Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/764accc2c1b8fd1507be2e7f436c94cdce887a00"
},
{
"url": "https://git.kernel.org/stable/c/41d419382ec7e257e54b7b6ff0d3623aafb1316d"
}
],
"title": "drm/i915: Avoid potential vm use-after-free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52931",
"datePublished": "2025-03-27T16:37:12.969Z",
"dateReserved": "2024-08-21T06:07:11.019Z",
"dateUpdated": "2025-05-04T07:46:15.198Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21881 (GCVE-0-2025-21881)
Vulnerability from cvelistv5
Published
2025-03-27 14:57
Modified
2025-05-04 07:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
uprobes: Reject the shared zeropage in uprobe_write_opcode()
We triggered the following crash in syzkaller tests:
BUG: Bad page state in process syz.7.38 pfn:1eff3
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1eff3
flags: 0x3fffff00004004(referenced|reserved|node=0|zone=1|lastcpupid=0x1fffff)
raw: 003fffff00004004 ffffe6c6c07bfcc8 ffffe6c6c07bfcc8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000fffffffe 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x32/0x50
bad_page+0x69/0xf0
free_unref_page_prepare+0x401/0x500
free_unref_page+0x6d/0x1b0
uprobe_write_opcode+0x460/0x8e0
install_breakpoint.part.0+0x51/0x80
register_for_each_vma+0x1d9/0x2b0
__uprobe_register+0x245/0x300
bpf_uprobe_multi_link_attach+0x29b/0x4f0
link_create+0x1e2/0x280
__sys_bpf+0x75f/0xac0
__x64_sys_bpf+0x1a/0x30
do_syscall_64+0x56/0x100
entry_SYSCALL_64_after_hwframe+0x78/0xe2
BUG: Bad rss-counter state mm:00000000452453e0 type:MM_FILEPAGES val:-1
The following syzkaller test case can be used to reproduce:
r2 = creat(&(0x7f0000000000)='./file0\x00', 0x8)
write$nbd(r2, &(0x7f0000000580)=ANY=[], 0x10)
r4 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x42, 0x0)
mmap$IORING_OFF_SQ_RING(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x0, 0x12, r4, 0x0)
r5 = userfaultfd(0x80801)
ioctl$UFFDIO_API(r5, 0xc018aa3f, &(0x7f0000000040)={0xaa, 0x20})
r6 = userfaultfd(0x80801)
ioctl$UFFDIO_API(r6, 0xc018aa3f, &(0x7f0000000140))
ioctl$UFFDIO_REGISTER(r6, 0xc020aa00, &(0x7f0000000100)={{&(0x7f0000ffc000/0x4000)=nil, 0x4000}, 0x2})
ioctl$UFFDIO_ZEROPAGE(r5, 0xc020aa04, &(0x7f0000000000)={{&(0x7f0000ffd000/0x1000)=nil, 0x1000}})
r7 = bpf$PROG_LOAD(0x5, &(0x7f0000000140)={0x2, 0x3, &(0x7f0000000200)=ANY=[@ANYBLOB="1800000000120000000000000000000095"], &(0x7f0000000000)='GPL\x00', 0x7, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x30, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000040)={r7, 0x0, 0x30, 0x1e, @val=@uprobe_multi={&(0x7f0000000080)='./file0\x00', &(0x7f0000000100)=[0x2], 0x0, 0x0, 0x1}}, 0x40)
The cause is that zero pfn is set to the PTE without increasing the RSS
count in mfill_atomic_pte_zeropage() and the refcount of zero folio does
not increase accordingly. Then, the operation on the same pfn is performed
in uprobe_write_opcode()->__replace_page() to unconditional decrease the
RSS count and old_folio's refcount.
Therefore, two bugs are introduced:
1. The RSS count is incorrect, when process exit, the check_mm() report
error "Bad rss-count".
2. The reserved folio (zero folio) is freed when folio->refcount is zero,
then free_pages_prepare->free_page_is_bad() report error
"Bad page state".
There is more, the following warning could also theoretically be triggered:
__replace_page()
-> ...
-> folio_remove_rmap_pte()
-> VM_WARN_ON_FOLIO(is_zero_folio(folio), folio)
Considering that uprobe hit on the zero folio is a very rare case, just
reject zero old folio immediately after get_user_page_vma_remote().
[ mingo: Cleaned up the changelog ]
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 2b144498350860b6ee9dc57ff27a93ad488de5dc Version: 2b144498350860b6ee9dc57ff27a93ad488de5dc Version: 2b144498350860b6ee9dc57ff27a93ad488de5dc Version: 2b144498350860b6ee9dc57ff27a93ad488de5dc Version: 2b144498350860b6ee9dc57ff27a93ad488de5dc |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/events/uprobes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "c4cb2bfa99513311886c1eb5c1c2ac26f3338a6e",
"status": "affected",
"version": "2b144498350860b6ee9dc57ff27a93ad488de5dc",
"versionType": "git"
},
{
"lessThan": "0b6f19714588cf2366b0364234f97ba963688f63",
"status": "affected",
"version": "2b144498350860b6ee9dc57ff27a93ad488de5dc",
"versionType": "git"
},
{
"lessThan": "13cca2b73e2b0ec3ea6d6615d615395621d22752",
"status": "affected",
"version": "2b144498350860b6ee9dc57ff27a93ad488de5dc",
"versionType": "git"
},
{
"lessThan": "54011fc94422f094eaf47555284de70a4bc32bb9",
"status": "affected",
"version": "2b144498350860b6ee9dc57ff27a93ad488de5dc",
"versionType": "git"
},
{
"lessThan": "bddf10d26e6e5114e7415a0e442ec6f51a559468",
"status": "affected",
"version": "2b144498350860b6ee9dc57ff27a93ad488de5dc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/events/uprobes.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.5"
},
{
"lessThan": "3.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.130",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.81",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.18",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.6",
"versionStartIncluding": "3.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "3.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuprobes: Reject the shared zeropage in uprobe_write_opcode()\n\nWe triggered the following crash in syzkaller tests:\n\n BUG: Bad page state in process syz.7.38 pfn:1eff3\n page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1eff3\n flags: 0x3fffff00004004(referenced|reserved|node=0|zone=1|lastcpupid=0x1fffff)\n raw: 003fffff00004004 ffffe6c6c07bfcc8 ffffe6c6c07bfcc8 0000000000000000\n raw: 0000000000000000 0000000000000000 00000000fffffffe 0000000000000000\n page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x32/0x50\n bad_page+0x69/0xf0\n free_unref_page_prepare+0x401/0x500\n free_unref_page+0x6d/0x1b0\n uprobe_write_opcode+0x460/0x8e0\n install_breakpoint.part.0+0x51/0x80\n register_for_each_vma+0x1d9/0x2b0\n __uprobe_register+0x245/0x300\n bpf_uprobe_multi_link_attach+0x29b/0x4f0\n link_create+0x1e2/0x280\n __sys_bpf+0x75f/0xac0\n __x64_sys_bpf+0x1a/0x30\n do_syscall_64+0x56/0x100\n entry_SYSCALL_64_after_hwframe+0x78/0xe2\n\n BUG: Bad rss-counter state mm:00000000452453e0 type:MM_FILEPAGES val:-1\n\nThe following syzkaller test case can be used to reproduce:\n\n r2 = creat(\u0026(0x7f0000000000)=\u0027./file0\\x00\u0027, 0x8)\n write$nbd(r2, \u0026(0x7f0000000580)=ANY=[], 0x10)\n r4 = openat(0xffffffffffffff9c, \u0026(0x7f0000000040)=\u0027./file0\\x00\u0027, 0x42, 0x0)\n mmap$IORING_OFF_SQ_RING(\u0026(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x0, 0x12, r4, 0x0)\n r5 = userfaultfd(0x80801)\n ioctl$UFFDIO_API(r5, 0xc018aa3f, \u0026(0x7f0000000040)={0xaa, 0x20})\n r6 = userfaultfd(0x80801)\n ioctl$UFFDIO_API(r6, 0xc018aa3f, \u0026(0x7f0000000140))\n ioctl$UFFDIO_REGISTER(r6, 0xc020aa00, \u0026(0x7f0000000100)={{\u0026(0x7f0000ffc000/0x4000)=nil, 0x4000}, 0x2})\n ioctl$UFFDIO_ZEROPAGE(r5, 0xc020aa04, \u0026(0x7f0000000000)={{\u0026(0x7f0000ffd000/0x1000)=nil, 0x1000}})\n r7 = bpf$PROG_LOAD(0x5, \u0026(0x7f0000000140)={0x2, 0x3, \u0026(0x7f0000000200)=ANY=[@ANYBLOB=\"1800000000120000000000000000000095\"], \u0026(0x7f0000000000)=\u0027GPL\\x00\u0027, 0x7, 0x0, 0x0, 0x0, 0x0, \u0027\\x00\u0027, 0x0, @fallback=0x30, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)\n bpf$BPF_LINK_CREATE_XDP(0x1c, \u0026(0x7f0000000040)={r7, 0x0, 0x30, 0x1e, @val=@uprobe_multi={\u0026(0x7f0000000080)=\u0027./file0\\x00\u0027, \u0026(0x7f0000000100)=[0x2], 0x0, 0x0, 0x1}}, 0x40)\n\nThe cause is that zero pfn is set to the PTE without increasing the RSS\ncount in mfill_atomic_pte_zeropage() and the refcount of zero folio does\nnot increase accordingly. Then, the operation on the same pfn is performed\nin uprobe_write_opcode()-\u003e__replace_page() to unconditional decrease the\nRSS count and old_folio\u0027s refcount.\n\nTherefore, two bugs are introduced:\n\n 1. The RSS count is incorrect, when process exit, the check_mm() report\n error \"Bad rss-count\".\n\n 2. The reserved folio (zero folio) is freed when folio-\u003erefcount is zero,\n then free_pages_prepare-\u003efree_page_is_bad() report error\n \"Bad page state\".\n\nThere is more, the following warning could also theoretically be triggered:\n\n __replace_page()\n -\u003e ...\n -\u003e folio_remove_rmap_pte()\n -\u003e VM_WARN_ON_FOLIO(is_zero_folio(folio), folio)\n\nConsidering that uprobe hit on the zero folio is a very rare case, just\nreject zero old folio immediately after get_user_page_vma_remote().\n\n[ mingo: Cleaned up the changelog ]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:23:14.242Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/c4cb2bfa99513311886c1eb5c1c2ac26f3338a6e"
},
{
"url": "https://git.kernel.org/stable/c/0b6f19714588cf2366b0364234f97ba963688f63"
},
{
"url": "https://git.kernel.org/stable/c/13cca2b73e2b0ec3ea6d6615d615395621d22752"
},
{
"url": "https://git.kernel.org/stable/c/54011fc94422f094eaf47555284de70a4bc32bb9"
},
{
"url": "https://git.kernel.org/stable/c/bddf10d26e6e5114e7415a0e442ec6f51a559468"
}
],
"title": "uprobes: Reject the shared zeropage in uprobe_write_opcode()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21881",
"datePublished": "2025-03-27T14:57:10.241Z",
"dateReserved": "2024-12-29T08:45:45.782Z",
"dateUpdated": "2025-05-04T07:23:14.242Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53005 (GCVE-0-2023-53005)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
trace_events_hist: add check for return value of 'create_hist_field'
Function 'create_hist_field' is called recursively at
trace_events_hist.c:1954 and can return NULL-value that's why we have
to check it to avoid null pointer dereference.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 30350d65ac5676c6d08d4fc935bc9a9cb0fd4ed3 Version: 30350d65ac5676c6d08d4fc935bc9a9cb0fd4ed3 Version: 30350d65ac5676c6d08d4fc935bc9a9cb0fd4ed3 Version: 30350d65ac5676c6d08d4fc935bc9a9cb0fd4ed3 Version: 30350d65ac5676c6d08d4fc935bc9a9cb0fd4ed3 Version: 30350d65ac5676c6d08d4fc935bc9a9cb0fd4ed3 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_events_hist.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d2d1ada58e7cc100b8d7d6b082d19321ba4a700a",
"status": "affected",
"version": "30350d65ac5676c6d08d4fc935bc9a9cb0fd4ed3",
"versionType": "git"
},
{
"lessThan": "31b2414abeaa6de0490e85164badc6dcb1bb8ec9",
"status": "affected",
"version": "30350d65ac5676c6d08d4fc935bc9a9cb0fd4ed3",
"versionType": "git"
},
{
"lessThan": "886aa449235f478e262bbd5dcdee6ed6bc202949",
"status": "affected",
"version": "30350d65ac5676c6d08d4fc935bc9a9cb0fd4ed3",
"versionType": "git"
},
{
"lessThan": "592ba7116fa620425725ff0972691f352ba3caf6",
"status": "affected",
"version": "30350d65ac5676c6d08d4fc935bc9a9cb0fd4ed3",
"versionType": "git"
},
{
"lessThan": "b4e7e81b4fdfcf457daee6b7a61769f62198d840",
"status": "affected",
"version": "30350d65ac5676c6d08d4fc935bc9a9cb0fd4ed3",
"versionType": "git"
},
{
"lessThan": "8b152e9150d07a885f95e1fd401fc81af202d9a4",
"status": "affected",
"version": "30350d65ac5676c6d08d4fc935bc9a9cb0fd4ed3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace_events_hist.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.272",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.272",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntrace_events_hist: add check for return value of \u0027create_hist_field\u0027\n\nFunction \u0027create_hist_field\u0027 is called recursively at\ntrace_events_hist.c:1954 and can return NULL-value that\u0027s why we have\nto check it to avoid null pointer dereference.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:21.411Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d2d1ada58e7cc100b8d7d6b082d19321ba4a700a"
},
{
"url": "https://git.kernel.org/stable/c/31b2414abeaa6de0490e85164badc6dcb1bb8ec9"
},
{
"url": "https://git.kernel.org/stable/c/886aa449235f478e262bbd5dcdee6ed6bc202949"
},
{
"url": "https://git.kernel.org/stable/c/592ba7116fa620425725ff0972691f352ba3caf6"
},
{
"url": "https://git.kernel.org/stable/c/b4e7e81b4fdfcf457daee6b7a61769f62198d840"
},
{
"url": "https://git.kernel.org/stable/c/8b152e9150d07a885f95e1fd401fc81af202d9a4"
}
],
"title": "trace_events_hist: add check for return value of \u0027create_hist_field\u0027",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53005",
"datePublished": "2025-03-27T16:43:36.547Z",
"dateReserved": "2025-03-27T16:40:15.744Z",
"dateUpdated": "2025-05-04T07:47:21.411Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-58090 (GCVE-0-2024-58090)
Vulnerability from cvelistv5
Published
2025-03-27 14:57
Modified
2025-05-04 10:09
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
sched/core: Prevent rescheduling when interrupts are disabled
David reported a warning observed while loop testing kexec jump:
Interrupts enabled after irqrouter_resume+0x0/0x50
WARNING: CPU: 0 PID: 560 at drivers/base/syscore.c:103 syscore_resume+0x18a/0x220
kernel_kexec+0xf6/0x180
__do_sys_reboot+0x206/0x250
do_syscall_64+0x95/0x180
The corresponding interrupt flag trace:
hardirqs last enabled at (15573): [<ffffffffa8281b8e>] __up_console_sem+0x7e/0x90
hardirqs last disabled at (15580): [<ffffffffa8281b73>] __up_console_sem+0x63/0x90
That means __up_console_sem() was invoked with interrupts enabled. Further
instrumentation revealed that in the interrupt disabled section of kexec
jump one of the syscore_suspend() callbacks woke up a task, which set the
NEED_RESCHED flag. A later callback in the resume path invoked
cond_resched() which in turn led to the invocation of the scheduler:
__cond_resched+0x21/0x60
down_timeout+0x18/0x60
acpi_os_wait_semaphore+0x4c/0x80
acpi_ut_acquire_mutex+0x3d/0x100
acpi_ns_get_node+0x27/0x60
acpi_ns_evaluate+0x1cb/0x2d0
acpi_rs_set_srs_method_data+0x156/0x190
acpi_pci_link_set+0x11c/0x290
irqrouter_resume+0x54/0x60
syscore_resume+0x6a/0x200
kernel_kexec+0x145/0x1c0
__do_sys_reboot+0xeb/0x240
do_syscall_64+0x95/0x180
This is a long standing problem, which probably got more visible with
the recent printk changes. Something does a task wakeup and the
scheduler sets the NEED_RESCHED flag. cond_resched() sees it set and
invokes schedule() from a completely bogus context. The scheduler
enables interrupts after context switching, which causes the above
warning at the end.
Quite some of the code paths in syscore_suspend()/resume() can result in
triggering a wakeup with the exactly same consequences. They might not
have done so yet, but as they share a lot of code with normal operations
it's just a question of time.
The problem only affects the PREEMPT_NONE and PREEMPT_VOLUNTARY scheduling
models. Full preemption is not affected as cond_resched() is disabled and
the preemption check preemptible() takes the interrupt disabled flag into
account.
Cure the problem by adding a corresponding check into cond_resched().
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/sched/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "321794b75ac968f0bb6b9c913581949452a8d992",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1651f5731b378616565534eb9cda30e258cebebc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "288fdb8dcb71ec77b76ab8b8a06bc10f595ea504",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "84586322e010164eedddfcd0a0894206ae7d9317",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "68786ab0935ccd5721283b7eb7f4d2f2942c7a52",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0362847c520747b44b574d363705d8af0621727a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b927c8539f692fb1f9c2f42e6c8ea2d94956f921",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "82c387ef7568c0d96a918a5a78d9cad6256cfa15",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/sched/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.130",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.81",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/core: Prevent rescheduling when interrupts are disabled\n\nDavid reported a warning observed while loop testing kexec jump:\n\n Interrupts enabled after irqrouter_resume+0x0/0x50\n WARNING: CPU: 0 PID: 560 at drivers/base/syscore.c:103 syscore_resume+0x18a/0x220\n kernel_kexec+0xf6/0x180\n __do_sys_reboot+0x206/0x250\n do_syscall_64+0x95/0x180\n\nThe corresponding interrupt flag trace:\n\n hardirqs last enabled at (15573): [\u003cffffffffa8281b8e\u003e] __up_console_sem+0x7e/0x90\n hardirqs last disabled at (15580): [\u003cffffffffa8281b73\u003e] __up_console_sem+0x63/0x90\n\nThat means __up_console_sem() was invoked with interrupts enabled. Further\ninstrumentation revealed that in the interrupt disabled section of kexec\njump one of the syscore_suspend() callbacks woke up a task, which set the\nNEED_RESCHED flag. A later callback in the resume path invoked\ncond_resched() which in turn led to the invocation of the scheduler:\n\n __cond_resched+0x21/0x60\n down_timeout+0x18/0x60\n acpi_os_wait_semaphore+0x4c/0x80\n acpi_ut_acquire_mutex+0x3d/0x100\n acpi_ns_get_node+0x27/0x60\n acpi_ns_evaluate+0x1cb/0x2d0\n acpi_rs_set_srs_method_data+0x156/0x190\n acpi_pci_link_set+0x11c/0x290\n irqrouter_resume+0x54/0x60\n syscore_resume+0x6a/0x200\n kernel_kexec+0x145/0x1c0\n __do_sys_reboot+0xeb/0x240\n do_syscall_64+0x95/0x180\n\nThis is a long standing problem, which probably got more visible with\nthe recent printk changes. Something does a task wakeup and the\nscheduler sets the NEED_RESCHED flag. cond_resched() sees it set and\ninvokes schedule() from a completely bogus context. The scheduler\nenables interrupts after context switching, which causes the above\nwarning at the end.\n\nQuite some of the code paths in syscore_suspend()/resume() can result in\ntriggering a wakeup with the exactly same consequences. They might not\nhave done so yet, but as they share a lot of code with normal operations\nit\u0027s just a question of time.\n\nThe problem only affects the PREEMPT_NONE and PREEMPT_VOLUNTARY scheduling\nmodels. Full preemption is not affected as cond_resched() is disabled and\nthe preemption check preemptible() takes the interrupt disabled flag into\naccount.\n\nCure the problem by adding a corresponding check into cond_resched()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T10:09:51.138Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/321794b75ac968f0bb6b9c913581949452a8d992"
},
{
"url": "https://git.kernel.org/stable/c/1651f5731b378616565534eb9cda30e258cebebc"
},
{
"url": "https://git.kernel.org/stable/c/288fdb8dcb71ec77b76ab8b8a06bc10f595ea504"
},
{
"url": "https://git.kernel.org/stable/c/84586322e010164eedddfcd0a0894206ae7d9317"
},
{
"url": "https://git.kernel.org/stable/c/68786ab0935ccd5721283b7eb7f4d2f2942c7a52"
},
{
"url": "https://git.kernel.org/stable/c/0362847c520747b44b574d363705d8af0621727a"
},
{
"url": "https://git.kernel.org/stable/c/b927c8539f692fb1f9c2f42e6c8ea2d94956f921"
},
{
"url": "https://git.kernel.org/stable/c/82c387ef7568c0d96a918a5a78d9cad6256cfa15"
}
],
"title": "sched/core: Prevent rescheduling when interrupts are disabled",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58090",
"datePublished": "2025-03-27T14:57:02.886Z",
"dateReserved": "2025-03-06T15:52:09.188Z",
"dateUpdated": "2025-05-04T10:09:51.138Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53022 (GCVE-0-2023-53022)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: enetc: avoid deadlock in enetc_tx_onestep_tstamp()
This lockdep splat says it better than I could:
================================
WARNING: inconsistent lock state
6.2.0-rc2-07010-ga9b9500ffaac-dirty #967 Not tainted
--------------------------------
inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage.
kworker/1:3/179 [HC0[0]:SC0[0]:HE1:SE1] takes:
ffff3ec4036ce098 (_xmit_ETHER#2){+.?.}-{3:3}, at: netif_freeze_queues+0x5c/0xc0
{IN-SOFTIRQ-W} state was registered at:
_raw_spin_lock+0x5c/0xc0
sch_direct_xmit+0x148/0x37c
__dev_queue_xmit+0x528/0x111c
ip6_finish_output2+0x5ec/0xb7c
ip6_finish_output+0x240/0x3f0
ip6_output+0x78/0x360
ndisc_send_skb+0x33c/0x85c
ndisc_send_rs+0x54/0x12c
addrconf_rs_timer+0x154/0x260
call_timer_fn+0xb8/0x3a0
__run_timers.part.0+0x214/0x26c
run_timer_softirq+0x3c/0x74
__do_softirq+0x14c/0x5d8
____do_softirq+0x10/0x20
call_on_irq_stack+0x2c/0x5c
do_softirq_own_stack+0x1c/0x30
__irq_exit_rcu+0x168/0x1a0
irq_exit_rcu+0x10/0x40
el1_interrupt+0x38/0x64
irq event stamp: 7825
hardirqs last enabled at (7825): [<ffffdf1f7200cae4>] exit_to_kernel_mode+0x34/0x130
hardirqs last disabled at (7823): [<ffffdf1f708105f0>] __do_softirq+0x550/0x5d8
softirqs last enabled at (7824): [<ffffdf1f7081050c>] __do_softirq+0x46c/0x5d8
softirqs last disabled at (7811): [<ffffdf1f708166e0>] ____do_softirq+0x10/0x20
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(_xmit_ETHER#2);
<Interrupt>
lock(_xmit_ETHER#2);
*** DEADLOCK ***
3 locks held by kworker/1:3/179:
#0: ffff3ec400004748 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x1f4/0x6c0
#1: ffff80000a0bbdc8 ((work_completion)(&priv->tx_onestep_tstamp)){+.+.}-{0:0}, at: process_one_work+0x1f4/0x6c0
#2: ffff3ec4036cd438 (&dev->tx_global_lock){+.+.}-{3:3}, at: netif_tx_lock+0x1c/0x34
Workqueue: events enetc_tx_onestep_tstamp
Call trace:
print_usage_bug.part.0+0x208/0x22c
mark_lock+0x7f0/0x8b0
__lock_acquire+0x7c4/0x1ce0
lock_acquire.part.0+0xe0/0x220
lock_acquire+0x68/0x84
_raw_spin_lock+0x5c/0xc0
netif_freeze_queues+0x5c/0xc0
netif_tx_lock+0x24/0x34
enetc_tx_onestep_tstamp+0x20/0x100
process_one_work+0x28c/0x6c0
worker_thread+0x74/0x450
kthread+0x118/0x11c
but I'll say it anyway: the enetc_tx_onestep_tstamp() work item runs in
process context, therefore with softirqs enabled (i.o.w., it can be
interrupted by a softirq). If we hold the netif_tx_lock() when there is
an interrupt, and the NET_TX softirq then gets scheduled, this will take
the netif_tx_lock() a second time and deadlock the kernel.
To solve this, use netif_tx_lock_bh(), which blocks softirqs from
running.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/enetc/enetc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8232e5a84d25a84a5cbda0f241a00793fb6eb608",
"status": "affected",
"version": "7294380c5211687aa4d66166984b152ee84caf5f",
"versionType": "git"
},
{
"lessThan": "e893dced1a18e77b1262f5c10169413f0ece0da7",
"status": "affected",
"version": "7294380c5211687aa4d66166984b152ee84caf5f",
"versionType": "git"
},
{
"lessThan": "3c463721a73bdb57a913e0d3124677a3758886fc",
"status": "affected",
"version": "7294380c5211687aa4d66166984b152ee84caf5f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/enetc/enetc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: enetc: avoid deadlock in enetc_tx_onestep_tstamp()\n\nThis lockdep splat says it better than I could:\n\n================================\nWARNING: inconsistent lock state\n6.2.0-rc2-07010-ga9b9500ffaac-dirty #967 Not tainted\n--------------------------------\ninconsistent {IN-SOFTIRQ-W} -\u003e {SOFTIRQ-ON-W} usage.\nkworker/1:3/179 [HC0[0]:SC0[0]:HE1:SE1] takes:\nffff3ec4036ce098 (_xmit_ETHER#2){+.?.}-{3:3}, at: netif_freeze_queues+0x5c/0xc0\n{IN-SOFTIRQ-W} state was registered at:\n _raw_spin_lock+0x5c/0xc0\n sch_direct_xmit+0x148/0x37c\n __dev_queue_xmit+0x528/0x111c\n ip6_finish_output2+0x5ec/0xb7c\n ip6_finish_output+0x240/0x3f0\n ip6_output+0x78/0x360\n ndisc_send_skb+0x33c/0x85c\n ndisc_send_rs+0x54/0x12c\n addrconf_rs_timer+0x154/0x260\n call_timer_fn+0xb8/0x3a0\n __run_timers.part.0+0x214/0x26c\n run_timer_softirq+0x3c/0x74\n __do_softirq+0x14c/0x5d8\n ____do_softirq+0x10/0x20\n call_on_irq_stack+0x2c/0x5c\n do_softirq_own_stack+0x1c/0x30\n __irq_exit_rcu+0x168/0x1a0\n irq_exit_rcu+0x10/0x40\n el1_interrupt+0x38/0x64\nirq event stamp: 7825\nhardirqs last enabled at (7825): [\u003cffffdf1f7200cae4\u003e] exit_to_kernel_mode+0x34/0x130\nhardirqs last disabled at (7823): [\u003cffffdf1f708105f0\u003e] __do_softirq+0x550/0x5d8\nsoftirqs last enabled at (7824): [\u003cffffdf1f7081050c\u003e] __do_softirq+0x46c/0x5d8\nsoftirqs last disabled at (7811): [\u003cffffdf1f708166e0\u003e] ____do_softirq+0x10/0x20\n\nother info that might help us debug this:\n Possible unsafe locking scenario:\n\n CPU0\n ----\n lock(_xmit_ETHER#2);\n \u003cInterrupt\u003e\n lock(_xmit_ETHER#2);\n\n *** DEADLOCK ***\n\n3 locks held by kworker/1:3/179:\n #0: ffff3ec400004748 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x1f4/0x6c0\n #1: ffff80000a0bbdc8 ((work_completion)(\u0026priv-\u003etx_onestep_tstamp)){+.+.}-{0:0}, at: process_one_work+0x1f4/0x6c0\n #2: ffff3ec4036cd438 (\u0026dev-\u003etx_global_lock){+.+.}-{3:3}, at: netif_tx_lock+0x1c/0x34\n\nWorkqueue: events enetc_tx_onestep_tstamp\nCall trace:\n print_usage_bug.part.0+0x208/0x22c\n mark_lock+0x7f0/0x8b0\n __lock_acquire+0x7c4/0x1ce0\n lock_acquire.part.0+0xe0/0x220\n lock_acquire+0x68/0x84\n _raw_spin_lock+0x5c/0xc0\n netif_freeze_queues+0x5c/0xc0\n netif_tx_lock+0x24/0x34\n enetc_tx_onestep_tstamp+0x20/0x100\n process_one_work+0x28c/0x6c0\n worker_thread+0x74/0x450\n kthread+0x118/0x11c\n\nbut I\u0027ll say it anyway: the enetc_tx_onestep_tstamp() work item runs in\nprocess context, therefore with softirqs enabled (i.o.w., it can be\ninterrupted by a softirq). If we hold the netif_tx_lock() when there is\nan interrupt, and the NET_TX softirq then gets scheduled, this will take\nthe netif_tx_lock() a second time and deadlock the kernel.\n\nTo solve this, use netif_tx_lock_bh(), which blocks softirqs from\nrunning."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:52.526Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8232e5a84d25a84a5cbda0f241a00793fb6eb608"
},
{
"url": "https://git.kernel.org/stable/c/e893dced1a18e77b1262f5c10169413f0ece0da7"
},
{
"url": "https://git.kernel.org/stable/c/3c463721a73bdb57a913e0d3124677a3758886fc"
}
],
"title": "net: enetc: avoid deadlock in enetc_tx_onestep_tstamp()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53022",
"datePublished": "2025-03-27T16:43:48.513Z",
"dateReserved": "2025-03-27T16:40:15.752Z",
"dateUpdated": "2025-05-04T07:47:52.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52986 (GCVE-0-2023-52986)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Check for any of tcp_bpf_prots when cloning a listener
A listening socket linked to a sockmap has its sk_prot overridden. It
points to one of the struct proto variants in tcp_bpf_prots. The variant
depends on the socket's family and which sockmap programs are attached.
A child socket cloned from a TCP listener initially inherits their sk_prot.
But before cloning is finished, we restore the child's proto to the
listener's original non-tcp_bpf_prots one. This happens in
tcp_create_openreq_child -> tcp_bpf_clone.
Today, in tcp_bpf_clone we detect if the child's proto should be restored
by checking only for the TCP_BPF_BASE proto variant. This is not
correct. The sk_prot of listening socket linked to a sockmap can point to
to any variant in tcp_bpf_prots.
If the listeners sk_prot happens to be not the TCP_BPF_BASE variant, then
the child socket unintentionally is left if the inherited sk_prot by
tcp_bpf_clone.
This leads to issues like infinite recursion on close [1], because the
child state is otherwise not set up for use with tcp_bpf_prot operations.
Adjust the check in tcp_bpf_clone to detect all of tcp_bpf_prots variants.
Note that it wouldn't be sufficient to check the socket state when
overriding the sk_prot in tcp_bpf_update_proto in order to always use the
TCP_BPF_BASE variant for listening sockets. Since commit
b8b8315e39ff ("bpf, sockmap: Remove unhash handler for BPF sockmap usage")
it is possible for a socket to transition to TCP_LISTEN state while already
linked to a sockmap, e.g. connect() -> insert into map ->
connect(AF_UNSPEC) -> listen().
[1]: https://lore.kernel.org/all/00000000000073b14905ef2e7401@google.com/
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/util_macros.h",
"net/ipv4/tcp_bpf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9bd6074e1872d22190a8da30e796cbf937d334f0",
"status": "affected",
"version": "e80251555f0befd1271e74b080bccf0ff0348bfc",
"versionType": "git"
},
{
"lessThan": "c681d7a4ed3d360de0574f4d6b7305a8de8dc54f",
"status": "affected",
"version": "e80251555f0befd1271e74b080bccf0ff0348bfc",
"versionType": "git"
},
{
"lessThan": "12b0ec7c6953e1602957926439e5297095d7d065",
"status": "affected",
"version": "e80251555f0befd1271e74b080bccf0ff0348bfc",
"versionType": "git"
},
{
"lessThan": "ddce1e091757d0259107c6c0c7262df201de2b66",
"status": "affected",
"version": "e80251555f0befd1271e74b080bccf0ff0348bfc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/util_macros.h",
"net/ipv4/tcp_bpf.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.168",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Check for any of tcp_bpf_prots when cloning a listener\n\nA listening socket linked to a sockmap has its sk_prot overridden. It\npoints to one of the struct proto variants in tcp_bpf_prots. The variant\ndepends on the socket\u0027s family and which sockmap programs are attached.\n\nA child socket cloned from a TCP listener initially inherits their sk_prot.\nBut before cloning is finished, we restore the child\u0027s proto to the\nlistener\u0027s original non-tcp_bpf_prots one. This happens in\ntcp_create_openreq_child -\u003e tcp_bpf_clone.\n\nToday, in tcp_bpf_clone we detect if the child\u0027s proto should be restored\nby checking only for the TCP_BPF_BASE proto variant. This is not\ncorrect. The sk_prot of listening socket linked to a sockmap can point to\nto any variant in tcp_bpf_prots.\n\nIf the listeners sk_prot happens to be not the TCP_BPF_BASE variant, then\nthe child socket unintentionally is left if the inherited sk_prot by\ntcp_bpf_clone.\n\nThis leads to issues like infinite recursion on close [1], because the\nchild state is otherwise not set up for use with tcp_bpf_prot operations.\n\nAdjust the check in tcp_bpf_clone to detect all of tcp_bpf_prots variants.\n\nNote that it wouldn\u0027t be sufficient to check the socket state when\noverriding the sk_prot in tcp_bpf_update_proto in order to always use the\nTCP_BPF_BASE variant for listening sockets. Since commit\nb8b8315e39ff (\"bpf, sockmap: Remove unhash handler for BPF sockmap usage\")\nit is possible for a socket to transition to TCP_LISTEN state while already\nlinked to a sockmap, e.g. connect() -\u003e insert into map -\u003e\nconnect(AF_UNSPEC) -\u003e listen().\n\n[1]: https://lore.kernel.org/all/00000000000073b14905ef2e7401@google.com/"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:46:57.942Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9bd6074e1872d22190a8da30e796cbf937d334f0"
},
{
"url": "https://git.kernel.org/stable/c/c681d7a4ed3d360de0574f4d6b7305a8de8dc54f"
},
{
"url": "https://git.kernel.org/stable/c/12b0ec7c6953e1602957926439e5297095d7d065"
},
{
"url": "https://git.kernel.org/stable/c/ddce1e091757d0259107c6c0c7262df201de2b66"
}
],
"title": "bpf, sockmap: Check for any of tcp_bpf_prots when cloning a listener",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52986",
"datePublished": "2025-03-27T16:43:23.617Z",
"dateReserved": "2025-03-27T16:40:15.741Z",
"dateUpdated": "2025-05-04T07:46:57.942Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52998 (GCVE-0-2023-52998)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: fec: Use page_pool_put_full_page when freeing rx buffers
The page_pool_release_page was used when freeing rx buffers, and this
function just unmaps the page (if mapped) and does not recycle the page.
So after hundreds of down/up the eth0, the system will out of memory.
For more details, please refer to the following reproduce steps and
bug logs. To solve this issue and refer to the doc of page pool, the
page_pool_put_full_page should be used to replace page_pool_release_page.
Because this API will try to recycle the page if the page refcnt equal to
1. After testing 20000 times, the issue can not be reproduced anymore
(about testing 391 times the issue will occur on i.MX8MN-EVK before).
Reproduce steps:
Create the test script and run the script. The script content is as
follows:
LOOPS=20000
i=1
while [ $i -le $LOOPS ]
do
echo "TINFO:ENET $curface up and down test $i times"
org_macaddr=$(cat /sys/class/net/eth0/address)
ifconfig eth0 down
ifconfig eth0 hw ether $org_macaddr up
i=$(expr $i + 1)
done
sleep 5
if cat /sys/class/net/eth0/operstate | grep 'up';then
echo "TEST PASS"
else
echo "TEST FAIL"
fi
Bug detail logs:
TINFO:ENET up and down test 391 times
[ 850.471205] Qualcomm Atheros AR8031/AR8033 30be0000.ethernet-1:00: attached PHY driver (mii_bus:phy_addr=30be0000.ethernet-1:00, irq=POLL)
[ 853.535318] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[ 853.541694] fec 30be0000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx
[ 870.590531] page_pool_release_retry() stalled pool shutdown 199 inflight 60 sec
[ 931.006557] page_pool_release_retry() stalled pool shutdown 199 inflight 120 sec
TINFO:ENET up and down test 392 times
[ 991.426544] page_pool_release_retry() stalled pool shutdown 192 inflight 181 sec
[ 1051.838531] page_pool_release_retry() stalled pool shutdown 170 inflight 241 sec
[ 1093.751217] Qualcomm Atheros AR8031/AR8033 30be0000.ethernet-1:00: attached PHY driver (mii_bus:phy_addr=30be0000.ethernet-1:00, irq=POLL)
[ 1096.446520] page_pool_release_retry() stalled pool shutdown 308 inflight 60 sec
[ 1096.831245] fec 30be0000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx
[ 1096.839092] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[ 1112.254526] page_pool_release_retry() stalled pool shutdown 103 inflight 302 sec
[ 1156.862533] page_pool_release_retry() stalled pool shutdown 308 inflight 120 sec
[ 1172.674516] page_pool_release_retry() stalled pool shutdown 103 inflight 362 sec
[ 1217.278532] page_pool_release_retry() stalled pool shutdown 308 inflight 181 sec
TINFO:ENET up and down test 393 times
[ 1233.086535] page_pool_release_retry() stalled pool shutdown 103 inflight 422 sec
[ 1277.698513] page_pool_release_retry() stalled pool shutdown 308 inflight 241 sec
[ 1293.502525] page_pool_release_retry() stalled pool shutdown 86 inflight 483 sec
[ 1338.110518] page_pool_release_retry() stalled pool shutdown 308 inflight 302 sec
[ 1353.918540] page_pool_release_retry() stalled pool shutdown 32 inflight 543 sec
[ 1361.179205] Qualcomm Atheros AR8031/AR8033 30be0000.ethernet-1:00: attached PHY driver (mii_bus:phy_addr=30be0000.ethernet-1:00, irq=POLL)
[ 1364.255298] fec 30be0000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx
[ 1364.263189] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[ 1371.998532] page_pool_release_retry() stalled pool shutdown 310 inflight 60 sec
[ 1398.530542] page_pool_release_retry() stalled pool shutdown 308 inflight 362 sec
[ 1414.334539] page_pool_release_retry() stalled pool shutdown 16 inflight 604 sec
[ 1432.414520] page_pool_release_retry() stalled pool shutdown 310 inflight 120 sec
[ 1458.942523] page_pool_release_retry() stalled pool shutdown 308 inflight 422 sec
[ 1474.750521] page_pool_release_retry() stalled pool shutdown 16 inflight 664 sec
TINFO:ENET up and down test 394 times
[ 1492.8305
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/fec_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "554484a34e985a307756ee4794e60be31e3db2e5",
"status": "affected",
"version": "95698ff6177b5f1f13f251da60e7348413046ae4",
"versionType": "git"
},
{
"lessThan": "e38553bdc377e3e7a6caa9dd9770d8b644d8dac3",
"status": "affected",
"version": "95698ff6177b5f1f13f251da60e7348413046ae4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/freescale/fec_main.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fec: Use page_pool_put_full_page when freeing rx buffers\n\nThe page_pool_release_page was used when freeing rx buffers, and this\nfunction just unmaps the page (if mapped) and does not recycle the page.\nSo after hundreds of down/up the eth0, the system will out of memory.\nFor more details, please refer to the following reproduce steps and\nbug logs. To solve this issue and refer to the doc of page pool, the\npage_pool_put_full_page should be used to replace page_pool_release_page.\nBecause this API will try to recycle the page if the page refcnt equal to\n1. After testing 20000 times, the issue can not be reproduced anymore\n(about testing 391 times the issue will occur on i.MX8MN-EVK before).\n\nReproduce steps:\nCreate the test script and run the script. The script content is as\nfollows:\nLOOPS=20000\ni=1\nwhile [ $i -le $LOOPS ]\ndo\n echo \"TINFO:ENET $curface up and down test $i times\"\n org_macaddr=$(cat /sys/class/net/eth0/address)\n ifconfig eth0 down\n ifconfig eth0 hw ether $org_macaddr up\n i=$(expr $i + 1)\ndone\nsleep 5\nif cat /sys/class/net/eth0/operstate | grep \u0027up\u0027;then\n echo \"TEST PASS\"\nelse\n echo \"TEST FAIL\"\nfi\n\nBug detail logs:\nTINFO:ENET up and down test 391 times\n[ 850.471205] Qualcomm Atheros AR8031/AR8033 30be0000.ethernet-1:00: attached PHY driver (mii_bus:phy_addr=30be0000.ethernet-1:00, irq=POLL)\n[ 853.535318] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready\n[ 853.541694] fec 30be0000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx\n[ 870.590531] page_pool_release_retry() stalled pool shutdown 199 inflight 60 sec\n[ 931.006557] page_pool_release_retry() stalled pool shutdown 199 inflight 120 sec\nTINFO:ENET up and down test 392 times\n[ 991.426544] page_pool_release_retry() stalled pool shutdown 192 inflight 181 sec\n[ 1051.838531] page_pool_release_retry() stalled pool shutdown 170 inflight 241 sec\n[ 1093.751217] Qualcomm Atheros AR8031/AR8033 30be0000.ethernet-1:00: attached PHY driver (mii_bus:phy_addr=30be0000.ethernet-1:00, irq=POLL)\n[ 1096.446520] page_pool_release_retry() stalled pool shutdown 308 inflight 60 sec\n[ 1096.831245] fec 30be0000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx\n[ 1096.839092] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready\n[ 1112.254526] page_pool_release_retry() stalled pool shutdown 103 inflight 302 sec\n[ 1156.862533] page_pool_release_retry() stalled pool shutdown 308 inflight 120 sec\n[ 1172.674516] page_pool_release_retry() stalled pool shutdown 103 inflight 362 sec\n[ 1217.278532] page_pool_release_retry() stalled pool shutdown 308 inflight 181 sec\nTINFO:ENET up and down test 393 times\n[ 1233.086535] page_pool_release_retry() stalled pool shutdown 103 inflight 422 sec\n[ 1277.698513] page_pool_release_retry() stalled pool shutdown 308 inflight 241 sec\n[ 1293.502525] page_pool_release_retry() stalled pool shutdown 86 inflight 483 sec\n[ 1338.110518] page_pool_release_retry() stalled pool shutdown 308 inflight 302 sec\n[ 1353.918540] page_pool_release_retry() stalled pool shutdown 32 inflight 543 sec\n[ 1361.179205] Qualcomm Atheros AR8031/AR8033 30be0000.ethernet-1:00: attached PHY driver (mii_bus:phy_addr=30be0000.ethernet-1:00, irq=POLL)\n[ 1364.255298] fec 30be0000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx\n[ 1364.263189] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready\n[ 1371.998532] page_pool_release_retry() stalled pool shutdown 310 inflight 60 sec\n[ 1398.530542] page_pool_release_retry() stalled pool shutdown 308 inflight 362 sec\n[ 1414.334539] page_pool_release_retry() stalled pool shutdown 16 inflight 604 sec\n[ 1432.414520] page_pool_release_retry() stalled pool shutdown 310 inflight 120 sec\n[ 1458.942523] page_pool_release_retry() stalled pool shutdown 308 inflight 422 sec\n[ 1474.750521] page_pool_release_retry() stalled pool shutdown 16 inflight 664 sec\nTINFO:ENET up and down test 394 times\n[ 1492.8305\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:12.519Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/554484a34e985a307756ee4794e60be31e3db2e5"
},
{
"url": "https://git.kernel.org/stable/c/e38553bdc377e3e7a6caa9dd9770d8b644d8dac3"
}
],
"title": "net: fec: Use page_pool_put_full_page when freeing rx buffers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52998",
"datePublished": "2025-03-27T16:43:31.817Z",
"dateReserved": "2025-03-27T16:40:15.742Z",
"dateUpdated": "2025-05-04T07:47:12.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53016 (GCVE-0-2023-53016)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Fix possible deadlock in rfcomm_sk_state_change
syzbot reports a possible deadlock in rfcomm_sk_state_change [1].
While rfcomm_sock_connect acquires the sk lock and waits for
the rfcomm lock, rfcomm_sock_release could have the rfcomm
lock and hit a deadlock for acquiring the sk lock.
Here's a simplified flow:
rfcomm_sock_connect:
lock_sock(sk)
rfcomm_dlc_open:
rfcomm_lock()
rfcomm_sock_release:
rfcomm_sock_shutdown:
rfcomm_lock()
__rfcomm_dlc_close:
rfcomm_k_state_change:
lock_sock(sk)
This patch drops the sk lock before calling rfcomm_dlc_open to
avoid the possible deadlock and holds sk's reference count to
prevent use-after-free after rfcomm_dlc_open completes.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/rfcomm/sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "98aec50ff7f60cc6f2d6a4396b475c547e58b04d",
"status": "affected",
"version": "1804fdf6e494e5e2938c65d8391690b59bcff897",
"versionType": "git"
},
{
"lessThan": "17511bd84871f4a6106cb335616e086880313f3f",
"status": "affected",
"version": "1804fdf6e494e5e2938c65d8391690b59bcff897",
"versionType": "git"
},
{
"lessThan": "1d80d57ffcb55488f0ec0b77928d4f82d16b6a90",
"status": "affected",
"version": "1804fdf6e494e5e2938c65d8391690b59bcff897",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/rfcomm/sock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix possible deadlock in rfcomm_sk_state_change\n\nsyzbot reports a possible deadlock in rfcomm_sk_state_change [1].\nWhile rfcomm_sock_connect acquires the sk lock and waits for\nthe rfcomm lock, rfcomm_sock_release could have the rfcomm\nlock and hit a deadlock for acquiring the sk lock.\nHere\u0027s a simplified flow:\n\nrfcomm_sock_connect:\n lock_sock(sk)\n rfcomm_dlc_open:\n rfcomm_lock()\n\nrfcomm_sock_release:\n rfcomm_sock_shutdown:\n rfcomm_lock()\n __rfcomm_dlc_close:\n rfcomm_k_state_change:\n\t lock_sock(sk)\n\nThis patch drops the sk lock before calling rfcomm_dlc_open to\navoid the possible deadlock and holds sk\u0027s reference count to\nprevent use-after-free after rfcomm_dlc_open completes."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:44.298Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/98aec50ff7f60cc6f2d6a4396b475c547e58b04d"
},
{
"url": "https://git.kernel.org/stable/c/17511bd84871f4a6106cb335616e086880313f3f"
},
{
"url": "https://git.kernel.org/stable/c/1d80d57ffcb55488f0ec0b77928d4f82d16b6a90"
}
],
"title": "Bluetooth: Fix possible deadlock in rfcomm_sk_state_change",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53016",
"datePublished": "2025-03-27T16:43:44.528Z",
"dateReserved": "2025-03-27T16:40:15.750Z",
"dateUpdated": "2025-05-04T07:47:44.298Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49744 (GCVE-0-2022-49744)
Vulnerability from cvelistv5
Published
2025-03-27 16:42
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/uffd: fix pte marker when fork() without fork event
Patch series "mm: Fixes on pte markers".
Patch 1 resolves the syzkiller report from Pengfei.
Patch 2 further harden pte markers when used with the recent swapin error
markers. The major case is we should persist a swapin error marker after
fork(), so child shouldn't read a corrupted page.
This patch (of 2):
When fork(), dst_vma is not guaranteed to have VM_UFFD_WP even if src may
have it and has pte marker installed. The warning is improper along with
the comment. The right thing is to inherit the pte marker when needed, or
keep the dst pte empty.
A vague guess is this happened by an accident when there's the prior patch
to introduce src/dst vma into this helper during the uffd-wp feature got
developed and I probably messed up in the rebase, since if we replace
dst_vma with src_vma the warning & comment it all makes sense too.
Hugetlb did exactly the right here (copy_hugetlb_page_range()). Fix the
general path.
Reproducer:
https://github.com/xupengfe/syzkaller_logs/blob/main/221208_115556_copy_page_range/repro.c
Bugzilla report: https://bugzilla.kernel.org/show_bug.cgi?id=216808
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/memory.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2d11727655bf931776fb541f5862daf04bd5bf02",
"status": "affected",
"version": "c56d1b62cce83695823c13e52f73e92eb568c0c1",
"versionType": "git"
},
{
"lessThan": "49d6d7fb631345b0f2957a7c4be24ad63903150f",
"status": "affected",
"version": "c56d1b62cce83695823c13e52f73e92eb568c0c1",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/memory.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/uffd: fix pte marker when fork() without fork event\n\nPatch series \"mm: Fixes on pte markers\".\n\nPatch 1 resolves the syzkiller report from Pengfei.\n\nPatch 2 further harden pte markers when used with the recent swapin error\nmarkers. The major case is we should persist a swapin error marker after\nfork(), so child shouldn\u0027t read a corrupted page.\n\n\nThis patch (of 2):\n\nWhen fork(), dst_vma is not guaranteed to have VM_UFFD_WP even if src may\nhave it and has pte marker installed. The warning is improper along with\nthe comment. The right thing is to inherit the pte marker when needed, or\nkeep the dst pte empty.\n\nA vague guess is this happened by an accident when there\u0027s the prior patch\nto introduce src/dst vma into this helper during the uffd-wp feature got\ndeveloped and I probably messed up in the rebase, since if we replace\ndst_vma with src_vma the warning \u0026 comment it all makes sense too.\n\nHugetlb did exactly the right here (copy_hugetlb_page_range()). Fix the\ngeneral path.\n\nReproducer:\n\nhttps://github.com/xupengfe/syzkaller_logs/blob/main/221208_115556_copy_page_range/repro.c\n\nBugzilla report: https://bugzilla.kernel.org/show_bug.cgi?id=216808"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:27.429Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2d11727655bf931776fb541f5862daf04bd5bf02"
},
{
"url": "https://git.kernel.org/stable/c/49d6d7fb631345b0f2957a7c4be24ad63903150f"
}
],
"title": "mm/uffd: fix pte marker when fork() without fork event",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49744",
"datePublished": "2025-03-27T16:42:54.897Z",
"dateReserved": "2025-03-27T16:39:17.987Z",
"dateUpdated": "2025-05-04T08:44:27.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21869 (GCVE-0-2025-21869)
Vulnerability from cvelistv5
Published
2025-03-27 13:38
Modified
2025-05-04 07:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/code-patching: Disable KASAN report during patching via temporary mm
Erhard reports the following KASAN hit on Talos II (power9) with kernel 6.13:
[ 12.028126] ==================================================================
[ 12.028198] BUG: KASAN: user-memory-access in copy_to_kernel_nofault+0x8c/0x1a0
[ 12.028260] Write of size 8 at addr 0000187e458f2000 by task systemd/1
[ 12.028346] CPU: 87 UID: 0 PID: 1 Comm: systemd Tainted: G T 6.13.0-P9-dirty #3
[ 12.028408] Tainted: [T]=RANDSTRUCT
[ 12.028446] Hardware name: T2P9D01 REV 1.01 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV
[ 12.028500] Call Trace:
[ 12.028536] [c000000008dbf3b0] [c000000001656a48] dump_stack_lvl+0xbc/0x110 (unreliable)
[ 12.028609] [c000000008dbf3f0] [c0000000006e2fc8] print_report+0x6b0/0x708
[ 12.028666] [c000000008dbf4e0] [c0000000006e2454] kasan_report+0x164/0x300
[ 12.028725] [c000000008dbf600] [c0000000006e54d4] kasan_check_range+0x314/0x370
[ 12.028784] [c000000008dbf640] [c0000000006e6310] __kasan_check_write+0x20/0x40
[ 12.028842] [c000000008dbf660] [c000000000578e8c] copy_to_kernel_nofault+0x8c/0x1a0
[ 12.028902] [c000000008dbf6a0] [c0000000000acfe4] __patch_instructions+0x194/0x210
[ 12.028965] [c000000008dbf6e0] [c0000000000ade80] patch_instructions+0x150/0x590
[ 12.029026] [c000000008dbf7c0] [c0000000001159bc] bpf_arch_text_copy+0x6c/0xe0
[ 12.029085] [c000000008dbf800] [c000000000424250] bpf_jit_binary_pack_finalize+0x40/0xc0
[ 12.029147] [c000000008dbf830] [c000000000115dec] bpf_int_jit_compile+0x3bc/0x930
[ 12.029206] [c000000008dbf990] [c000000000423720] bpf_prog_select_runtime+0x1f0/0x280
[ 12.029266] [c000000008dbfa00] [c000000000434b18] bpf_prog_load+0xbb8/0x1370
[ 12.029324] [c000000008dbfb70] [c000000000436ebc] __sys_bpf+0x5ac/0x2e00
[ 12.029379] [c000000008dbfd00] [c00000000043a228] sys_bpf+0x28/0x40
[ 12.029435] [c000000008dbfd20] [c000000000038eb4] system_call_exception+0x334/0x610
[ 12.029497] [c000000008dbfe50] [c00000000000c270] system_call_vectored_common+0xf0/0x280
[ 12.029561] --- interrupt: 3000 at 0x3fff82f5cfa8
[ 12.029608] NIP: 00003fff82f5cfa8 LR: 00003fff82f5cfa8 CTR: 0000000000000000
[ 12.029660] REGS: c000000008dbfe80 TRAP: 3000 Tainted: G T (6.13.0-P9-dirty)
[ 12.029735] MSR: 900000000280f032 <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI> CR: 42004848 XER: 00000000
[ 12.029855] IRQMASK: 0
GPR00: 0000000000000169 00003fffdcf789a0 00003fff83067100 0000000000000005
GPR04: 00003fffdcf78a98 0000000000000090 0000000000000000 0000000000000008
GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
GPR12: 0000000000000000 00003fff836ff7e0 c000000000010678 0000000000000000
GPR16: 0000000000000000 0000000000000000 00003fffdcf78f28 00003fffdcf78f90
GPR20: 0000000000000000 0000000000000000 0000000000000000 00003fffdcf78f80
GPR24: 00003fffdcf78f70 00003fffdcf78d10 00003fff835c7239 00003fffdcf78bd8
GPR28: 00003fffdcf78a98 0000000000000000 0000000000000000 000000011f547580
[ 12.030316] NIP [00003fff82f5cfa8] 0x3fff82f5cfa8
[ 12.030361] LR [00003fff82f5cfa8] 0x3fff82f5cfa8
[ 12.030405] --- interrupt: 3000
[ 12.030444] ==================================================================
Commit c28c15b6d28a ("powerpc/code-patching: Use temporary mm for
Radix MMU") is inspired from x86 but unlike x86 is doesn't disable
KASAN reports during patching. This wasn't a problem at the begining
because __patch_mem() is not instrumented.
Commit 465cabc97b42 ("powerpc/code-patching: introduce
patch_instructions()") use copy_to_kernel_nofault() to copy several
instructions at once. But when using temporary mm the destination is
not regular kernel memory but a kind of kernel-like memory located
in user address space.
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/lib/code-patching.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5980d4456dd66d1b6505d5ec15048bd87e8775e0",
"status": "affected",
"version": "465cabc97b42405eb89380ea6ba8d8b03e4ae1a2",
"versionType": "git"
},
{
"lessThan": "ea291447a4031f3dac5c23d55bc83fe833820d84",
"status": "affected",
"version": "465cabc97b42405eb89380ea6ba8d8b03e4ae1a2",
"versionType": "git"
},
{
"lessThan": "dc9c5166c3cb044f8a001e397195242fd6796eee",
"status": "affected",
"version": "465cabc97b42405eb89380ea6ba8d8b03e4ae1a2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/lib/code-patching.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.17",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.5",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/code-patching: Disable KASAN report during patching via temporary mm\n\nErhard reports the following KASAN hit on Talos II (power9) with kernel 6.13:\n\n[ 12.028126] ==================================================================\n[ 12.028198] BUG: KASAN: user-memory-access in copy_to_kernel_nofault+0x8c/0x1a0\n[ 12.028260] Write of size 8 at addr 0000187e458f2000 by task systemd/1\n\n[ 12.028346] CPU: 87 UID: 0 PID: 1 Comm: systemd Tainted: G T 6.13.0-P9-dirty #3\n[ 12.028408] Tainted: [T]=RANDSTRUCT\n[ 12.028446] Hardware name: T2P9D01 REV 1.01 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV\n[ 12.028500] Call Trace:\n[ 12.028536] [c000000008dbf3b0] [c000000001656a48] dump_stack_lvl+0xbc/0x110 (unreliable)\n[ 12.028609] [c000000008dbf3f0] [c0000000006e2fc8] print_report+0x6b0/0x708\n[ 12.028666] [c000000008dbf4e0] [c0000000006e2454] kasan_report+0x164/0x300\n[ 12.028725] [c000000008dbf600] [c0000000006e54d4] kasan_check_range+0x314/0x370\n[ 12.028784] [c000000008dbf640] [c0000000006e6310] __kasan_check_write+0x20/0x40\n[ 12.028842] [c000000008dbf660] [c000000000578e8c] copy_to_kernel_nofault+0x8c/0x1a0\n[ 12.028902] [c000000008dbf6a0] [c0000000000acfe4] __patch_instructions+0x194/0x210\n[ 12.028965] [c000000008dbf6e0] [c0000000000ade80] patch_instructions+0x150/0x590\n[ 12.029026] [c000000008dbf7c0] [c0000000001159bc] bpf_arch_text_copy+0x6c/0xe0\n[ 12.029085] [c000000008dbf800] [c000000000424250] bpf_jit_binary_pack_finalize+0x40/0xc0\n[ 12.029147] [c000000008dbf830] [c000000000115dec] bpf_int_jit_compile+0x3bc/0x930\n[ 12.029206] [c000000008dbf990] [c000000000423720] bpf_prog_select_runtime+0x1f0/0x280\n[ 12.029266] [c000000008dbfa00] [c000000000434b18] bpf_prog_load+0xbb8/0x1370\n[ 12.029324] [c000000008dbfb70] [c000000000436ebc] __sys_bpf+0x5ac/0x2e00\n[ 12.029379] [c000000008dbfd00] [c00000000043a228] sys_bpf+0x28/0x40\n[ 12.029435] [c000000008dbfd20] [c000000000038eb4] system_call_exception+0x334/0x610\n[ 12.029497] [c000000008dbfe50] [c00000000000c270] system_call_vectored_common+0xf0/0x280\n[ 12.029561] --- interrupt: 3000 at 0x3fff82f5cfa8\n[ 12.029608] NIP: 00003fff82f5cfa8 LR: 00003fff82f5cfa8 CTR: 0000000000000000\n[ 12.029660] REGS: c000000008dbfe80 TRAP: 3000 Tainted: G T (6.13.0-P9-dirty)\n[ 12.029735] MSR: 900000000280f032 \u003cSF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI\u003e CR: 42004848 XER: 00000000\n[ 12.029855] IRQMASK: 0\n GPR00: 0000000000000169 00003fffdcf789a0 00003fff83067100 0000000000000005\n GPR04: 00003fffdcf78a98 0000000000000090 0000000000000000 0000000000000008\n GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000\n GPR12: 0000000000000000 00003fff836ff7e0 c000000000010678 0000000000000000\n GPR16: 0000000000000000 0000000000000000 00003fffdcf78f28 00003fffdcf78f90\n GPR20: 0000000000000000 0000000000000000 0000000000000000 00003fffdcf78f80\n GPR24: 00003fffdcf78f70 00003fffdcf78d10 00003fff835c7239 00003fffdcf78bd8\n GPR28: 00003fffdcf78a98 0000000000000000 0000000000000000 000000011f547580\n[ 12.030316] NIP [00003fff82f5cfa8] 0x3fff82f5cfa8\n[ 12.030361] LR [00003fff82f5cfa8] 0x3fff82f5cfa8\n[ 12.030405] --- interrupt: 3000\n[ 12.030444] ==================================================================\n\nCommit c28c15b6d28a (\"powerpc/code-patching: Use temporary mm for\nRadix MMU\") is inspired from x86 but unlike x86 is doesn\u0027t disable\nKASAN reports during patching. This wasn\u0027t a problem at the begining\nbecause __patch_mem() is not instrumented.\n\nCommit 465cabc97b42 (\"powerpc/code-patching: introduce\npatch_instructions()\") use copy_to_kernel_nofault() to copy several\ninstructions at once. But when using temporary mm the destination is\nnot regular kernel memory but a kind of kernel-like memory located\nin user address space. \n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:22:53.274Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5980d4456dd66d1b6505d5ec15048bd87e8775e0"
},
{
"url": "https://git.kernel.org/stable/c/ea291447a4031f3dac5c23d55bc83fe833820d84"
},
{
"url": "https://git.kernel.org/stable/c/dc9c5166c3cb044f8a001e397195242fd6796eee"
}
],
"title": "powerpc/code-patching: Disable KASAN report during patching via temporary mm",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21869",
"datePublished": "2025-03-27T13:38:22.229Z",
"dateReserved": "2024-12-29T08:45:45.781Z",
"dateUpdated": "2025-05-04T07:22:53.274Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49745 (GCVE-0-2022-49745)
Vulnerability from cvelistv5
Published
2025-03-27 16:42
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fpga: m10bmc-sec: Fix probe rollback
Handle probe error rollbacks properly to avoid leaks.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/fpga/intel-m10-bmc-sec-update.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "74cff472d3d66db13b5ef64f40dfa42383f71ff7",
"status": "affected",
"version": "5cd339b370e29b04b85fbb83f40496991465318e",
"versionType": "git"
},
{
"lessThan": "60ce26d10e5850f33cc76fce52f5377045e75a15",
"status": "affected",
"version": "5cd339b370e29b04b85fbb83f40496991465318e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/fpga/intel-m10-bmc-sec-update.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfpga: m10bmc-sec: Fix probe rollback\n\nHandle probe error rollbacks properly to avoid leaks."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:28.654Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/74cff472d3d66db13b5ef64f40dfa42383f71ff7"
},
{
"url": "https://git.kernel.org/stable/c/60ce26d10e5850f33cc76fce52f5377045e75a15"
}
],
"title": "fpga: m10bmc-sec: Fix probe rollback",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49745",
"datePublished": "2025-03-27T16:42:55.754Z",
"dateReserved": "2025-03-27T16:39:17.987Z",
"dateUpdated": "2025-05-04T08:44:28.654Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52938 (GCVE-0-2023-52938)
Vulnerability from cvelistv5
Published
2025-03-27 16:37
Modified
2025-05-04 12:49
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: typec: ucsi: Don't attempt to resume the ports before they exist
This will fix null pointer dereference that was caused by
the driver attempting to resume ports that were not yet
registered.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/typec/ucsi/ucsi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fdd11d7136fd070b3a74d6d8799d9eac28a57fc5",
"status": "affected",
"version": "9222912924fcf56e2d166a503eddbdb5ffd2005f",
"versionType": "git"
},
{
"lessThan": "f82060da749c611ed427523b6d1605d87338aac1",
"status": "affected",
"version": "e0dced9c7d4763fd97c86a13902d135f03cc42eb",
"versionType": "git"
},
{
"status": "affected",
"version": "160416b397c362e37b590040a089604dd1f37de1",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/typec/ucsi/ucsi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6.1.11",
"status": "affected",
"version": "6.1.1",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "6.1.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: Don\u0027t attempt to resume the ports before they exist\n\nThis will fix null pointer dereference that was caused by\nthe driver attempting to resume ports that were not yet\nregistered."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:49:54.805Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fdd11d7136fd070b3a74d6d8799d9eac28a57fc5"
},
{
"url": "https://git.kernel.org/stable/c/f82060da749c611ed427523b6d1605d87338aac1"
}
],
"title": "usb: typec: ucsi: Don\u0027t attempt to resume the ports before they exist",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52938",
"datePublished": "2025-03-27T16:37:17.372Z",
"dateReserved": "2024-08-21T06:07:11.021Z",
"dateUpdated": "2025-05-04T12:49:54.805Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49756 (GCVE-0-2022-49756)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
phy: usb: sunplus: Fix potential null-ptr-deref in sp_usb_phy_probe()
sp_usb_phy_probe() will call platform_get_resource_byname() that may fail
and return NULL. devm_ioremap() will use usbphy->moon4_res_mem->start as
input, which may causes null-ptr-deref. Check the ret value of
platform_get_resource_byname() to avoid the null-ptr-deref.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/phy/sunplus/phy-sunplus-usb2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d838b5c99bcecd593b4710a93fce8fdbf122395b",
"status": "affected",
"version": "99d9ccd97385208b78b3d88e756451f4b70119fc",
"versionType": "git"
},
{
"lessThan": "17eee264ef386ef30a69dd70e36f29893b85c170",
"status": "affected",
"version": "99d9ccd97385208b78b3d88e756451f4b70119fc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/phy/sunplus/phy-sunplus-usb2.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: usb: sunplus: Fix potential null-ptr-deref in sp_usb_phy_probe()\n\nsp_usb_phy_probe() will call platform_get_resource_byname() that may fail\nand return NULL. devm_ioremap() will use usbphy-\u003emoon4_res_mem-\u003estart as\ninput, which may causes null-ptr-deref. Check the ret value of\nplatform_get_resource_byname() to avoid the null-ptr-deref."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:43.450Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d838b5c99bcecd593b4710a93fce8fdbf122395b"
},
{
"url": "https://git.kernel.org/stable/c/17eee264ef386ef30a69dd70e36f29893b85c170"
}
],
"title": "phy: usb: sunplus: Fix potential null-ptr-deref in sp_usb_phy_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49756",
"datePublished": "2025-03-27T16:43:03.950Z",
"dateReserved": "2025-03-27T16:39:17.989Z",
"dateUpdated": "2025-05-04T08:44:43.450Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21890 (GCVE-0-2025-21890)
Vulnerability from cvelistv5
Published
2025-03-27 14:57
Modified
2025-05-04 07:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
idpf: fix checksums set in idpf_rx_rsc()
idpf_rx_rsc() uses skb_transport_offset(skb) while the transport header
is not set yet.
This triggers the following warning for CONFIG_DEBUG_NET=y builds.
DEBUG_NET_WARN_ON_ONCE(!skb_transport_header_was_set(skb))
[ 69.261620] WARNING: CPU: 7 PID: 0 at ./include/linux/skbuff.h:3020 idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf
[ 69.261629] Modules linked in: vfat fat dummy bridge intel_uncore_frequency_tpmi intel_uncore_frequency_common intel_vsec_tpmi idpf intel_vsec cdc_ncm cdc_eem cdc_ether usbnet mii xhci_pci xhci_hcd ehci_pci ehci_hcd libeth
[ 69.261644] CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Tainted: G S W 6.14.0-smp-DEV #1697
[ 69.261648] Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN
[ 69.261650] RIP: 0010:idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf
[ 69.261677] ? __warn (kernel/panic.c:242 kernel/panic.c:748)
[ 69.261682] ? idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf
[ 69.261687] ? report_bug (lib/bug.c:?)
[ 69.261690] ? handle_bug (arch/x86/kernel/traps.c:285)
[ 69.261694] ? exc_invalid_op (arch/x86/kernel/traps.c:309)
[ 69.261697] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:621)
[ 69.261700] ? __pfx_idpf_vport_splitq_napi_poll (drivers/net/ethernet/intel/idpf/idpf_txrx.c:4011) idpf
[ 69.261704] ? idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf
[ 69.261708] ? idpf_vport_splitq_napi_poll (drivers/net/ethernet/intel/idpf/idpf_txrx.c:3072) idpf
[ 69.261712] __napi_poll (net/core/dev.c:7194)
[ 69.261716] net_rx_action (net/core/dev.c:7265)
[ 69.261718] ? __qdisc_run (net/sched/sch_generic.c:293)
[ 69.261721] ? sched_clock (arch/x86/include/asm/preempt.h:84 arch/x86/kernel/tsc.c:288)
[ 69.261726] handle_softirqs (kernel/softirq.c:561)
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf_txrx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4279bbebe00ffdbfd1a77567961886e35465cbdc",
"status": "affected",
"version": "3a8845af66edb340ba9210bb8a0da040c7d6e590",
"versionType": "git"
},
{
"lessThan": "57e68f256911f3ab4b997141975561646ccbbb8c",
"status": "affected",
"version": "3a8845af66edb340ba9210bb8a0da040c7d6e590",
"versionType": "git"
},
{
"lessThan": "674fcb4f4a7e3e277417a01788cc6daae47c3804",
"status": "affected",
"version": "3a8845af66edb340ba9210bb8a0da040c7d6e590",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf_txrx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.18",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.6",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix checksums set in idpf_rx_rsc()\n\nidpf_rx_rsc() uses skb_transport_offset(skb) while the transport header\nis not set yet.\n\nThis triggers the following warning for CONFIG_DEBUG_NET=y builds.\n\nDEBUG_NET_WARN_ON_ONCE(!skb_transport_header_was_set(skb))\n\n[ 69.261620] WARNING: CPU: 7 PID: 0 at ./include/linux/skbuff.h:3020 idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf\n[ 69.261629] Modules linked in: vfat fat dummy bridge intel_uncore_frequency_tpmi intel_uncore_frequency_common intel_vsec_tpmi idpf intel_vsec cdc_ncm cdc_eem cdc_ether usbnet mii xhci_pci xhci_hcd ehci_pci ehci_hcd libeth\n[ 69.261644] CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Tainted: G S W 6.14.0-smp-DEV #1697\n[ 69.261648] Tainted: [S]=CPU_OUT_OF_SPEC, [W]=WARN\n[ 69.261650] RIP: 0010:idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf\n[ 69.261677] ? __warn (kernel/panic.c:242 kernel/panic.c:748)\n[ 69.261682] ? idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf\n[ 69.261687] ? report_bug (lib/bug.c:?)\n[ 69.261690] ? handle_bug (arch/x86/kernel/traps.c:285)\n[ 69.261694] ? exc_invalid_op (arch/x86/kernel/traps.c:309)\n[ 69.261697] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:621)\n[ 69.261700] ? __pfx_idpf_vport_splitq_napi_poll (drivers/net/ethernet/intel/idpf/idpf_txrx.c:4011) idpf\n[ 69.261704] ? idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf\n[ 69.261708] ? idpf_vport_splitq_napi_poll (drivers/net/ethernet/intel/idpf/idpf_txrx.c:3072) idpf\n[ 69.261712] __napi_poll (net/core/dev.c:7194)\n[ 69.261716] net_rx_action (net/core/dev.c:7265)\n[ 69.261718] ? __qdisc_run (net/sched/sch_generic.c:293)\n[ 69.261721] ? sched_clock (arch/x86/include/asm/preempt.h:84 arch/x86/kernel/tsc.c:288)\n[ 69.261726] handle_softirqs (kernel/softirq.c:561)"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:23:26.126Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4279bbebe00ffdbfd1a77567961886e35465cbdc"
},
{
"url": "https://git.kernel.org/stable/c/57e68f256911f3ab4b997141975561646ccbbb8c"
},
{
"url": "https://git.kernel.org/stable/c/674fcb4f4a7e3e277417a01788cc6daae47c3804"
}
],
"title": "idpf: fix checksums set in idpf_rx_rsc()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21890",
"datePublished": "2025-03-27T14:57:16.525Z",
"dateReserved": "2024-12-29T08:45:45.783Z",
"dateUpdated": "2025-05-04T07:23:26.126Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53014 (GCVE-0-2023-53014)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: tegra: Fix memory leak in terminate_all()
Terminate vdesc when terminating an ongoing transfer.
This will ensure that the vdesc is present in the desc_terminated list
The descriptor will be freed later in desc_free_list().
This fixes the memory leaks which can happen when terminating an
ongoing transfer.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/tegra186-gpc-dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "567128076d554e41609c61b7d447089094ff72c5",
"status": "affected",
"version": "ee17028009d49fffed8cc963455d33b1fd3f1d08",
"versionType": "git"
},
{
"lessThan": "a7a7ee6f5a019ad72852c001abbce50d35e992f2",
"status": "affected",
"version": "ee17028009d49fffed8cc963455d33b1fd3f1d08",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/tegra186-gpc-dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: tegra: Fix memory leak in terminate_all()\n\nTerminate vdesc when terminating an ongoing transfer.\nThis will ensure that the vdesc is present in the desc_terminated list\nThe descriptor will be freed later in desc_free_list().\n\nThis fixes the memory leaks which can happen when terminating an\nongoing transfer."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:37.094Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/567128076d554e41609c61b7d447089094ff72c5"
},
{
"url": "https://git.kernel.org/stable/c/a7a7ee6f5a019ad72852c001abbce50d35e992f2"
}
],
"title": "dmaengine: tegra: Fix memory leak in terminate_all()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53014",
"datePublished": "2025-03-27T16:43:43.172Z",
"dateReserved": "2025-03-27T16:40:15.749Z",
"dateUpdated": "2025-05-04T07:47:37.094Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21868 (GCVE-0-2025-21868)
Vulnerability from cvelistv5
Published
2025-03-27 13:38
Modified
2025-05-04 07:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: allow small head cache usage with large MAX_SKB_FRAGS values
Sabrina reported the following splat:
WARNING: CPU: 0 PID: 1 at net/core/dev.c:6935 netif_napi_add_weight_locked+0x8f2/0xba0
Modules linked in:
CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.14.0-rc1-net-00092-g011b03359038 #996
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014
RIP: 0010:netif_napi_add_weight_locked+0x8f2/0xba0
Code: e8 c3 e6 6a fe 48 83 c4 28 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc c7 44 24 10 ff ff ff ff e9 8f fb ff ff e8 9e e6 6a fe <0f> 0b e9 d3 fe ff ff e8 92 e6 6a fe 48 8b 04 24 be ff ff ff ff 48
RSP: 0000:ffffc9000001fc60 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff88806ce48128 RCX: 1ffff11001664b9e
RDX: ffff888008f00040 RSI: ffffffff8317ca42 RDI: ffff88800b325cb6
RBP: ffff88800b325c40 R08: 0000000000000001 R09: ffffed100167502c
R10: ffff88800b3a8163 R11: 0000000000000000 R12: ffff88800ac1c168
R13: ffff88800ac1c168 R14: ffff88800ac1c168 R15: 0000000000000007
FS: 0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff888008201000 CR3: 0000000004c94001 CR4: 0000000000370ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
gro_cells_init+0x1ba/0x270
xfrm_input_init+0x4b/0x2a0
xfrm_init+0x38/0x50
ip_rt_init+0x2d7/0x350
ip_init+0xf/0x20
inet_init+0x406/0x590
do_one_initcall+0x9d/0x2e0
do_initcalls+0x23b/0x280
kernel_init_freeable+0x445/0x490
kernel_init+0x20/0x1d0
ret_from_fork+0x46/0x80
ret_from_fork_asm+0x1a/0x30
</TASK>
irq event stamp: 584330
hardirqs last enabled at (584338): [<ffffffff8168bf87>] __up_console_sem+0x77/0xb0
hardirqs last disabled at (584345): [<ffffffff8168bf6c>] __up_console_sem+0x5c/0xb0
softirqs last enabled at (583242): [<ffffffff833ee96d>] netlink_insert+0x14d/0x470
softirqs last disabled at (583754): [<ffffffff8317c8cd>] netif_napi_add_weight_locked+0x77d/0xba0
on kernel built with MAX_SKB_FRAGS=45, where SKB_WITH_OVERHEAD(1024)
is smaller than GRO_MAX_HEAD.
Such built additionally contains the revert of the single page frag cache
so that napi_get_frags() ends up using the page frag allocator, triggering
the splat.
Note that the underlying issue is independent from the mentioned
revert; address it ensuring that the small head cache will fit either TCP
and GRO allocation and updating napi_alloc_skb() and __netdev_alloc_skb()
to select kmalloc() usage for any allocation fitting such cache.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/gro.h",
"net/core/gro.c",
"net/core/skbuff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ed0ca7d2127c63991cfaf1932b827e3f4f8ee480",
"status": "affected",
"version": "3948b05950fdd64002a5f182c65ba5cf2d53cf71",
"versionType": "git"
},
{
"lessThan": "648e440c98e260dec835e48a5d7a9993477b1f9d",
"status": "affected",
"version": "3948b05950fdd64002a5f182c65ba5cf2d53cf71",
"versionType": "git"
},
{
"lessThan": "14ad6ed30a10afbe91b0749d6378285f4225d482",
"status": "affected",
"version": "3948b05950fdd64002a5f182c65ba5cf2d53cf71",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/gro.h",
"net/core/gro.c",
"net/core/skbuff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.17",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.5",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: allow small head cache usage with large MAX_SKB_FRAGS values\n\nSabrina reported the following splat:\n\n WARNING: CPU: 0 PID: 1 at net/core/dev.c:6935 netif_napi_add_weight_locked+0x8f2/0xba0\n Modules linked in:\n CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.14.0-rc1-net-00092-g011b03359038 #996\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014\n RIP: 0010:netif_napi_add_weight_locked+0x8f2/0xba0\n Code: e8 c3 e6 6a fe 48 83 c4 28 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc c7 44 24 10 ff ff ff ff e9 8f fb ff ff e8 9e e6 6a fe \u003c0f\u003e 0b e9 d3 fe ff ff e8 92 e6 6a fe 48 8b 04 24 be ff ff ff ff 48\n RSP: 0000:ffffc9000001fc60 EFLAGS: 00010293\n RAX: 0000000000000000 RBX: ffff88806ce48128 RCX: 1ffff11001664b9e\n RDX: ffff888008f00040 RSI: ffffffff8317ca42 RDI: ffff88800b325cb6\n RBP: ffff88800b325c40 R08: 0000000000000001 R09: ffffed100167502c\n R10: ffff88800b3a8163 R11: 0000000000000000 R12: ffff88800ac1c168\n R13: ffff88800ac1c168 R14: ffff88800ac1c168 R15: 0000000000000007\n FS: 0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffff888008201000 CR3: 0000000004c94001 CR4: 0000000000370ef0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \u003cTASK\u003e\n gro_cells_init+0x1ba/0x270\n xfrm_input_init+0x4b/0x2a0\n xfrm_init+0x38/0x50\n ip_rt_init+0x2d7/0x350\n ip_init+0xf/0x20\n inet_init+0x406/0x590\n do_one_initcall+0x9d/0x2e0\n do_initcalls+0x23b/0x280\n kernel_init_freeable+0x445/0x490\n kernel_init+0x20/0x1d0\n ret_from_fork+0x46/0x80\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n irq event stamp: 584330\n hardirqs last enabled at (584338): [\u003cffffffff8168bf87\u003e] __up_console_sem+0x77/0xb0\n hardirqs last disabled at (584345): [\u003cffffffff8168bf6c\u003e] __up_console_sem+0x5c/0xb0\n softirqs last enabled at (583242): [\u003cffffffff833ee96d\u003e] netlink_insert+0x14d/0x470\n softirqs last disabled at (583754): [\u003cffffffff8317c8cd\u003e] netif_napi_add_weight_locked+0x77d/0xba0\n\non kernel built with MAX_SKB_FRAGS=45, where SKB_WITH_OVERHEAD(1024)\nis smaller than GRO_MAX_HEAD.\n\nSuch built additionally contains the revert of the single page frag cache\nso that napi_get_frags() ends up using the page frag allocator, triggering\nthe splat.\n\nNote that the underlying issue is independent from the mentioned\nrevert; address it ensuring that the small head cache will fit either TCP\nand GRO allocation and updating napi_alloc_skb() and __netdev_alloc_skb()\nto select kmalloc() usage for any allocation fitting such cache."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:22:51.827Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ed0ca7d2127c63991cfaf1932b827e3f4f8ee480"
},
{
"url": "https://git.kernel.org/stable/c/648e440c98e260dec835e48a5d7a9993477b1f9d"
},
{
"url": "https://git.kernel.org/stable/c/14ad6ed30a10afbe91b0749d6378285f4225d482"
}
],
"title": "net: allow small head cache usage with large MAX_SKB_FRAGS values",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21868",
"datePublished": "2025-03-27T13:38:21.586Z",
"dateReserved": "2024-12-29T08:45:45.781Z",
"dateUpdated": "2025-05-04T07:22:51.827Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49740 (GCVE-0-2022-49740)
Vulnerability from cvelistv5
Published
2025-03-27 16:42
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: Check the count value of channel spec to prevent out-of-bounds reads
This patch fixes slab-out-of-bounds reads in brcmfmac that occur in
brcmf_construct_chaninfo() and brcmf_enable_bw40_2g() when the count
value of channel specifications provided by the device is greater than
the length of 'list->element[]', decided by the size of the 'list'
allocated with kzalloc(). The patch adds checks that make the functions
free the buffer and return -EINVAL if that is the case. Note that the
negative return is handled by the caller, brcmf_setup_wiphybands() or
brcmf_cfg80211_attach().
Found by a modified version of syzkaller.
Crash Report from brcmf_construct_chaninfo():
==================================================================
BUG: KASAN: slab-out-of-bounds in brcmf_setup_wiphybands+0x1238/0x1430
Read of size 4 at addr ffff888115f24600 by task kworker/0:2/1896
CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G W O 5.14.0+ #132
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Workqueue: usb_hub_wq hub_event
Call Trace:
dump_stack_lvl+0x57/0x7d
print_address_description.constprop.0.cold+0x93/0x334
kasan_report.cold+0x83/0xdf
brcmf_setup_wiphybands+0x1238/0x1430
brcmf_cfg80211_attach+0x2118/0x3fd0
brcmf_attach+0x389/0xd40
brcmf_usb_probe+0x12de/0x1690
usb_probe_interface+0x25f/0x710
really_probe+0x1be/0xa90
__driver_probe_device+0x2ab/0x460
driver_probe_device+0x49/0x120
__device_attach_driver+0x18a/0x250
bus_for_each_drv+0x123/0x1a0
__device_attach+0x207/0x330
bus_probe_device+0x1a2/0x260
device_add+0xa61/0x1ce0
usb_set_configuration+0x984/0x1770
usb_generic_driver_probe+0x69/0x90
usb_probe_device+0x9c/0x220
really_probe+0x1be/0xa90
__driver_probe_device+0x2ab/0x460
driver_probe_device+0x49/0x120
__device_attach_driver+0x18a/0x250
bus_for_each_drv+0x123/0x1a0
__device_attach+0x207/0x330
bus_probe_device+0x1a2/0x260
device_add+0xa61/0x1ce0
usb_new_device.cold+0x463/0xf66
hub_event+0x10d5/0x3330
process_one_work+0x873/0x13e0
worker_thread+0x8b/0xd10
kthread+0x379/0x450
ret_from_fork+0x1f/0x30
Allocated by task 1896:
kasan_save_stack+0x1b/0x40
__kasan_kmalloc+0x7c/0x90
kmem_cache_alloc_trace+0x19e/0x330
brcmf_setup_wiphybands+0x290/0x1430
brcmf_cfg80211_attach+0x2118/0x3fd0
brcmf_attach+0x389/0xd40
brcmf_usb_probe+0x12de/0x1690
usb_probe_interface+0x25f/0x710
really_probe+0x1be/0xa90
__driver_probe_device+0x2ab/0x460
driver_probe_device+0x49/0x120
__device_attach_driver+0x18a/0x250
bus_for_each_drv+0x123/0x1a0
__device_attach+0x207/0x330
bus_probe_device+0x1a2/0x260
device_add+0xa61/0x1ce0
usb_set_configuration+0x984/0x1770
usb_generic_driver_probe+0x69/0x90
usb_probe_device+0x9c/0x220
really_probe+0x1be/0xa90
__driver_probe_device+0x2ab/0x460
driver_probe_device+0x49/0x120
__device_attach_driver+0x18a/0x250
bus_for_each_drv+0x123/0x1a0
__device_attach+0x207/0x330
bus_probe_device+0x1a2/0x260
device_add+0xa61/0x1ce0
usb_new_device.cold+0x463/0xf66
hub_event+0x10d5/0x3330
process_one_work+0x873/0x13e0
worker_thread+0x8b/0xd10
kthread+0x379/0x450
ret_from_fork+0x1f/0x30
The buggy address belongs to the object at ffff888115f24000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1536 bytes inside of
2048-byte region [ffff888115f24000, ffff888115f24800)
Memory state around the buggy address:
ffff888115f24500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888115f24580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888115f24600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff888115f24680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888115f24700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Crash Report from brcmf_enable_bw40_2g():
==========
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9cf5e99c1ae1a85286a76c9a970202750538394c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b2e412879595821ff1b5545cbed5f108fba7f5b6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "e4991910f15013db72f6ec0db7038ea67a57052e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f06de1bb6d61f0c18b0213bbc6298960037f9d42",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4920ab131b2dbae7464b72bdcac465d070254209",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.232",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.232",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.168",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Check the count value of channel spec to prevent out-of-bounds reads\n\nThis patch fixes slab-out-of-bounds reads in brcmfmac that occur in\nbrcmf_construct_chaninfo() and brcmf_enable_bw40_2g() when the count\nvalue of channel specifications provided by the device is greater than\nthe length of \u0027list-\u003eelement[]\u0027, decided by the size of the \u0027list\u0027\nallocated with kzalloc(). The patch adds checks that make the functions\nfree the buffer and return -EINVAL if that is the case. Note that the\nnegative return is handled by the caller, brcmf_setup_wiphybands() or\nbrcmf_cfg80211_attach().\n\nFound by a modified version of syzkaller.\n\nCrash Report from brcmf_construct_chaninfo():\n==================================================================\nBUG: KASAN: slab-out-of-bounds in brcmf_setup_wiphybands+0x1238/0x1430\nRead of size 4 at addr ffff888115f24600 by task kworker/0:2/1896\n\nCPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G W O 5.14.0+ #132\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n dump_stack_lvl+0x57/0x7d\n print_address_description.constprop.0.cold+0x93/0x334\n kasan_report.cold+0x83/0xdf\n brcmf_setup_wiphybands+0x1238/0x1430\n brcmf_cfg80211_attach+0x2118/0x3fd0\n brcmf_attach+0x389/0xd40\n brcmf_usb_probe+0x12de/0x1690\n usb_probe_interface+0x25f/0x710\n really_probe+0x1be/0xa90\n __driver_probe_device+0x2ab/0x460\n driver_probe_device+0x49/0x120\n __device_attach_driver+0x18a/0x250\n bus_for_each_drv+0x123/0x1a0\n __device_attach+0x207/0x330\n bus_probe_device+0x1a2/0x260\n device_add+0xa61/0x1ce0\n usb_set_configuration+0x984/0x1770\n usb_generic_driver_probe+0x69/0x90\n usb_probe_device+0x9c/0x220\n really_probe+0x1be/0xa90\n __driver_probe_device+0x2ab/0x460\n driver_probe_device+0x49/0x120\n __device_attach_driver+0x18a/0x250\n bus_for_each_drv+0x123/0x1a0\n __device_attach+0x207/0x330\n bus_probe_device+0x1a2/0x260\n device_add+0xa61/0x1ce0\n usb_new_device.cold+0x463/0xf66\n hub_event+0x10d5/0x3330\n process_one_work+0x873/0x13e0\n worker_thread+0x8b/0xd10\n kthread+0x379/0x450\n ret_from_fork+0x1f/0x30\n\nAllocated by task 1896:\n kasan_save_stack+0x1b/0x40\n __kasan_kmalloc+0x7c/0x90\n kmem_cache_alloc_trace+0x19e/0x330\n brcmf_setup_wiphybands+0x290/0x1430\n brcmf_cfg80211_attach+0x2118/0x3fd0\n brcmf_attach+0x389/0xd40\n brcmf_usb_probe+0x12de/0x1690\n usb_probe_interface+0x25f/0x710\n really_probe+0x1be/0xa90\n __driver_probe_device+0x2ab/0x460\n driver_probe_device+0x49/0x120\n __device_attach_driver+0x18a/0x250\n bus_for_each_drv+0x123/0x1a0\n __device_attach+0x207/0x330\n bus_probe_device+0x1a2/0x260\n device_add+0xa61/0x1ce0\n usb_set_configuration+0x984/0x1770\n usb_generic_driver_probe+0x69/0x90\n usb_probe_device+0x9c/0x220\n really_probe+0x1be/0xa90\n __driver_probe_device+0x2ab/0x460\n driver_probe_device+0x49/0x120\n __device_attach_driver+0x18a/0x250\n bus_for_each_drv+0x123/0x1a0\n __device_attach+0x207/0x330\n bus_probe_device+0x1a2/0x260\n device_add+0xa61/0x1ce0\n usb_new_device.cold+0x463/0xf66\n hub_event+0x10d5/0x3330\n process_one_work+0x873/0x13e0\n worker_thread+0x8b/0xd10\n kthread+0x379/0x450\n ret_from_fork+0x1f/0x30\n\nThe buggy address belongs to the object at ffff888115f24000\n which belongs to the cache kmalloc-2k of size 2048\nThe buggy address is located 1536 bytes inside of\n 2048-byte region [ffff888115f24000, ffff888115f24800)\n\nMemory state around the buggy address:\n ffff888115f24500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff888115f24580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n\u003effff888115f24600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n ^\n ffff888115f24680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n ffff888115f24700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n==================================================================\n\nCrash Report from brcmf_enable_bw40_2g():\n==========\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:22.376Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9cf5e99c1ae1a85286a76c9a970202750538394c"
},
{
"url": "https://git.kernel.org/stable/c/b2e412879595821ff1b5545cbed5f108fba7f5b6"
},
{
"url": "https://git.kernel.org/stable/c/e4991910f15013db72f6ec0db7038ea67a57052e"
},
{
"url": "https://git.kernel.org/stable/c/f06de1bb6d61f0c18b0213bbc6298960037f9d42"
},
{
"url": "https://git.kernel.org/stable/c/4920ab131b2dbae7464b72bdcac465d070254209"
}
],
"title": "wifi: brcmfmac: Check the count value of channel spec to prevent out-of-bounds reads",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49740",
"datePublished": "2025-03-27T16:42:52.222Z",
"dateReserved": "2025-03-27T16:39:17.986Z",
"dateUpdated": "2025-05-04T08:44:22.376Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53021 (GCVE-0-2023-53021)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_taprio: fix possible use-after-free
syzbot reported a nasty crash [1] in net_tx_action() which
made little sense until we got a repro.
This repro installs a taprio qdisc, but providing an
invalid TCA_RATE attribute.
qdisc_create() has to destroy the just initialized
taprio qdisc, and taprio_destroy() is called.
However, the hrtimer used by taprio had already fired,
therefore advance_sched() called __netif_schedule().
Then net_tx_action was trying to use a destroyed qdisc.
We can not undo the __netif_schedule(), so we must wait
until one cpu serviced the qdisc before we can proceed.
Many thanks to Alexander Potapenko for his help.
[1]
BUG: KMSAN: uninit-value in queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline]
BUG: KMSAN: uninit-value in do_raw_spin_trylock include/linux/spinlock.h:191 [inline]
BUG: KMSAN: uninit-value in __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]
BUG: KMSAN: uninit-value in _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138
queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline]
do_raw_spin_trylock include/linux/spinlock.h:191 [inline]
__raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]
_raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138
spin_trylock include/linux/spinlock.h:359 [inline]
qdisc_run_begin include/net/sch_generic.h:187 [inline]
qdisc_run+0xee/0x540 include/net/pkt_sched.h:125
net_tx_action+0x77c/0x9a0 net/core/dev.c:5086
__do_softirq+0x1cc/0x7fb kernel/softirq.c:571
run_ksoftirqd+0x2c/0x50 kernel/softirq.c:934
smpboot_thread_fn+0x554/0x9f0 kernel/smpboot.c:164
kthread+0x31b/0x430 kernel/kthread.c:376
ret_from_fork+0x1f/0x30
Uninit was created at:
slab_post_alloc_hook mm/slab.h:732 [inline]
slab_alloc_node mm/slub.c:3258 [inline]
__kmalloc_node_track_caller+0x814/0x1250 mm/slub.c:4970
kmalloc_reserve net/core/skbuff.c:358 [inline]
__alloc_skb+0x346/0xcf0 net/core/skbuff.c:430
alloc_skb include/linux/skbuff.h:1257 [inline]
nlmsg_new include/net/netlink.h:953 [inline]
netlink_ack+0x5f3/0x12b0 net/netlink/af_netlink.c:2436
netlink_rcv_skb+0x55d/0x6c0 net/netlink/af_netlink.c:2507
rtnetlink_rcv+0x30/0x40 net/core/rtnetlink.c:6108
netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
netlink_unicast+0xf3b/0x1270 net/netlink/af_netlink.c:1345
netlink_sendmsg+0x1288/0x1440 net/netlink/af_netlink.c:1921
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg net/socket.c:734 [inline]
____sys_sendmsg+0xabc/0xe90 net/socket.c:2482
___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2536
__sys_sendmsg net/socket.c:2565 [inline]
__do_sys_sendmsg net/socket.c:2574 [inline]
__se_sys_sendmsg net/socket.c:2572 [inline]
__x64_sys_sendmsg+0x367/0x540 net/socket.c:2572
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
CPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 6.0.0-rc2-syzkaller-47461-gac3859c02d7f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 5a781ccbd19e4664babcbe4b4ead7aa2b9283d22 Version: 5a781ccbd19e4664babcbe4b4ead7aa2b9283d22 Version: 5a781ccbd19e4664babcbe4b4ead7aa2b9283d22 Version: 5a781ccbd19e4664babcbe4b4ead7aa2b9283d22 Version: 5a781ccbd19e4664babcbe4b4ead7aa2b9283d22 |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53021",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T17:01:12.195276Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T17:08:23.724Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/net/sch_generic.h",
"net/sched/sch_taprio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1200388a0b1c3c6fda48d4d2143db8f7e4ef5348",
"status": "affected",
"version": "5a781ccbd19e4664babcbe4b4ead7aa2b9283d22",
"versionType": "git"
},
{
"lessThan": "c60fe70078d6e515f424cb868d07e00411b27fbc",
"status": "affected",
"version": "5a781ccbd19e4664babcbe4b4ead7aa2b9283d22",
"versionType": "git"
},
{
"lessThan": "c53acbf2facfdfabdc6e6984a1a38f5d38b606a1",
"status": "affected",
"version": "5a781ccbd19e4664babcbe4b4ead7aa2b9283d22",
"versionType": "git"
},
{
"lessThan": "d3b2d2820a005e43855fa71b80c4a4b194201c60",
"status": "affected",
"version": "5a781ccbd19e4664babcbe4b4ead7aa2b9283d22",
"versionType": "git"
},
{
"lessThan": "3a415d59c1dbec9d772dbfab2d2520d98360caae",
"status": "affected",
"version": "5a781ccbd19e4664babcbe4b4ead7aa2b9283d22",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/net/sch_generic.h",
"net/sched/sch_taprio.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.20"
},
{
"lessThan": "4.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "4.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_taprio: fix possible use-after-free\n\nsyzbot reported a nasty crash [1] in net_tx_action() which\nmade little sense until we got a repro.\n\nThis repro installs a taprio qdisc, but providing an\ninvalid TCA_RATE attribute.\n\nqdisc_create() has to destroy the just initialized\ntaprio qdisc, and taprio_destroy() is called.\n\nHowever, the hrtimer used by taprio had already fired,\ntherefore advance_sched() called __netif_schedule().\n\nThen net_tx_action was trying to use a destroyed qdisc.\n\nWe can not undo the __netif_schedule(), so we must wait\nuntil one cpu serviced the qdisc before we can proceed.\n\nMany thanks to Alexander Potapenko for his help.\n\n[1]\nBUG: KMSAN: uninit-value in queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline]\nBUG: KMSAN: uninit-value in do_raw_spin_trylock include/linux/spinlock.h:191 [inline]\nBUG: KMSAN: uninit-value in __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]\nBUG: KMSAN: uninit-value in _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138\n queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline]\n do_raw_spin_trylock include/linux/spinlock.h:191 [inline]\n __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]\n _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138\n spin_trylock include/linux/spinlock.h:359 [inline]\n qdisc_run_begin include/net/sch_generic.h:187 [inline]\n qdisc_run+0xee/0x540 include/net/pkt_sched.h:125\n net_tx_action+0x77c/0x9a0 net/core/dev.c:5086\n __do_softirq+0x1cc/0x7fb kernel/softirq.c:571\n run_ksoftirqd+0x2c/0x50 kernel/softirq.c:934\n smpboot_thread_fn+0x554/0x9f0 kernel/smpboot.c:164\n kthread+0x31b/0x430 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30\n\nUninit was created at:\n slab_post_alloc_hook mm/slab.h:732 [inline]\n slab_alloc_node mm/slub.c:3258 [inline]\n __kmalloc_node_track_caller+0x814/0x1250 mm/slub.c:4970\n kmalloc_reserve net/core/skbuff.c:358 [inline]\n __alloc_skb+0x346/0xcf0 net/core/skbuff.c:430\n alloc_skb include/linux/skbuff.h:1257 [inline]\n nlmsg_new include/net/netlink.h:953 [inline]\n netlink_ack+0x5f3/0x12b0 net/netlink/af_netlink.c:2436\n netlink_rcv_skb+0x55d/0x6c0 net/netlink/af_netlink.c:2507\n rtnetlink_rcv+0x30/0x40 net/core/rtnetlink.c:6108\n netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n netlink_unicast+0xf3b/0x1270 net/netlink/af_netlink.c:1345\n netlink_sendmsg+0x1288/0x1440 net/netlink/af_netlink.c:1921\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg net/socket.c:734 [inline]\n ____sys_sendmsg+0xabc/0xe90 net/socket.c:2482\n ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2536\n __sys_sendmsg net/socket.c:2565 [inline]\n __do_sys_sendmsg net/socket.c:2574 [inline]\n __se_sys_sendmsg net/socket.c:2572 [inline]\n __x64_sys_sendmsg+0x367/0x540 net/socket.c:2572\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nCPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 6.0.0-rc2-syzkaller-47461-gac3859c02d7f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:51.116Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1200388a0b1c3c6fda48d4d2143db8f7e4ef5348"
},
{
"url": "https://git.kernel.org/stable/c/c60fe70078d6e515f424cb868d07e00411b27fbc"
},
{
"url": "https://git.kernel.org/stable/c/c53acbf2facfdfabdc6e6984a1a38f5d38b606a1"
},
{
"url": "https://git.kernel.org/stable/c/d3b2d2820a005e43855fa71b80c4a4b194201c60"
},
{
"url": "https://git.kernel.org/stable/c/3a415d59c1dbec9d772dbfab2d2520d98360caae"
}
],
"title": "net/sched: sch_taprio: fix possible use-after-free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53021",
"datePublished": "2025-03-27T16:43:47.860Z",
"dateReserved": "2025-03-27T16:40:15.752Z",
"dateUpdated": "2025-05-04T07:47:51.116Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52928 (GCVE-0-2023-52928)
Vulnerability from cvelistv5
Published
2025-03-27 16:37
Modified
2025-05-04 07:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Skip invalid kfunc call in backtrack_insn
The verifier skips invalid kfunc call in check_kfunc_call(), which
would be captured in fixup_kfunc_call() if such insn is not eliminated
by dead code elimination. However, this can lead to the following
warning in backtrack_insn(), also see [1]:
------------[ cut here ]------------
verifier backtracking bug
WARNING: CPU: 6 PID: 8646 at kernel/bpf/verifier.c:2756 backtrack_insn
kernel/bpf/verifier.c:2756
__mark_chain_precision kernel/bpf/verifier.c:3065
mark_chain_precision kernel/bpf/verifier.c:3165
adjust_reg_min_max_vals kernel/bpf/verifier.c:10715
check_alu_op kernel/bpf/verifier.c:10928
do_check kernel/bpf/verifier.c:13821 [inline]
do_check_common kernel/bpf/verifier.c:16289
[...]
So make backtracking conservative with this by returning ENOTSUPP.
[1] https://lore.kernel.org/bpf/CACkBjsaXNceR8ZjkLG=dT3P=4A8SBsg0Z5h5PWLryF5=ghKq=g@mail.gmail.com/
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6e2fac197de2c4c041bdd8982cffb104689113f1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "74eec8266f37aff609db6a2f2b093e56a11c28c4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d3178e8a434b58678d99257c0387810a24042fb6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Skip invalid kfunc call in backtrack_insn\n\nThe verifier skips invalid kfunc call in check_kfunc_call(), which\nwould be captured in fixup_kfunc_call() if such insn is not eliminated\nby dead code elimination. However, this can lead to the following\nwarning in backtrack_insn(), also see [1]:\n\n ------------[ cut here ]------------\n verifier backtracking bug\n WARNING: CPU: 6 PID: 8646 at kernel/bpf/verifier.c:2756 backtrack_insn\n kernel/bpf/verifier.c:2756\n\t__mark_chain_precision kernel/bpf/verifier.c:3065\n\tmark_chain_precision kernel/bpf/verifier.c:3165\n\tadjust_reg_min_max_vals kernel/bpf/verifier.c:10715\n\tcheck_alu_op kernel/bpf/verifier.c:10928\n\tdo_check kernel/bpf/verifier.c:13821 [inline]\n\tdo_check_common kernel/bpf/verifier.c:16289\n [...]\n\nSo make backtracking conservative with this by returning ENOTSUPP.\n\n [1] https://lore.kernel.org/bpf/CACkBjsaXNceR8ZjkLG=dT3P=4A8SBsg0Z5h5PWLryF5=ghKq=g@mail.gmail.com/"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:46:11.461Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6e2fac197de2c4c041bdd8982cffb104689113f1"
},
{
"url": "https://git.kernel.org/stable/c/74eec8266f37aff609db6a2f2b093e56a11c28c4"
},
{
"url": "https://git.kernel.org/stable/c/d3178e8a434b58678d99257c0387810a24042fb6"
}
],
"title": "bpf: Skip invalid kfunc call in backtrack_insn",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52928",
"datePublished": "2025-03-27T16:37:10.471Z",
"dateReserved": "2024-08-21T06:07:11.018Z",
"dateUpdated": "2025-05-04T07:46:11.461Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52991 (GCVE-0-2023-52991)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: fix NULL pointer in skb_segment_list
Commit 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.")
introduced UDP listifyed GRO. The segmentation relies on frag_list being
untouched when passing through the network stack. This assumption can be
broken sometimes, where frag_list itself gets pulled into linear area,
leaving frag_list being NULL. When this happens it can trigger
following NULL pointer dereference, and panic the kernel. Reverse the
test condition should fix it.
[19185.577801][ C1] BUG: kernel NULL pointer dereference, address:
...
[19185.663775][ C1] RIP: 0010:skb_segment_list+0x1cc/0x390
...
[19185.834644][ C1] Call Trace:
[19185.841730][ C1] <TASK>
[19185.848563][ C1] __udp_gso_segment+0x33e/0x510
[19185.857370][ C1] inet_gso_segment+0x15b/0x3e0
[19185.866059][ C1] skb_mac_gso_segment+0x97/0x110
[19185.874939][ C1] __skb_gso_segment+0xb2/0x160
[19185.883646][ C1] udp_queue_rcv_skb+0xc3/0x1d0
[19185.892319][ C1] udp_unicast_rcv_skb+0x75/0x90
[19185.900979][ C1] ip_protocol_deliver_rcu+0xd2/0x200
[19185.910003][ C1] ip_local_deliver_finish+0x44/0x60
[19185.918757][ C1] __netif_receive_skb_one_core+0x8b/0xa0
[19185.927834][ C1] process_backlog+0x88/0x130
[19185.935840][ C1] __napi_poll+0x27/0x150
[19185.943447][ C1] net_rx_action+0x27e/0x5f0
[19185.951331][ C1] ? mlx5_cq_tasklet_cb+0x70/0x160 [mlx5_core]
[19185.960848][ C1] __do_softirq+0xbc/0x25d
[19185.968607][ C1] irq_exit_rcu+0x83/0xb0
[19185.976247][ C1] common_interrupt+0x43/0xa0
[19185.984235][ C1] asm_common_interrupt+0x22/0x40
...
[19186.094106][ C1] </TASK>
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/skbuff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6446369fb9f083ce032448c5047da08e298b22e6",
"status": "affected",
"version": "3a1296a38d0cf62bffb9a03c585cbd5dbf15d596",
"versionType": "git"
},
{
"lessThan": "046de74f9af92ae9ffce75fa22a1795223f4fb54",
"status": "affected",
"version": "3a1296a38d0cf62bffb9a03c585cbd5dbf15d596",
"versionType": "git"
},
{
"lessThan": "888dad6f3e85e3b2f8389bd6478f181efc72534d",
"status": "affected",
"version": "3a1296a38d0cf62bffb9a03c585cbd5dbf15d596",
"versionType": "git"
},
{
"lessThan": "876e8ca8366735a604bac86ff7e2732fc9d85d2d",
"status": "affected",
"version": "3a1296a38d0cf62bffb9a03c585cbd5dbf15d596",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/skbuff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.167",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.92",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.10",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix NULL pointer in skb_segment_list\n\nCommit 3a1296a38d0c (\"net: Support GRO/GSO fraglist chaining.\")\nintroduced UDP listifyed GRO. The segmentation relies on frag_list being\nuntouched when passing through the network stack. This assumption can be\nbroken sometimes, where frag_list itself gets pulled into linear area,\nleaving frag_list being NULL. When this happens it can trigger\nfollowing NULL pointer dereference, and panic the kernel. Reverse the\ntest condition should fix it.\n\n[19185.577801][ C1] BUG: kernel NULL pointer dereference, address:\n...\n[19185.663775][ C1] RIP: 0010:skb_segment_list+0x1cc/0x390\n...\n[19185.834644][ C1] Call Trace:\n[19185.841730][ C1] \u003cTASK\u003e\n[19185.848563][ C1] __udp_gso_segment+0x33e/0x510\n[19185.857370][ C1] inet_gso_segment+0x15b/0x3e0\n[19185.866059][ C1] skb_mac_gso_segment+0x97/0x110\n[19185.874939][ C1] __skb_gso_segment+0xb2/0x160\n[19185.883646][ C1] udp_queue_rcv_skb+0xc3/0x1d0\n[19185.892319][ C1] udp_unicast_rcv_skb+0x75/0x90\n[19185.900979][ C1] ip_protocol_deliver_rcu+0xd2/0x200\n[19185.910003][ C1] ip_local_deliver_finish+0x44/0x60\n[19185.918757][ C1] __netif_receive_skb_one_core+0x8b/0xa0\n[19185.927834][ C1] process_backlog+0x88/0x130\n[19185.935840][ C1] __napi_poll+0x27/0x150\n[19185.943447][ C1] net_rx_action+0x27e/0x5f0\n[19185.951331][ C1] ? mlx5_cq_tasklet_cb+0x70/0x160 [mlx5_core]\n[19185.960848][ C1] __do_softirq+0xbc/0x25d\n[19185.968607][ C1] irq_exit_rcu+0x83/0xb0\n[19185.976247][ C1] common_interrupt+0x43/0xa0\n[19185.984235][ C1] asm_common_interrupt+0x22/0x40\n...\n[19186.094106][ C1] \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:02.849Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6446369fb9f083ce032448c5047da08e298b22e6"
},
{
"url": "https://git.kernel.org/stable/c/046de74f9af92ae9ffce75fa22a1795223f4fb54"
},
{
"url": "https://git.kernel.org/stable/c/888dad6f3e85e3b2f8389bd6478f181efc72534d"
},
{
"url": "https://git.kernel.org/stable/c/876e8ca8366735a604bac86ff7e2732fc9d85d2d"
}
],
"title": "net: fix NULL pointer in skb_segment_list",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52991",
"datePublished": "2025-03-27T16:43:26.991Z",
"dateReserved": "2025-03-27T16:40:15.741Z",
"dateUpdated": "2025-05-04T07:47:02.849Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53002 (GCVE-0-2023-53002)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/i915: Fix a memory leak with reused mmap_offset
drm_vma_node_allow() and drm_vma_node_revoke() should be called in
balanced pairs. We call drm_vma_node_allow() once per-file everytime a
user calls mmap_offset, but only call drm_vma_node_revoke once per-file
on each mmap_offset. As the mmap_offset is reused by the client, the
per-file vm_count may remain non-zero and the rbtree leaked.
Call drm_vma_node_allow_once() instead to prevent that memory leak.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gem/i915_gem_mman.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0bdc4b4ba7206c452ee81c82fa66e39d0e1780fb",
"status": "affected",
"version": "7865559872074a9ab169c87915504661d630addf",
"versionType": "git"
},
{
"lessThan": "0220e4fe178c3390eb0291cdb34912d66972db8a",
"status": "affected",
"version": "7865559872074a9ab169c87915504661d630addf",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/i915/gem/i915_gem_mman.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915: Fix a memory leak with reused mmap_offset\n\ndrm_vma_node_allow() and drm_vma_node_revoke() should be called in\nbalanced pairs. We call drm_vma_node_allow() once per-file everytime a\nuser calls mmap_offset, but only call drm_vma_node_revoke once per-file\non each mmap_offset. As the mmap_offset is reused by the client, the\nper-file vm_count may remain non-zero and the rbtree leaked.\n\nCall drm_vma_node_allow_once() instead to prevent that memory leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:17.790Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0bdc4b4ba7206c452ee81c82fa66e39d0e1780fb"
},
{
"url": "https://git.kernel.org/stable/c/0220e4fe178c3390eb0291cdb34912d66972db8a"
}
],
"title": "drm/i915: Fix a memory leak with reused mmap_offset",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53002",
"datePublished": "2025-03-27T16:43:34.479Z",
"dateReserved": "2025-03-27T16:40:15.744Z",
"dateUpdated": "2025-05-04T07:47:17.790Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53004 (GCVE-0-2023-53004)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ovl: fix tmpfile leak
Missed an error cleanup.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/overlayfs/copy_up.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "caa0ea92503f8afa1941f6ac899e5c4e3f6ec8bb",
"status": "affected",
"version": "2b1a77461f1602f870d6fe61fc65610bb8c8dd05",
"versionType": "git"
},
{
"lessThan": "baabaa505563362b71f2637aedd7b807d270656c",
"status": "affected",
"version": "2b1a77461f1602f870d6fe61fc65610bb8c8dd05",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/overlayfs/copy_up.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\novl: fix tmpfile leak\n\nMissed an error cleanup."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:20.315Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/caa0ea92503f8afa1941f6ac899e5c4e3f6ec8bb"
},
{
"url": "https://git.kernel.org/stable/c/baabaa505563362b71f2637aedd7b807d270656c"
}
],
"title": "ovl: fix tmpfile leak",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53004",
"datePublished": "2025-03-27T16:43:35.854Z",
"dateReserved": "2025-03-27T16:40:15.744Z",
"dateUpdated": "2025-05-04T07:47:20.315Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49748 (GCVE-0-2022-49748)
Vulnerability from cvelistv5
Published
2025-03-27 16:42
Modified
2025-05-04 12:45
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf/x86/amd: fix potential integer overflow on shift of a int
The left shift of int 32 bit integer constant 1 is evaluated using 32 bit
arithmetic and then passed as a 64 bit function argument. In the case where
i is 32 or more this can lead to an overflow. Avoid this by shifting
using the BIT_ULL macro instead.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: d8a6a443ff0aea5893f0a7f2726973b496b76420 Version: 471af006a747f1c535c8a8c6c0973c320fe01b22 Version: 471af006a747f1c535c8a8c6c0973c320fe01b22 Version: 471af006a747f1c535c8a8c6c0973c320fe01b22 Version: 471af006a747f1c535c8a8c6c0973c320fe01b22 Version: 3512462036dbe44d88e93e75ee8a993781183ddb |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/events/amd/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fbf7b0e4cef3b5470b610f14fb9faa5ee7f63954",
"status": "affected",
"version": "d8a6a443ff0aea5893f0a7f2726973b496b76420",
"versionType": "git"
},
{
"lessThan": "f84c9b72fb200633774704d8020f769c88a4b249",
"status": "affected",
"version": "471af006a747f1c535c8a8c6c0973c320fe01b22",
"versionType": "git"
},
{
"lessThan": "14cc13e433e1067557435b1adbf05608d7d47a93",
"status": "affected",
"version": "471af006a747f1c535c8a8c6c0973c320fe01b22",
"versionType": "git"
},
{
"lessThan": "a4d01fb87ece45d4164fd725890211ccf9a307a9",
"status": "affected",
"version": "471af006a747f1c535c8a8c6c0973c320fe01b22",
"versionType": "git"
},
{
"lessThan": "08245672cdc6505550d1a5020603b0a8d4a6dcc7",
"status": "affected",
"version": "471af006a747f1c535c8a8c6c0973c320fe01b22",
"versionType": "git"
},
{
"status": "affected",
"version": "3512462036dbe44d88e93e75ee8a993781183ddb",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/events/amd/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "5.4.22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/amd: fix potential integer overflow on shift of a int\n\nThe left shift of int 32 bit integer constant 1 is evaluated using 32 bit\narithmetic and then passed as a 64 bit function argument. In the case where\ni is 32 or more this can lead to an overflow. Avoid this by shifting\nusing the BIT_ULL macro instead."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:45:12.800Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fbf7b0e4cef3b5470b610f14fb9faa5ee7f63954"
},
{
"url": "https://git.kernel.org/stable/c/f84c9b72fb200633774704d8020f769c88a4b249"
},
{
"url": "https://git.kernel.org/stable/c/14cc13e433e1067557435b1adbf05608d7d47a93"
},
{
"url": "https://git.kernel.org/stable/c/a4d01fb87ece45d4164fd725890211ccf9a307a9"
},
{
"url": "https://git.kernel.org/stable/c/08245672cdc6505550d1a5020603b0a8d4a6dcc7"
}
],
"title": "perf/x86/amd: fix potential integer overflow on shift of a int",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49748",
"datePublished": "2025-03-27T16:42:57.784Z",
"dateReserved": "2025-03-27T16:39:17.987Z",
"dateUpdated": "2025-05-04T12:45:12.800Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52939 (GCVE-0-2023-52939)
Vulnerability from cvelistv5
Published
2025-03-27 16:37
Modified
2025-05-04 07:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm: memcg: fix NULL pointer in mem_cgroup_track_foreign_dirty_slowpath()
As commit 18365225f044 ("hwpoison, memcg: forcibly uncharge LRU pages"),
hwpoison will forcibly uncharg a LRU hwpoisoned page, the folio_memcg
could be NULl, then, mem_cgroup_track_foreign_dirty_slowpath() could
occurs a NULL pointer dereference, let's do not record the foreign
writebacks for folio memcg is null in mem_cgroup_track_foreign_dirty() to
fix it.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/memcontrol.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b79ba5953f6fdc5559389ad415620bffc24f024b",
"status": "affected",
"version": "97b27821b4854ca744946dae32a3f2fd55bcd5bc",
"versionType": "git"
},
{
"lessThan": "ac86f547ca1002aec2ef66b9e64d03f45bbbfbb9",
"status": "affected",
"version": "97b27821b4854ca744946dae32a3f2fd55bcd5bc",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/memcontrol.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: memcg: fix NULL pointer in mem_cgroup_track_foreign_dirty_slowpath()\n\nAs commit 18365225f044 (\"hwpoison, memcg: forcibly uncharge LRU pages\"),\nhwpoison will forcibly uncharg a LRU hwpoisoned page, the folio_memcg\ncould be NULl, then, mem_cgroup_track_foreign_dirty_slowpath() could\noccurs a NULL pointer dereference, let\u0027s do not record the foreign\nwritebacks for folio memcg is null in mem_cgroup_track_foreign_dirty() to\nfix it."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:46:25.338Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b79ba5953f6fdc5559389ad415620bffc24f024b"
},
{
"url": "https://git.kernel.org/stable/c/ac86f547ca1002aec2ef66b9e64d03f45bbbfbb9"
}
],
"title": "mm: memcg: fix NULL pointer in mem_cgroup_track_foreign_dirty_slowpath()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52939",
"datePublished": "2025-03-27T16:37:18.026Z",
"dateReserved": "2024-08-21T06:07:11.022Z",
"dateUpdated": "2025-05-04T07:46:25.338Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53018 (GCVE-0-2023-53018)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_conn: Fix memory leaks
When hci_cmd_sync_queue() failed in hci_le_terminate_big() or
hci_le_big_terminate(), the memory pointed by variable d is not freed,
which will cause memory leak. Add release process to error path.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_conn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f51a825b9f730a782aa768454906b4468e67b667",
"status": "affected",
"version": "eca0ae4aea66914515e5e3098ea051b518ee5316",
"versionType": "git"
},
{
"lessThan": "3aa21311f36d8a2730c7ccef37235e951f23927b",
"status": "affected",
"version": "eca0ae4aea66914515e5e3098ea051b518ee5316",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_conn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_conn: Fix memory leaks\n\nWhen hci_cmd_sync_queue() failed in hci_le_terminate_big() or\nhci_le_big_terminate(), the memory pointed by variable d is not freed,\nwhich will cause memory leak. Add release process to error path."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:47.069Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f51a825b9f730a782aa768454906b4468e67b667"
},
{
"url": "https://git.kernel.org/stable/c/3aa21311f36d8a2730c7ccef37235e951f23927b"
}
],
"title": "Bluetooth: hci_conn: Fix memory leaks",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53018",
"datePublished": "2025-03-27T16:43:45.849Z",
"dateReserved": "2025-03-27T16:40:15.751Z",
"dateUpdated": "2025-05-04T07:47:47.069Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21870 (GCVE-0-2025-21870)
Vulnerability from cvelistv5
Published
2025-03-27 13:38
Modified
2025-05-04 07:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: SOF: ipc4-topology: Harden loops for looking up ALH copiers
Other, non DAI copier widgets could have the same stream name (sname) as
the ALH copier and in that case the copier->data is NULL, no alh_data is
attached, which could lead to NULL pointer dereference.
We could check for this NULL pointer in sof_ipc4_prepare_copier_module()
and avoid the crash, but a similar loop in sof_ipc4_widget_setup_comp_dai()
will miscalculate the ALH device count, causing broken audio.
The correct fix is to harden the matching logic by making sure that the
1. widget is a DAI widget - so dai = w->private is valid
2. the dai (and thus the copier) is ALH copier
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/sof/ipc4-topology.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "87c8768a96092ce75cd47fe076db5080db7ac515",
"status": "affected",
"version": "a150345aa758492e05d2934f318ce7c2566b1cfe",
"versionType": "git"
},
{
"lessThan": "93c6c2e5801aab09ef1ef99f248f3cd323c3f152",
"status": "affected",
"version": "a150345aa758492e05d2934f318ce7c2566b1cfe",
"versionType": "git"
},
{
"lessThan": "6fd60136d256b3b948333ebdb3835f41a95ab7ef",
"status": "affected",
"version": "a150345aa758492e05d2934f318ce7c2566b1cfe",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/sof/ipc4-topology.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.17",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.5",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: ipc4-topology: Harden loops for looking up ALH copiers\n\nOther, non DAI copier widgets could have the same stream name (sname) as\nthe ALH copier and in that case the copier-\u003edata is NULL, no alh_data is\nattached, which could lead to NULL pointer dereference.\nWe could check for this NULL pointer in sof_ipc4_prepare_copier_module()\nand avoid the crash, but a similar loop in sof_ipc4_widget_setup_comp_dai()\nwill miscalculate the ALH device count, causing broken audio.\n\nThe correct fix is to harden the matching logic by making sure that the\n1. widget is a DAI widget - so dai = w-\u003eprivate is valid\n2. the dai (and thus the copier) is ALH copier"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:22:54.538Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/87c8768a96092ce75cd47fe076db5080db7ac515"
},
{
"url": "https://git.kernel.org/stable/c/93c6c2e5801aab09ef1ef99f248f3cd323c3f152"
},
{
"url": "https://git.kernel.org/stable/c/6fd60136d256b3b948333ebdb3835f41a95ab7ef"
}
],
"title": "ASoC: SOF: ipc4-topology: Harden loops for looking up ALH copiers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21870",
"datePublished": "2025-03-27T13:38:22.849Z",
"dateReserved": "2024-12-29T08:45:45.781Z",
"dateUpdated": "2025-05-04T07:22:54.538Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52942 (GCVE-0-2023-52942)
Vulnerability from cvelistv5
Published
2025-03-27 16:37
Modified
2025-05-04 07:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cgroup/cpuset: Fix wrong check in update_parent_subparts_cpumask()
It was found that the check to see if a partition could use up all
the cpus from the parent cpuset in update_parent_subparts_cpumask()
was incorrect. As a result, it is possible to leave parent with no
effective cpu left even if there are tasks in the parent cpuset. This
can lead to system panic as reported in [1].
Fix this probem by updating the check to fail the enabling the partition
if parent's effective_cpus is a subset of the child's cpus_allowed.
Also record the error code when an error happens in update_prstate()
and add a test case where parent partition and child have the same cpu
list and parent has task. Enabling partition in the child will fail in
this case.
[1] https://www.spinics.net/lists/cgroups/msg36254.html
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/cgroup/cpuset.c",
"tools/testing/selftests/cgroup/test_cpuset_prs.sh"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a2ab7f2cf5ef8f0c6212a246e681d1fe358cec1f",
"status": "affected",
"version": "f0af1bfc27b52a4d42510051154c61bd176a8f06",
"versionType": "git"
},
{
"lessThan": "e5ae8803847b80fe9d744a3174abe2b7bfed222a",
"status": "affected",
"version": "f0af1bfc27b52a4d42510051154c61bd176a8f06",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/cgroup/cpuset.c",
"tools/testing/selftests/cgroup/test_cpuset_prs.sh"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup/cpuset: Fix wrong check in update_parent_subparts_cpumask()\n\nIt was found that the check to see if a partition could use up all\nthe cpus from the parent cpuset in update_parent_subparts_cpumask()\nwas incorrect. As a result, it is possible to leave parent with no\neffective cpu left even if there are tasks in the parent cpuset. This\ncan lead to system panic as reported in [1].\n\nFix this probem by updating the check to fail the enabling the partition\nif parent\u0027s effective_cpus is a subset of the child\u0027s cpus_allowed.\n\nAlso record the error code when an error happens in update_prstate()\nand add a test case where parent partition and child have the same cpu\nlist and parent has task. Enabling partition in the child will fail in\nthis case.\n\n[1] https://www.spinics.net/lists/cgroups/msg36254.html"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:46:34.623Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a2ab7f2cf5ef8f0c6212a246e681d1fe358cec1f"
},
{
"url": "https://git.kernel.org/stable/c/e5ae8803847b80fe9d744a3174abe2b7bfed222a"
}
],
"title": "cgroup/cpuset: Fix wrong check in update_parent_subparts_cpumask()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52942",
"datePublished": "2025-03-27T16:37:20.155Z",
"dateReserved": "2024-08-21T06:07:11.022Z",
"dateUpdated": "2025-05-04T07:46:34.623Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53032 (GCVE-0-2023-53032)
Vulnerability from cvelistv5
Published
2025-03-27 16:44
Modified
2025-05-04 07:48
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function.
When first_ip is 0, last_ip is 0xFFFFFFFF, and netmask is 31, the value of
an arithmetic expression 2 << (netmask - mask_bits - 1) is subject
to overflow due to a failure casting operands to a larger data type
before performing the arithmetic.
Note that it's harmless since the value will be checked at the next step.
Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: b9fed748185a96b7cfe74afac4bd228e8af16f01 Version: b9fed748185a96b7cfe74afac4bd228e8af16f01 Version: b9fed748185a96b7cfe74afac4bd228e8af16f01 Version: b9fed748185a96b7cfe74afac4bd228e8af16f01 Version: b9fed748185a96b7cfe74afac4bd228e8af16f01 Version: b9fed748185a96b7cfe74afac4bd228e8af16f01 Version: b9fed748185a96b7cfe74afac4bd228e8af16f01 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/ipset/ip_set_bitmap_ip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e137d9bb26bd85ce07323a38e38ceb0b160db841",
"status": "affected",
"version": "b9fed748185a96b7cfe74afac4bd228e8af16f01",
"versionType": "git"
},
{
"lessThan": "dfd834ccc1b88bbbab81b9046a3a539dd0c2d14f",
"status": "affected",
"version": "b9fed748185a96b7cfe74afac4bd228e8af16f01",
"versionType": "git"
},
{
"lessThan": "feefb33eefa166fc3e0fd17547b0bc0cb3baced9",
"status": "affected",
"version": "b9fed748185a96b7cfe74afac4bd228e8af16f01",
"versionType": "git"
},
{
"lessThan": "4e6a70fd840400e3a2e784a6673968a3eb2431c0",
"status": "affected",
"version": "b9fed748185a96b7cfe74afac4bd228e8af16f01",
"versionType": "git"
},
{
"lessThan": "511cf17b2447fc41cfef8d71936e1fa53e395c1e",
"status": "affected",
"version": "b9fed748185a96b7cfe74afac4bd228e8af16f01",
"versionType": "git"
},
{
"lessThan": "e88865876d47c790be0d5e23973499d75d034364",
"status": "affected",
"version": "b9fed748185a96b7cfe74afac4bd228e8af16f01",
"versionType": "git"
},
{
"lessThan": "9ea4b476cea1b7d461d16dda25ca3c7e616e2d15",
"status": "affected",
"version": "b9fed748185a96b7cfe74afac4bd228e8af16f01",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/ipset/ip_set_bitmap_ip.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.7"
},
{
"lessThan": "3.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.164",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.89",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.303",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.270",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.164",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.89",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.7",
"versionStartIncluding": "3.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function.\n\nWhen first_ip is 0, last_ip is 0xFFFFFFFF, and netmask is 31, the value of\nan arithmetic expression 2 \u003c\u003c (netmask - mask_bits - 1) is subject\nto overflow due to a failure casting operands to a larger data type\nbefore performing the arithmetic.\n\nNote that it\u0027s harmless since the value will be checked at the next step.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with SVACE."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:48:08.190Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e137d9bb26bd85ce07323a38e38ceb0b160db841"
},
{
"url": "https://git.kernel.org/stable/c/dfd834ccc1b88bbbab81b9046a3a539dd0c2d14f"
},
{
"url": "https://git.kernel.org/stable/c/feefb33eefa166fc3e0fd17547b0bc0cb3baced9"
},
{
"url": "https://git.kernel.org/stable/c/4e6a70fd840400e3a2e784a6673968a3eb2431c0"
},
{
"url": "https://git.kernel.org/stable/c/511cf17b2447fc41cfef8d71936e1fa53e395c1e"
},
{
"url": "https://git.kernel.org/stable/c/e88865876d47c790be0d5e23973499d75d034364"
},
{
"url": "https://git.kernel.org/stable/c/9ea4b476cea1b7d461d16dda25ca3c7e616e2d15"
}
],
"title": "netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function.",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53032",
"datePublished": "2025-03-27T16:44:00.286Z",
"dateReserved": "2025-03-27T16:40:15.757Z",
"dateUpdated": "2025-05-04T07:48:08.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-0179 (GCVE-0-2023-0179)
Vulnerability from cvelistv5
Published
2023-03-27 00:00
Modified
2025-02-19 16:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
A buffer overflow vulnerability was found in the Netfilter subsystem in the Linux Kernel. This issue could allow the leakage of both stack and heap addresses, and potentially allow Local Privilege Escalation to the root user via arbitrary code execution.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:02:43.760Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161713"
},
{
"tags": [
"x_transferred"
],
"url": "https://seclists.org/oss-sec/2023/q1/20"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/171601/Kernel-Live-Patch-Security-Notice-LNS-0093-1.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230511-0003/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-0179",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T16:11:54.896562Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T16:12:13.054Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "kernel",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "unknown"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A buffer overflow vulnerability was found in the Netfilter subsystem in the Linux Kernel. This issue could allow the leakage of both stack and heap addresses, and potentially allow Local Privilege Escalation to the root user via arbitrary code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-11T00:00:00.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2161713"
},
{
"url": "https://seclists.org/oss-sec/2023/q1/20"
},
{
"url": "http://packetstormsecurity.com/files/171601/Kernel-Live-Patch-Security-Notice-LNS-0093-1.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230511-0003/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2023-0179",
"datePublished": "2023-03-27T00:00:00.000Z",
"dateReserved": "2023-01-11T00:00:00.000Z",
"dateUpdated": "2025-02-19T16:12:13.054Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52973 (GCVE-0-2023-52973)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF
After a call to console_unlock() in vcs_read() the vc_data struct can be
freed by vc_deallocate(). Because of that, the struct vc_data pointer
load must be done at the top of while loop in vcs_read() to avoid a UAF
when vcs_size() is called.
Syzkaller reported a UAF in vcs_size().
BUG: KASAN: use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215)
Read of size 4 at addr ffff8881137479a8 by task 4a005ed81e27e65/1537
CPU: 0 PID: 1537 Comm: 4a005ed81e27e65 Not tainted 6.2.0-rc5 #1
Hardware name: Red Hat KVM, BIOS 1.15.0-2.module
Call Trace:
<TASK>
__asan_report_load4_noabort (mm/kasan/report_generic.c:350)
vcs_size (drivers/tty/vt/vc_screen.c:215)
vcs_read (drivers/tty/vt/vc_screen.c:415)
vfs_read (fs/read_write.c:468 fs/read_write.c:450)
...
</TASK>
Allocated by task 1191:
...
kmalloc_trace (mm/slab_common.c:1069)
vc_allocate (./include/linux/slab.h:580 ./include/linux/slab.h:720
drivers/tty/vt/vt.c:1128 drivers/tty/vt/vt.c:1108)
con_install (drivers/tty/vt/vt.c:3383)
tty_init_dev (drivers/tty/tty_io.c:1301 drivers/tty/tty_io.c:1413
drivers/tty/tty_io.c:1390)
tty_open (drivers/tty/tty_io.c:2080 drivers/tty/tty_io.c:2126)
chrdev_open (fs/char_dev.c:415)
do_dentry_open (fs/open.c:883)
vfs_open (fs/open.c:1014)
...
Freed by task 1548:
...
kfree (mm/slab_common.c:1021)
vc_port_destruct (drivers/tty/vt/vt.c:1094)
tty_port_destructor (drivers/tty/tty_port.c:296)
tty_port_put (drivers/tty/tty_port.c:312)
vt_disallocate_all (drivers/tty/vt/vt_ioctl.c:662 (discriminator 2))
vt_ioctl (drivers/tty/vt/vt_ioctl.c:903)
tty_ioctl (drivers/tty/tty_io.c:2776)
...
The buggy address belongs to the object at ffff888113747800
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 424 bytes inside of
1024-byte region [ffff888113747800, ffff888113747c00)
The buggy address belongs to the physical page:
page:00000000b3fe6c7c refcount:1 mapcount:0 mapping:0000000000000000
index:0x0 pfn:0x113740
head:00000000b3fe6c7c order:3 compound_mapcount:0 subpages_mapcount:0
compound_pincount:0
anon flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
raw: 0017ffffc0010200 ffff888100042dc0 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888113747880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888113747900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff888113747980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888113747a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888113747a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Disabling lock debugging due to kernel taint
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff Version: ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff Version: ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff Version: ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff Version: ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff Version: ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff Version: ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-52973",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T16:59:54.662104Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T17:08:22.708Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tty/vt/vc_screen.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "af79ea9a2443016f64d8fd8d72020cc874f0e066",
"status": "affected",
"version": "ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff",
"versionType": "git"
},
{
"lessThan": "6332f52f44b9776568bf3c0b714ddfb0bb175e78",
"status": "affected",
"version": "ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff",
"versionType": "git"
},
{
"lessThan": "d0332cbf53dad06a22189cc341391237f4ea6d9f",
"status": "affected",
"version": "ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff",
"versionType": "git"
},
{
"lessThan": "55515d7d8743b71b80bfe68e89eb9d92630626ab",
"status": "affected",
"version": "ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff",
"versionType": "git"
},
{
"lessThan": "fc9e27f3ba083534b8bbf72ab0f5c810ffdc7d18",
"status": "affected",
"version": "ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff",
"versionType": "git"
},
{
"lessThan": "8506f16aae9daf354e3732bcfd447e2a97f023df",
"status": "affected",
"version": "ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff",
"versionType": "git"
},
{
"lessThan": "226fae124b2dac217ea5436060d623ff3385bc34",
"status": "affected",
"version": "ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tty/vt/vc_screen.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.38"
},
{
"lessThan": "2.6.38",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.329",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.273",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.232",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.329",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.273",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.232",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.168",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.38",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF\n\nAfter a call to console_unlock() in vcs_read() the vc_data struct can be\nfreed by vc_deallocate(). Because of that, the struct vc_data pointer\nload must be done at the top of while loop in vcs_read() to avoid a UAF\nwhen vcs_size() is called.\n\nSyzkaller reported a UAF in vcs_size().\n\nBUG: KASAN: use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215)\nRead of size 4 at addr ffff8881137479a8 by task 4a005ed81e27e65/1537\n\nCPU: 0 PID: 1537 Comm: 4a005ed81e27e65 Not tainted 6.2.0-rc5 #1\nHardware name: Red Hat KVM, BIOS 1.15.0-2.module\nCall Trace:\n \u003cTASK\u003e\n__asan_report_load4_noabort (mm/kasan/report_generic.c:350)\nvcs_size (drivers/tty/vt/vc_screen.c:215)\nvcs_read (drivers/tty/vt/vc_screen.c:415)\nvfs_read (fs/read_write.c:468 fs/read_write.c:450)\n...\n \u003c/TASK\u003e\n\nAllocated by task 1191:\n...\nkmalloc_trace (mm/slab_common.c:1069)\nvc_allocate (./include/linux/slab.h:580 ./include/linux/slab.h:720\n drivers/tty/vt/vt.c:1128 drivers/tty/vt/vt.c:1108)\ncon_install (drivers/tty/vt/vt.c:3383)\ntty_init_dev (drivers/tty/tty_io.c:1301 drivers/tty/tty_io.c:1413\n drivers/tty/tty_io.c:1390)\ntty_open (drivers/tty/tty_io.c:2080 drivers/tty/tty_io.c:2126)\nchrdev_open (fs/char_dev.c:415)\ndo_dentry_open (fs/open.c:883)\nvfs_open (fs/open.c:1014)\n...\n\nFreed by task 1548:\n...\nkfree (mm/slab_common.c:1021)\nvc_port_destruct (drivers/tty/vt/vt.c:1094)\ntty_port_destructor (drivers/tty/tty_port.c:296)\ntty_port_put (drivers/tty/tty_port.c:312)\nvt_disallocate_all (drivers/tty/vt/vt_ioctl.c:662 (discriminator 2))\nvt_ioctl (drivers/tty/vt/vt_ioctl.c:903)\ntty_ioctl (drivers/tty/tty_io.c:2776)\n...\n\nThe buggy address belongs to the object at ffff888113747800\n which belongs to the cache kmalloc-1k of size 1024\nThe buggy address is located 424 bytes inside of\n 1024-byte region [ffff888113747800, ffff888113747c00)\n\nThe buggy address belongs to the physical page:\npage:00000000b3fe6c7c refcount:1 mapcount:0 mapping:0000000000000000\n index:0x0 pfn:0x113740\nhead:00000000b3fe6c7c order:3 compound_mapcount:0 subpages_mapcount:0\n compound_pincount:0\nanon flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)\nraw: 0017ffffc0010200 ffff888100042dc0 0000000000000000 dead000000000001\nraw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff888113747880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff888113747900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\u003e ffff888113747980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ^\n ffff888113747a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff888113747a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n==================================================================\nDisabling lock debugging due to kernel taint"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:46:35.811Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/af79ea9a2443016f64d8fd8d72020cc874f0e066"
},
{
"url": "https://git.kernel.org/stable/c/6332f52f44b9776568bf3c0b714ddfb0bb175e78"
},
{
"url": "https://git.kernel.org/stable/c/d0332cbf53dad06a22189cc341391237f4ea6d9f"
},
{
"url": "https://git.kernel.org/stable/c/55515d7d8743b71b80bfe68e89eb9d92630626ab"
},
{
"url": "https://git.kernel.org/stable/c/fc9e27f3ba083534b8bbf72ab0f5c810ffdc7d18"
},
{
"url": "https://git.kernel.org/stable/c/8506f16aae9daf354e3732bcfd447e2a97f023df"
},
{
"url": "https://git.kernel.org/stable/c/226fae124b2dac217ea5436060d623ff3385bc34"
}
],
"title": "vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52973",
"datePublished": "2025-03-27T16:43:12.756Z",
"dateReserved": "2025-03-27T16:40:15.737Z",
"dateUpdated": "2025-05-04T07:46:35.811Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49743 (GCVE-0-2022-49743)
Vulnerability from cvelistv5
Published
2025-03-27 16:42
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ovl: Use "buf" flexible array for memcpy() destination
The "buf" flexible array needs to be the memcpy() destination to avoid
false positive run-time warning from the recent FORTIFY_SOURCE
hardening:
memcpy: detected field-spanning write (size 93) of single field "&fh->fb"
at fs/overlayfs/export.c:799 (size 21)
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/overlayfs/export.c",
"fs/overlayfs/overlayfs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a77141a06367825d639ac51b04703d551163e36c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "07a96977b2f462337a9121302de64277b8747ab1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "cf8aa9bf97cadf85745506c6a3e244b22c268d63",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/overlayfs/export.c",
"fs/overlayfs/overlayfs.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\novl: Use \"buf\" flexible array for memcpy() destination\n\nThe \"buf\" flexible array needs to be the memcpy() destination to avoid\nfalse positive run-time warning from the recent FORTIFY_SOURCE\nhardening:\n\n memcpy: detected field-spanning write (size 93) of single field \"\u0026fh-\u003efb\"\n at fs/overlayfs/export.c:799 (size 21)"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:26.260Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a77141a06367825d639ac51b04703d551163e36c"
},
{
"url": "https://git.kernel.org/stable/c/07a96977b2f462337a9121302de64277b8747ab1"
},
{
"url": "https://git.kernel.org/stable/c/cf8aa9bf97cadf85745506c6a3e244b22c268d63"
}
],
"title": "ovl: Use \"buf\" flexible array for memcpy() destination",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49743",
"datePublished": "2025-03-27T16:42:54.289Z",
"dateReserved": "2025-03-27T16:39:17.987Z",
"dateUpdated": "2025-05-04T08:44:26.260Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53030 (GCVE-0-2023-53030)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 12:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
octeontx2-pf: Avoid use of GFP_KERNEL in atomic context
Using GFP_KERNEL in preemption disable context, causing below warning
when CONFIG_DEBUG_ATOMIC_SLEEP is enabled.
[ 32.542271] BUG: sleeping function called from invalid context at include/linux/sched/mm.h:274
[ 32.550883] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1, name: swapper/0
[ 32.558707] preempt_count: 1, expected: 0
[ 32.562710] RCU nest depth: 0, expected: 0
[ 32.566800] CPU: 3 PID: 1 Comm: swapper/0 Tainted: G W 6.2.0-rc2-00269-gae9dcb91c606 #7
[ 32.576188] Hardware name: Marvell CN106XX board (DT)
[ 32.581232] Call trace:
[ 32.583670] dump_backtrace.part.0+0xe0/0xf0
[ 32.587937] show_stack+0x18/0x30
[ 32.591245] dump_stack_lvl+0x68/0x84
[ 32.594900] dump_stack+0x18/0x34
[ 32.598206] __might_resched+0x12c/0x160
[ 32.602122] __might_sleep+0x48/0xa0
[ 32.605689] __kmem_cache_alloc_node+0x2b8/0x2e0
[ 32.610301] __kmalloc+0x58/0x190
[ 32.613610] otx2_sq_aura_pool_init+0x1a8/0x314
[ 32.618134] otx2_open+0x1d4/0x9d0
To avoid use of GFP_ATOMIC for memory allocation, disable preemption
after all memory allocation is done.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2827c4eb429db64befdca11362e2b1c5f524f6ba",
"status": "affected",
"version": "6ea5273c71dd2d07c0a2459594eb34bc087939f7",
"versionType": "git"
},
{
"lessThan": "1eb57b87f106c90cee6b2a56a10f2e29c7a25f3e",
"status": "affected",
"version": "667ce030bdfb62a86266444b2c3fd6ab98b9df9b",
"versionType": "git"
},
{
"lessThan": "87b93b678e95c7d93fe6a55b0e0fbda26d8c7760",
"status": "affected",
"version": "4af1b64f80fbe1275fb02c5f1c0cef099a4a231f",
"versionType": "git"
},
{
"status": "affected",
"version": "b754dc7c933dd9464223f64b10d33d68ab086cc6",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5.15.91",
"status": "affected",
"version": "5.15.87",
"versionType": "semver"
},
{
"lessThan": "6.1.8",
"status": "affected",
"version": "6.1.5",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "5.15.87",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.8",
"versionStartIncluding": "6.1.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-pf: Avoid use of GFP_KERNEL in atomic context\n\nUsing GFP_KERNEL in preemption disable context, causing below warning\nwhen CONFIG_DEBUG_ATOMIC_SLEEP is enabled.\n\n[ 32.542271] BUG: sleeping function called from invalid context at include/linux/sched/mm.h:274\n[ 32.550883] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1, name: swapper/0\n[ 32.558707] preempt_count: 1, expected: 0\n[ 32.562710] RCU nest depth: 0, expected: 0\n[ 32.566800] CPU: 3 PID: 1 Comm: swapper/0 Tainted: G W 6.2.0-rc2-00269-gae9dcb91c606 #7\n[ 32.576188] Hardware name: Marvell CN106XX board (DT)\n[ 32.581232] Call trace:\n[ 32.583670] dump_backtrace.part.0+0xe0/0xf0\n[ 32.587937] show_stack+0x18/0x30\n[ 32.591245] dump_stack_lvl+0x68/0x84\n[ 32.594900] dump_stack+0x18/0x34\n[ 32.598206] __might_resched+0x12c/0x160\n[ 32.602122] __might_sleep+0x48/0xa0\n[ 32.605689] __kmem_cache_alloc_node+0x2b8/0x2e0\n[ 32.610301] __kmalloc+0x58/0x190\n[ 32.613610] otx2_sq_aura_pool_init+0x1a8/0x314\n[ 32.618134] otx2_open+0x1d4/0x9d0\n\nTo avoid use of GFP_ATOMIC for memory allocation, disable preemption\nafter all memory allocation is done."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:50:10.138Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2827c4eb429db64befdca11362e2b1c5f524f6ba"
},
{
"url": "https://git.kernel.org/stable/c/1eb57b87f106c90cee6b2a56a10f2e29c7a25f3e"
},
{
"url": "https://git.kernel.org/stable/c/87b93b678e95c7d93fe6a55b0e0fbda26d8c7760"
}
],
"title": "octeontx2-pf: Avoid use of GFP_KERNEL in atomic context",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53030",
"datePublished": "2025-03-27T16:43:58.921Z",
"dateReserved": "2025-03-27T16:40:15.757Z",
"dateUpdated": "2025-05-04T12:50:10.138Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53006 (GCVE-0-2023-53006)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: Fix oops due to uncleared server->smbd_conn in reconnect
In smbd_destroy(), clear the server->smbd_conn pointer after freeing the
smbd_connection struct that it points to so that reconnection doesn't get
confused.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 8ef130f9ec27973f7b49e20c5a3b9134ca33026c Version: 8ef130f9ec27973f7b49e20c5a3b9134ca33026c Version: 8ef130f9ec27973f7b49e20c5a3b9134ca33026c Version: 8ef130f9ec27973f7b49e20c5a3b9134ca33026c Version: 8ef130f9ec27973f7b49e20c5a3b9134ca33026c Version: 8ef130f9ec27973f7b49e20c5a3b9134ca33026c |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/cifs/smbdirect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a9640c0b268405f2540e8203a545e930ea88bb7d",
"status": "affected",
"version": "8ef130f9ec27973f7b49e20c5a3b9134ca33026c",
"versionType": "git"
},
{
"lessThan": "91be54849d5392050f5b847b42bd5e6221551ac8",
"status": "affected",
"version": "8ef130f9ec27973f7b49e20c5a3b9134ca33026c",
"versionType": "git"
},
{
"lessThan": "e037baee16e0b9ace7e730888fcae9cec11daff2",
"status": "affected",
"version": "8ef130f9ec27973f7b49e20c5a3b9134ca33026c",
"versionType": "git"
},
{
"lessThan": "4b83bc6f87eedab4599b0123e572a422689444be",
"status": "affected",
"version": "8ef130f9ec27973f7b49e20c5a3b9134ca33026c",
"versionType": "git"
},
{
"lessThan": "5109607a4ece7cd8536172bf7549eb4dce1f3576",
"status": "affected",
"version": "8ef130f9ec27973f7b49e20c5a3b9134ca33026c",
"versionType": "git"
},
{
"lessThan": "b7ab9161cf5ddc42a288edf9d1a61f3bdffe17c7",
"status": "affected",
"version": "8ef130f9ec27973f7b49e20c5a3b9134ca33026c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/cifs/smbdirect.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.16"
},
{
"lessThan": "4.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.272",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.272",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "4.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix oops due to uncleared server-\u003esmbd_conn in reconnect\n\nIn smbd_destroy(), clear the server-\u003esmbd_conn pointer after freeing the\nsmbd_connection struct that it points to so that reconnection doesn\u0027t get\nconfused."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:22.461Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a9640c0b268405f2540e8203a545e930ea88bb7d"
},
{
"url": "https://git.kernel.org/stable/c/91be54849d5392050f5b847b42bd5e6221551ac8"
},
{
"url": "https://git.kernel.org/stable/c/e037baee16e0b9ace7e730888fcae9cec11daff2"
},
{
"url": "https://git.kernel.org/stable/c/4b83bc6f87eedab4599b0123e572a422689444be"
},
{
"url": "https://git.kernel.org/stable/c/5109607a4ece7cd8536172bf7549eb4dce1f3576"
},
{
"url": "https://git.kernel.org/stable/c/b7ab9161cf5ddc42a288edf9d1a61f3bdffe17c7"
}
],
"title": "cifs: Fix oops due to uncleared server-\u003esmbd_conn in reconnect",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53006",
"datePublished": "2025-03-27T16:43:37.225Z",
"dateReserved": "2025-03-27T16:40:15.745Z",
"dateUpdated": "2025-05-04T07:47:22.461Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21879 (GCVE-0-2025-21879)
Vulnerability from cvelistv5
Published
2025-03-27 14:57
Modified
2025-07-06 09:08
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix use-after-free on inode when scanning root during em shrinking
At btrfs_scan_root() we are accessing the inode's root (and fs_info) in a
call to btrfs_fs_closing() after we have scheduled the inode for a delayed
iput, and that can result in a use-after-free on the inode in case the
cleaner kthread does the iput before we dereference the inode in the call
to btrfs_fs_closing().
Fix this by using the fs_info stored already in a local variable instead
of doing inode->root->fs_info.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21879",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-28T15:22:49.038837Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T15:31:59.926Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/btrfs/extent_map.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "07836bc18f4ae42da4e922244f4685561c18755e",
"status": "affected",
"version": "fef55c4d9c9c22264d2b2ceae1e26922cb6129a5",
"versionType": "git"
},
{
"lessThan": "5e79d26014f9386387575b9ed60d342057cee49b",
"status": "affected",
"version": "1020443840569535f6025a855958f07ea3eebf71",
"versionType": "git"
},
{
"lessThan": "59f37036bb7ab3d554c24abc856aabca01126414",
"status": "affected",
"version": "1020443840569535f6025a855958f07ea3eebf71",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/btrfs/extent_map.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.6",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix use-after-free on inode when scanning root during em shrinking\n\nAt btrfs_scan_root() we are accessing the inode\u0027s root (and fs_info) in a\ncall to btrfs_fs_closing() after we have scheduled the inode for a delayed\niput, and that can result in a use-after-free on the inode in case the\ncleaner kthread does the iput before we dereference the inode in the call\nto btrfs_fs_closing().\n\nFix this by using the fs_info stored already in a local variable instead\nof doing inode-\u003eroot-\u003efs_info."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-06T09:08:49.875Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/07836bc18f4ae42da4e922244f4685561c18755e"
},
{
"url": "https://git.kernel.org/stable/c/5e79d26014f9386387575b9ed60d342057cee49b"
},
{
"url": "https://git.kernel.org/stable/c/59f37036bb7ab3d554c24abc856aabca01126414"
}
],
"title": "btrfs: fix use-after-free on inode when scanning root during em shrinking",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21879",
"datePublished": "2025-03-27T14:57:08.929Z",
"dateReserved": "2024-12-29T08:45:45.782Z",
"dateUpdated": "2025-07-06T09:08:49.875Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49755 (GCVE-0-2022-49755)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait
While performing fast composition switch, there is a possibility that the
process of ffs_ep0_write/ffs_ep0_read get into a race condition
due to ep0req being freed up from functionfs_unbind.
Consider the scenario that the ffs_ep0_write calls the ffs_ep0_queue_wait
by taking a lock &ffs->ev.waitq.lock. However, the functionfs_unbind isn't
bounded so it can go ahead and mark the ep0req to NULL, and since there
is no NULL check in ffs_ep0_queue_wait we will end up in use-after-free.
Fix this by making a serialized execution between the two functions using
a mutex_lock(ffs->mutex).
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: ddf8abd2599491cbad959c700b90ba72a5dce8d0 Version: ddf8abd2599491cbad959c700b90ba72a5dce8d0 Version: ddf8abd2599491cbad959c700b90ba72a5dce8d0 Version: ddf8abd2599491cbad959c700b90ba72a5dce8d0 Version: ddf8abd2599491cbad959c700b90ba72a5dce8d0 Version: ddf8abd2599491cbad959c700b90ba72a5dce8d0 Version: ddf8abd2599491cbad959c700b90ba72a5dce8d0 |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-49755",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-28T15:22:31.876200Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T15:31:59.379Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_fs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "facf353c9e8d7885b686d9a4b173d4e0af6441d2",
"status": "affected",
"version": "ddf8abd2599491cbad959c700b90ba72a5dce8d0",
"versionType": "git"
},
{
"lessThan": "e9036e951f93fb8d7b5e9d6e2c7f94a4da312ae4",
"status": "affected",
"version": "ddf8abd2599491cbad959c700b90ba72a5dce8d0",
"versionType": "git"
},
{
"lessThan": "a8d40942df074f4ebcb9bd3413596d92f323b064",
"status": "affected",
"version": "ddf8abd2599491cbad959c700b90ba72a5dce8d0",
"versionType": "git"
},
{
"lessThan": "6dd9ea05534f323668db94fcc2726c7a84547e78",
"status": "affected",
"version": "ddf8abd2599491cbad959c700b90ba72a5dce8d0",
"versionType": "git"
},
{
"lessThan": "ae8e136bcaae96163b5821984de1036efc9abb1a",
"status": "affected",
"version": "ddf8abd2599491cbad959c700b90ba72a5dce8d0",
"versionType": "git"
},
{
"lessThan": "6aee197b7fbcd61596a78b47d553f2f99111f217",
"status": "affected",
"version": "ddf8abd2599491cbad959c700b90ba72a5dce8d0",
"versionType": "git"
},
{
"lessThan": "6a19da111057f69214b97c62fb0ac59023970850",
"status": "affected",
"version": "ddf8abd2599491cbad959c700b90ba72a5dce8d0",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_fs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.35"
},
{
"lessThan": "2.6.35",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.305",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.272",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.305",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.272",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "2.6.35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.35",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait\n\nWhile performing fast composition switch, there is a possibility that the\nprocess of ffs_ep0_write/ffs_ep0_read get into a race condition\ndue to ep0req being freed up from functionfs_unbind.\n\nConsider the scenario that the ffs_ep0_write calls the ffs_ep0_queue_wait\nby taking a lock \u0026ffs-\u003eev.waitq.lock. However, the functionfs_unbind isn\u0027t\nbounded so it can go ahead and mark the ep0req to NULL, and since there\nis no NULL check in ffs_ep0_queue_wait we will end up in use-after-free.\n\nFix this by making a serialized execution between the two functions using\na mutex_lock(ffs-\u003emutex)."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:41.827Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/facf353c9e8d7885b686d9a4b173d4e0af6441d2"
},
{
"url": "https://git.kernel.org/stable/c/e9036e951f93fb8d7b5e9d6e2c7f94a4da312ae4"
},
{
"url": "https://git.kernel.org/stable/c/a8d40942df074f4ebcb9bd3413596d92f323b064"
},
{
"url": "https://git.kernel.org/stable/c/6dd9ea05534f323668db94fcc2726c7a84547e78"
},
{
"url": "https://git.kernel.org/stable/c/ae8e136bcaae96163b5821984de1036efc9abb1a"
},
{
"url": "https://git.kernel.org/stable/c/6aee197b7fbcd61596a78b47d553f2f99111f217"
},
{
"url": "https://git.kernel.org/stable/c/6a19da111057f69214b97c62fb0ac59023970850"
}
],
"title": "usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49755",
"datePublished": "2025-03-27T16:43:02.950Z",
"dateReserved": "2025-03-27T16:39:17.988Z",
"dateUpdated": "2025-05-04T08:44:41.827Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52983 (GCVE-0-2023-52983)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 12:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
block, bfq: fix uaf for bfqq in bic_set_bfqq()
After commit 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'"),
bic->bfqq will be accessed in bic_set_bfqq(), however, in some context
bic->bfqq will be freed, and bic_set_bfqq() is called with the freed
bic->bfqq.
Fix the problem by always freeing bfqq after bic_set_bfqq().
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 5533742c7cb1bc9b1f0bf401cc397d44a3a9e07a Version: 094f3d9314d67691cb21ba091c1b528f6e3c4893 Version: 761564d93c8265f65543acf0a576b32d66bfa26a Version: 64dc8c732f5c2b406cc752e6aaa1bd5471159cab Version: b22fd72bfebda3956efc4431b60ddfc0a51e03e0 |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-52983",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T16:59:42.552227Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T17:08:22.246Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/bfq-cgroup.c",
"block/bfq-iosched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7f77f3dab5066a7c9da73d72d1eee895ff84a8d5",
"status": "affected",
"version": "5533742c7cb1bc9b1f0bf401cc397d44a3a9e07a",
"versionType": "git"
},
{
"lessThan": "511c922c5bf6c8a166bea826e702336bc2424140",
"status": "affected",
"version": "094f3d9314d67691cb21ba091c1b528f6e3c4893",
"versionType": "git"
},
{
"lessThan": "cb1876fc33af26d00efdd473311f1b664c77c44e",
"status": "affected",
"version": "761564d93c8265f65543acf0a576b32d66bfa26a",
"versionType": "git"
},
{
"lessThan": "b600de2d7d3a16f9007fad1bdae82a3951a26af2",
"status": "affected",
"version": "64dc8c732f5c2b406cc752e6aaa1bd5471159cab",
"versionType": "git"
},
{
"status": "affected",
"version": "b22fd72bfebda3956efc4431b60ddfc0a51e03e0",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"block/bfq-cgroup.c",
"block/bfq-iosched.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5.15.93",
"status": "affected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThan": "6.1.11",
"status": "affected",
"version": "6.1.2",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"versionStartIncluding": "5.15.86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "6.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: fix uaf for bfqq in bic_set_bfqq()\n\nAfter commit 64dc8c732f5c (\"block, bfq: fix possible uaf for \u0027bfqq-\u003ebic\u0027\"),\nbic-\u003ebfqq will be accessed in bic_set_bfqq(), however, in some context\nbic-\u003ebfqq will be freed, and bic_set_bfqq() is called with the freed\nbic-\u003ebfqq.\n\nFix the problem by always freeing bfqq after bic_set_bfqq()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:50:01.199Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7f77f3dab5066a7c9da73d72d1eee895ff84a8d5"
},
{
"url": "https://git.kernel.org/stable/c/511c922c5bf6c8a166bea826e702336bc2424140"
},
{
"url": "https://git.kernel.org/stable/c/cb1876fc33af26d00efdd473311f1b664c77c44e"
},
{
"url": "https://git.kernel.org/stable/c/b600de2d7d3a16f9007fad1bdae82a3951a26af2"
}
],
"title": "block, bfq: fix uaf for bfqq in bic_set_bfqq()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52983",
"datePublished": "2025-03-27T16:43:21.372Z",
"dateReserved": "2025-03-27T16:40:15.740Z",
"dateUpdated": "2025-05-04T12:50:01.199Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49750 (GCVE-0-2022-49750)
Vulnerability from cvelistv5
Published
2025-03-27 16:42
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cpufreq: CPPC: Add u64 casts to avoid overflowing
The fields of the _CPC object are unsigned 32-bits values.
To avoid overflows while using _CPC's values, add 'u64' casts.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/cpufreq/cppc_cpufreq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7d596bbc66a52ff2c7a83d7e0ee840cb07e2a045",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f5f94b9c8b805d87ff185caf9779c3a4d07819e3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/cpufreq/cppc_cpufreq.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: CPPC: Add u64 casts to avoid overflowing\n\nThe fields of the _CPC object are unsigned 32-bits values.\nTo avoid overflows while using _CPC\u0027s values, add \u0027u64\u0027 casts."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:34.892Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7d596bbc66a52ff2c7a83d7e0ee840cb07e2a045"
},
{
"url": "https://git.kernel.org/stable/c/f5f94b9c8b805d87ff185caf9779c3a4d07819e3"
}
],
"title": "cpufreq: CPPC: Add u64 casts to avoid overflowing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49750",
"datePublished": "2025-03-27T16:42:59.043Z",
"dateReserved": "2025-03-27T16:39:17.988Z",
"dateUpdated": "2025-05-04T08:44:34.892Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52987 (GCVE-0-2023-52987)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ASoC: SOF: ipc4-mtrace: prevent underflow in sof_ipc4_priority_mask_dfs_write()
The "id" comes from the user. Change the type to unsigned to prevent
an array underflow.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/soc/sof/ipc4-mtrace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d52f34784e4e2f6e77671a9f104d8a69a3b5d24c",
"status": "affected",
"version": "f4ea22f7aa7536560097d765be56445933d07e0d",
"versionType": "git"
},
{
"lessThan": "ea57680af47587397f5005d7758022441ed66d54",
"status": "affected",
"version": "f4ea22f7aa7536560097d765be56445933d07e0d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/soc/sof/ipc4-mtrace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: ipc4-mtrace: prevent underflow in sof_ipc4_priority_mask_dfs_write()\n\nThe \"id\" comes from the user. Change the type to unsigned to prevent\nan array underflow."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:46:59.130Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d52f34784e4e2f6e77671a9f104d8a69a3b5d24c"
},
{
"url": "https://git.kernel.org/stable/c/ea57680af47587397f5005d7758022441ed66d54"
}
],
"title": "ASoC: SOF: ipc4-mtrace: prevent underflow in sof_ipc4_priority_mask_dfs_write()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52987",
"datePublished": "2025-03-27T16:43:24.225Z",
"dateReserved": "2025-03-27T16:40:15.741Z",
"dateUpdated": "2025-05-04T07:46:59.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21867 (GCVE-0-2025-21867)
Vulnerability from cvelistv5
Published
2025-03-27 13:38
Modified
2025-05-04 07:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type()
KMSAN reported a use-after-free issue in eth_skb_pkt_type()[1]. The
cause of the issue was that eth_skb_pkt_type() accessed skb's data
that didn't contain an Ethernet header. This occurs when
bpf_prog_test_run_xdp() passes an invalid value as the user_data
argument to bpf_test_init().
Fix this by returning an error when user_data is less than ETH_HLEN in
bpf_test_init(). Additionally, remove the check for "if (user_size >
size)" as it is unnecessary.
[1]
BUG: KMSAN: use-after-free in eth_skb_pkt_type include/linux/etherdevice.h:627 [inline]
BUG: KMSAN: use-after-free in eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165
eth_skb_pkt_type include/linux/etherdevice.h:627 [inline]
eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165
__xdp_build_skb_from_frame+0x5a8/0xa50 net/core/xdp.c:635
xdp_recv_frames net/bpf/test_run.c:272 [inline]
xdp_test_run_batch net/bpf/test_run.c:361 [inline]
bpf_test_run_xdp_live+0x2954/0x3330 net/bpf/test_run.c:390
bpf_prog_test_run_xdp+0x148e/0x1b10 net/bpf/test_run.c:1318
bpf_prog_test_run+0x5b7/0xa30 kernel/bpf/syscall.c:4371
__sys_bpf+0x6a6/0xe20 kernel/bpf/syscall.c:5777
__do_sys_bpf kernel/bpf/syscall.c:5866 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5864 [inline]
__x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:5864
x64_sys_call+0x2ea0/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:322
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
free_pages_prepare mm/page_alloc.c:1056 [inline]
free_unref_page+0x156/0x1320 mm/page_alloc.c:2657
__free_pages+0xa3/0x1b0 mm/page_alloc.c:4838
bpf_ringbuf_free kernel/bpf/ringbuf.c:226 [inline]
ringbuf_map_free+0xff/0x1e0 kernel/bpf/ringbuf.c:235
bpf_map_free kernel/bpf/syscall.c:838 [inline]
bpf_map_free_deferred+0x17c/0x310 kernel/bpf/syscall.c:862
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa2b/0x1b60 kernel/workqueue.c:3310
worker_thread+0xedf/0x1550 kernel/workqueue.c:3391
kthread+0x535/0x6b0 kernel/kthread.c:389
ret_from_fork+0x6e/0x90 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
CPU: 1 UID: 0 PID: 17276 Comm: syz.1.16450 Not tainted 6.12.0-05490-g9bb88c659673 #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: be3d72a2896cb24090f268dce4aa8a304d40bc23 Version: be3d72a2896cb24090f268dce4aa8a304d40bc23 Version: be3d72a2896cb24090f268dce4aa8a304d40bc23 Version: be3d72a2896cb24090f268dce4aa8a304d40bc23 Version: be3d72a2896cb24090f268dce4aa8a304d40bc23 |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-21867",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-28T17:27:05.715395Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T17:32:23.044Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bpf/test_run.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f615fccfc689cb48977d275ac2e391297b52392b",
"status": "affected",
"version": "be3d72a2896cb24090f268dce4aa8a304d40bc23",
"versionType": "git"
},
{
"lessThan": "d56d8a23d95100b65f40438639dd82db2af81c11",
"status": "affected",
"version": "be3d72a2896cb24090f268dce4aa8a304d40bc23",
"versionType": "git"
},
{
"lessThan": "972bafed67ca73ad9a56448384281eb5fd5c0ba3",
"status": "affected",
"version": "be3d72a2896cb24090f268dce4aa8a304d40bc23",
"versionType": "git"
},
{
"lessThan": "1a9e1284e87d59b1303b69d1808d310821d6e5f7",
"status": "affected",
"version": "be3d72a2896cb24090f268dce4aa8a304d40bc23",
"versionType": "git"
},
{
"lessThan": "6b3d638ca897e099fa99bd6d02189d3176f80a47",
"status": "affected",
"version": "be3d72a2896cb24090f268dce4aa8a304d40bc23",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bpf/test_run.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.18"
},
{
"lessThan": "5.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.130",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.80",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.17",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.5",
"versionStartIncluding": "5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, test_run: Fix use-after-free issue in eth_skb_pkt_type()\n\nKMSAN reported a use-after-free issue in eth_skb_pkt_type()[1]. The\ncause of the issue was that eth_skb_pkt_type() accessed skb\u0027s data\nthat didn\u0027t contain an Ethernet header. This occurs when\nbpf_prog_test_run_xdp() passes an invalid value as the user_data\nargument to bpf_test_init().\n\nFix this by returning an error when user_data is less than ETH_HLEN in\nbpf_test_init(). Additionally, remove the check for \"if (user_size \u003e\nsize)\" as it is unnecessary.\n\n[1]\nBUG: KMSAN: use-after-free in eth_skb_pkt_type include/linux/etherdevice.h:627 [inline]\nBUG: KMSAN: use-after-free in eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165\n eth_skb_pkt_type include/linux/etherdevice.h:627 [inline]\n eth_type_trans+0x4ee/0x980 net/ethernet/eth.c:165\n __xdp_build_skb_from_frame+0x5a8/0xa50 net/core/xdp.c:635\n xdp_recv_frames net/bpf/test_run.c:272 [inline]\n xdp_test_run_batch net/bpf/test_run.c:361 [inline]\n bpf_test_run_xdp_live+0x2954/0x3330 net/bpf/test_run.c:390\n bpf_prog_test_run_xdp+0x148e/0x1b10 net/bpf/test_run.c:1318\n bpf_prog_test_run+0x5b7/0xa30 kernel/bpf/syscall.c:4371\n __sys_bpf+0x6a6/0xe20 kernel/bpf/syscall.c:5777\n __do_sys_bpf kernel/bpf/syscall.c:5866 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5864 [inline]\n __x64_sys_bpf+0xa4/0xf0 kernel/bpf/syscall.c:5864\n x64_sys_call+0x2ea0/0x3d90 arch/x86/include/generated/asm/syscalls_64.h:322\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd9/0x1d0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nUninit was created at:\n free_pages_prepare mm/page_alloc.c:1056 [inline]\n free_unref_page+0x156/0x1320 mm/page_alloc.c:2657\n __free_pages+0xa3/0x1b0 mm/page_alloc.c:4838\n bpf_ringbuf_free kernel/bpf/ringbuf.c:226 [inline]\n ringbuf_map_free+0xff/0x1e0 kernel/bpf/ringbuf.c:235\n bpf_map_free kernel/bpf/syscall.c:838 [inline]\n bpf_map_free_deferred+0x17c/0x310 kernel/bpf/syscall.c:862\n process_one_work kernel/workqueue.c:3229 [inline]\n process_scheduled_works+0xa2b/0x1b60 kernel/workqueue.c:3310\n worker_thread+0xedf/0x1550 kernel/workqueue.c:3391\n kthread+0x535/0x6b0 kernel/kthread.c:389\n ret_from_fork+0x6e/0x90 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\nCPU: 1 UID: 0 PID: 17276 Comm: syz.1.16450 Not tainted 6.12.0-05490-g9bb88c659673 #8\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:22:50.800Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f615fccfc689cb48977d275ac2e391297b52392b"
},
{
"url": "https://git.kernel.org/stable/c/d56d8a23d95100b65f40438639dd82db2af81c11"
},
{
"url": "https://git.kernel.org/stable/c/972bafed67ca73ad9a56448384281eb5fd5c0ba3"
},
{
"url": "https://git.kernel.org/stable/c/1a9e1284e87d59b1303b69d1808d310821d6e5f7"
},
{
"url": "https://git.kernel.org/stable/c/6b3d638ca897e099fa99bd6d02189d3176f80a47"
}
],
"title": "bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21867",
"datePublished": "2025-03-27T13:38:20.673Z",
"dateReserved": "2024-12-29T08:45:45.781Z",
"dateUpdated": "2025-05-04T07:22:50.800Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52992 (GCVE-0-2023-52992)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Skip task with pid=1 in send_signal_common()
The following kernel panic can be triggered when a task with pid=1 attaches
a prog that attempts to send killing signal to itself, also see [1] for more
details:
Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
CPU: 3 PID: 1 Comm: systemd Not tainted 6.1.0-09652-g59fe41b5255f #148
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x100/0x178 lib/dump_stack.c:106
panic+0x2c4/0x60f kernel/panic.c:275
do_exit.cold+0x63/0xe4 kernel/exit.c:789
do_group_exit+0xd4/0x2a0 kernel/exit.c:950
get_signal+0x2460/0x2600 kernel/signal.c:2858
arch_do_signal_or_restart+0x78/0x5d0 arch/x86/kernel/signal.c:306
exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203
__syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
do_syscall_64+0x44/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd
So skip task with pid=1 in bpf_send_signal_common() to avoid the panic.
[1] https://lore.kernel.org/bpf/20221222043507.33037-1-sunhao.th@gmail.com
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/bpf_trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4923160393b06a34759a11b17930d71e06f396f2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a1c0263f1eb4deee132e11e52ee6982435460d81",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0dfef503133565fa0bcf3268d8eeb5b181191a65",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1283a01b6e19d05f7ed49584ea653947245cd41e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a3d81bc1eaef48e34dd0b9b48eefed9e02a06451",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/bpf_trace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.167",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Skip task with pid=1 in send_signal_common()\n\nThe following kernel panic can be triggered when a task with pid=1 attaches\na prog that attempts to send killing signal to itself, also see [1] for more\ndetails:\n\n Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b\n CPU: 3 PID: 1 Comm: systemd Not tainted 6.1.0-09652-g59fe41b5255f #148\n Call Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x100/0x178 lib/dump_stack.c:106\n panic+0x2c4/0x60f kernel/panic.c:275\n do_exit.cold+0x63/0xe4 kernel/exit.c:789\n do_group_exit+0xd4/0x2a0 kernel/exit.c:950\n get_signal+0x2460/0x2600 kernel/signal.c:2858\n arch_do_signal_or_restart+0x78/0x5d0 arch/x86/kernel/signal.c:306\n exit_to_user_mode_loop kernel/entry/common.c:168 [inline]\n exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203\n __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]\n syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296\n do_syscall_64+0x44/0xb0 arch/x86/entry/common.c:86\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nSo skip task with pid=1 in bpf_send_signal_common() to avoid the panic.\n\n [1] https://lore.kernel.org/bpf/20221222043507.33037-1-sunhao.th@gmail.com"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:03.969Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4923160393b06a34759a11b17930d71e06f396f2"
},
{
"url": "https://git.kernel.org/stable/c/a1c0263f1eb4deee132e11e52ee6982435460d81"
},
{
"url": "https://git.kernel.org/stable/c/0dfef503133565fa0bcf3268d8eeb5b181191a65"
},
{
"url": "https://git.kernel.org/stable/c/1283a01b6e19d05f7ed49584ea653947245cd41e"
},
{
"url": "https://git.kernel.org/stable/c/a3d81bc1eaef48e34dd0b9b48eefed9e02a06451"
}
],
"title": "bpf: Skip task with pid=1 in send_signal_common()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52992",
"datePublished": "2025-03-27T16:43:27.618Z",
"dateReserved": "2025-03-27T16:40:15.741Z",
"dateUpdated": "2025-05-04T07:47:03.969Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49760 (GCVE-0-2022-49760)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/hugetlb: fix PTE marker handling in hugetlb_change_protection()
Patch series "mm/hugetlb: uffd-wp fixes for hugetlb_change_protection()".
Playing with virtio-mem and background snapshots (using uffd-wp) on
hugetlb in QEMU, I managed to trigger a VM_BUG_ON(). Looking into the
details, hugetlb_change_protection() seems to not handle uffd-wp correctly
in all cases.
Patch #1 fixes my test case. I don't have reproducers for patch #2, as it
requires running into migration entries.
I did not yet check in detail yet if !hugetlb code requires similar care.
This patch (of 2):
There are two problematic cases when stumbling over a PTE marker in
hugetlb_change_protection():
(1) We protect an uffd-wp PTE marker a second time using uffd-wp: we will
end up in the "!huge_pte_none(pte)" case and mess up the PTE marker.
(2) We unprotect a uffd-wp PTE marker: we will similarly end up in the
"!huge_pte_none(pte)" case even though we cleared the PTE, because
the "pte" variable is stale. We'll mess up the PTE marker.
For example, if we later stumble over such a "wrongly modified" PTE marker,
we'll treat it like a present PTE that maps some garbage page.
This can, for example, be triggered by mapping a memfd backed by huge
pages, registering uffd-wp, uffd-wp'ing an unmapped page and (a)
uffd-wp'ing it a second time; or (b) uffd-unprotecting it; or (c)
unregistering uffd-wp. Then, ff we trigger fallocate(FALLOC_FL_PUNCH_HOLE)
on that file range, we will run into a VM_BUG_ON:
[ 195.039560] page:00000000ba1f2987 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x0
[ 195.039565] flags: 0x7ffffc0001000(reserved|node=0|zone=0|lastcpupid=0x1fffff)
[ 195.039568] raw: 0007ffffc0001000 ffffe742c0000008 ffffe742c0000008 0000000000000000
[ 195.039569] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 195.039569] page dumped because: VM_BUG_ON_PAGE(compound && !PageHead(page))
[ 195.039573] ------------[ cut here ]------------
[ 195.039574] kernel BUG at mm/rmap.c:1346!
[ 195.039579] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[ 195.039581] CPU: 7 PID: 4777 Comm: qemu-system-x86 Not tainted 6.0.12-200.fc36.x86_64 #1
[ 195.039583] Hardware name: LENOVO 20WNS1F81N/20WNS1F81N, BIOS N35ET50W (1.50 ) 09/15/2022
[ 195.039584] RIP: 0010:page_remove_rmap+0x45b/0x550
[ 195.039588] Code: [...]
[ 195.039589] RSP: 0018:ffffbc03c3633ba8 EFLAGS: 00010292
[ 195.039591] RAX: 0000000000000040 RBX: ffffe742c0000000 RCX: 0000000000000000
[ 195.039592] RDX: 0000000000000002 RSI: ffffffff8e7aac1a RDI: 00000000ffffffff
[ 195.039592] RBP: 0000000000000001 R08: 0000000000000000 R09: ffffbc03c3633a08
[ 195.039593] R10: 0000000000000003 R11: ffffffff8f146328 R12: ffff9b04c42754b0
[ 195.039594] R13: ffffffff8fcc6328 R14: ffffbc03c3633c80 R15: ffff9b0484ab9100
[ 195.039595] FS: 00007fc7aaf68640(0000) GS:ffff9b0bbf7c0000(0000) knlGS:0000000000000000
[ 195.039596] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 195.039597] CR2: 000055d402c49110 CR3: 0000000159392003 CR4: 0000000000772ee0
[ 195.039598] PKRU: 55555554
[ 195.039599] Call Trace:
[ 195.039600] <TASK>
[ 195.039602] __unmap_hugepage_range+0x33b/0x7d0
[ 195.039605] unmap_hugepage_range+0x55/0x70
[ 195.039608] hugetlb_vmdelete_list+0x77/0xa0
[ 195.039611] hugetlbfs_fallocate+0x410/0x550
[ 195.039612] ? _raw_spin_unlock_irqrestore+0x23/0x40
[ 195.039616] vfs_fallocate+0x12e/0x360
[ 195.039618] __x64_sys_fallocate+0x40/0x70
[ 195.039620] do_syscall_64+0x58/0x80
[ 195.039623] ? syscall_exit_to_user_mode+0x17/0x40
[ 195.039624] ? do_syscall_64+0x67/0x80
[ 195.039626] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 195.039628] RIP: 0033:0x7fc7b590651f
[ 195.039653] Code: [...]
[ 195.039654] RSP: 002b:00007fc7aaf66e70 EFLAGS: 00000293 ORIG_RAX: 000000000000011d
[ 195.039655] RAX: ffffffffffffffda RBX: 0000558ef4b7f370 RCX: 00007fc7b590651f
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/hugetlb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6062c992e912df1eedad52cf64efb3d48e8d35c5",
"status": "affected",
"version": "60dfaad65aa97fb6755b9798a6b3c9e79bcd5930",
"versionType": "git"
},
{
"lessThan": "0e678153f5be7e6c8d28835f5a678618da4b7a9c",
"status": "affected",
"version": "60dfaad65aa97fb6755b9798a6b3c9e79bcd5930",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/hugetlb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.19"
},
{
"lessThan": "5.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.8",
"versionStartIncluding": "5.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix PTE marker handling in hugetlb_change_protection()\n\nPatch series \"mm/hugetlb: uffd-wp fixes for hugetlb_change_protection()\".\n\nPlaying with virtio-mem and background snapshots (using uffd-wp) on\nhugetlb in QEMU, I managed to trigger a VM_BUG_ON(). Looking into the\ndetails, hugetlb_change_protection() seems to not handle uffd-wp correctly\nin all cases.\n\nPatch #1 fixes my test case. I don\u0027t have reproducers for patch #2, as it\nrequires running into migration entries.\n\nI did not yet check in detail yet if !hugetlb code requires similar care.\n\n\nThis patch (of 2):\n\nThere are two problematic cases when stumbling over a PTE marker in\nhugetlb_change_protection():\n\n(1) We protect an uffd-wp PTE marker a second time using uffd-wp: we will\n end up in the \"!huge_pte_none(pte)\" case and mess up the PTE marker.\n\n(2) We unprotect a uffd-wp PTE marker: we will similarly end up in the\n \"!huge_pte_none(pte)\" case even though we cleared the PTE, because\n the \"pte\" variable is stale. We\u0027ll mess up the PTE marker.\n\nFor example, if we later stumble over such a \"wrongly modified\" PTE marker,\nwe\u0027ll treat it like a present PTE that maps some garbage page.\n\nThis can, for example, be triggered by mapping a memfd backed by huge\npages, registering uffd-wp, uffd-wp\u0027ing an unmapped page and (a)\nuffd-wp\u0027ing it a second time; or (b) uffd-unprotecting it; or (c)\nunregistering uffd-wp. Then, ff we trigger fallocate(FALLOC_FL_PUNCH_HOLE)\non that file range, we will run into a VM_BUG_ON:\n\n[ 195.039560] page:00000000ba1f2987 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x0\n[ 195.039565] flags: 0x7ffffc0001000(reserved|node=0|zone=0|lastcpupid=0x1fffff)\n[ 195.039568] raw: 0007ffffc0001000 ffffe742c0000008 ffffe742c0000008 0000000000000000\n[ 195.039569] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\n[ 195.039569] page dumped because: VM_BUG_ON_PAGE(compound \u0026\u0026 !PageHead(page))\n[ 195.039573] ------------[ cut here ]------------\n[ 195.039574] kernel BUG at mm/rmap.c:1346!\n[ 195.039579] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[ 195.039581] CPU: 7 PID: 4777 Comm: qemu-system-x86 Not tainted 6.0.12-200.fc36.x86_64 #1\n[ 195.039583] Hardware name: LENOVO 20WNS1F81N/20WNS1F81N, BIOS N35ET50W (1.50 ) 09/15/2022\n[ 195.039584] RIP: 0010:page_remove_rmap+0x45b/0x550\n[ 195.039588] Code: [...]\n[ 195.039589] RSP: 0018:ffffbc03c3633ba8 EFLAGS: 00010292\n[ 195.039591] RAX: 0000000000000040 RBX: ffffe742c0000000 RCX: 0000000000000000\n[ 195.039592] RDX: 0000000000000002 RSI: ffffffff8e7aac1a RDI: 00000000ffffffff\n[ 195.039592] RBP: 0000000000000001 R08: 0000000000000000 R09: ffffbc03c3633a08\n[ 195.039593] R10: 0000000000000003 R11: ffffffff8f146328 R12: ffff9b04c42754b0\n[ 195.039594] R13: ffffffff8fcc6328 R14: ffffbc03c3633c80 R15: ffff9b0484ab9100\n[ 195.039595] FS: 00007fc7aaf68640(0000) GS:ffff9b0bbf7c0000(0000) knlGS:0000000000000000\n[ 195.039596] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 195.039597] CR2: 000055d402c49110 CR3: 0000000159392003 CR4: 0000000000772ee0\n[ 195.039598] PKRU: 55555554\n[ 195.039599] Call Trace:\n[ 195.039600] \u003cTASK\u003e\n[ 195.039602] __unmap_hugepage_range+0x33b/0x7d0\n[ 195.039605] unmap_hugepage_range+0x55/0x70\n[ 195.039608] hugetlb_vmdelete_list+0x77/0xa0\n[ 195.039611] hugetlbfs_fallocate+0x410/0x550\n[ 195.039612] ? _raw_spin_unlock_irqrestore+0x23/0x40\n[ 195.039616] vfs_fallocate+0x12e/0x360\n[ 195.039618] __x64_sys_fallocate+0x40/0x70\n[ 195.039620] do_syscall_64+0x58/0x80\n[ 195.039623] ? syscall_exit_to_user_mode+0x17/0x40\n[ 195.039624] ? do_syscall_64+0x67/0x80\n[ 195.039626] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[ 195.039628] RIP: 0033:0x7fc7b590651f\n[ 195.039653] Code: [...]\n[ 195.039654] RSP: 002b:00007fc7aaf66e70 EFLAGS: 00000293 ORIG_RAX: 000000000000011d\n[ 195.039655] RAX: ffffffffffffffda RBX: 0000558ef4b7f370 RCX: 00007fc7b590651f\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:48.484Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6062c992e912df1eedad52cf64efb3d48e8d35c5"
},
{
"url": "https://git.kernel.org/stable/c/0e678153f5be7e6c8d28835f5a678618da4b7a9c"
}
],
"title": "mm/hugetlb: fix PTE marker handling in hugetlb_change_protection()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49760",
"datePublished": "2025-03-27T16:43:07.001Z",
"dateReserved": "2025-03-27T16:39:17.990Z",
"dateUpdated": "2025-05-04T08:44:48.484Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21880 (GCVE-0-2025-21880)
Vulnerability from cvelistv5
Published
2025-03-27 14:57
Modified
2025-05-04 07:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe/userptr: fix EFAULT handling
Currently we treat EFAULT from hmm_range_fault() as a non-fatal error
when called from xe_vm_userptr_pin() with the idea that we want to avoid
killing the entire vm and chucking an error, under the assumption that
the user just did an unmap or something, and has no intention of
actually touching that memory from the GPU. At this point we have
already zapped the PTEs so any access should generate a page fault, and
if the pin fails there also it will then become fatal.
However it looks like it's possible for the userptr vma to still be on
the rebind list in preempt_rebind_work_func(), if we had to retry the
pin again due to something happening in the caller before we did the
rebind step, but in the meantime needing to re-validate the userptr and
this time hitting the EFAULT.
This explains an internal user report of hitting:
[ 191.738349] WARNING: CPU: 1 PID: 157 at drivers/gpu/drm/xe/xe_res_cursor.h:158 xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe]
[ 191.738551] Workqueue: xe-ordered-wq preempt_rebind_work_func [xe]
[ 191.738616] RIP: 0010:xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe]
[ 191.738690] Call Trace:
[ 191.738692] <TASK>
[ 191.738694] ? show_regs+0x69/0x80
[ 191.738698] ? __warn+0x93/0x1a0
[ 191.738703] ? xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe]
[ 191.738759] ? report_bug+0x18f/0x1a0
[ 191.738764] ? handle_bug+0x63/0xa0
[ 191.738767] ? exc_invalid_op+0x19/0x70
[ 191.738770] ? asm_exc_invalid_op+0x1b/0x20
[ 191.738777] ? xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe]
[ 191.738834] ? ret_from_fork_asm+0x1a/0x30
[ 191.738849] bind_op_prepare+0x105/0x7b0 [xe]
[ 191.738906] ? dma_resv_reserve_fences+0x301/0x380
[ 191.738912] xe_pt_update_ops_prepare+0x28c/0x4b0 [xe]
[ 191.738966] ? kmemleak_alloc+0x4b/0x80
[ 191.738973] ops_execute+0x188/0x9d0 [xe]
[ 191.739036] xe_vm_rebind+0x4ce/0x5a0 [xe]
[ 191.739098] ? trace_hardirqs_on+0x4d/0x60
[ 191.739112] preempt_rebind_work_func+0x76f/0xd00 [xe]
Followed by NPD, when running some workload, since the sg was never
actually populated but the vma is still marked for rebind when it should
be skipped for this special EFAULT case. This is confirmed to fix the
user report.
v2 (MattB):
- Move earlier.
v3 (MattB):
- Update the commit message to make it clear that this indeed fixes the
issue.
(cherry picked from commit 6b93cb98910c826c2e2004942f8b060311e43618)
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_vm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "daad16d0a538fa938e344fd83927bbcfcd8a66ec",
"status": "affected",
"version": "521db22a1d70dbc596a07544a738416025b1b63c",
"versionType": "git"
},
{
"lessThan": "51cc278f8ffacd5f9dc7d13191b81b912829db59",
"status": "affected",
"version": "521db22a1d70dbc596a07544a738416025b1b63c",
"versionType": "git"
},
{
"lessThan": "a9f4fa3a7efa65615ff7db13023ac84516e99e21",
"status": "affected",
"version": "521db22a1d70dbc596a07544a738416025b1b63c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/xe/xe_vm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.18",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.6",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/userptr: fix EFAULT handling\n\nCurrently we treat EFAULT from hmm_range_fault() as a non-fatal error\nwhen called from xe_vm_userptr_pin() with the idea that we want to avoid\nkilling the entire vm and chucking an error, under the assumption that\nthe user just did an unmap or something, and has no intention of\nactually touching that memory from the GPU. At this point we have\nalready zapped the PTEs so any access should generate a page fault, and\nif the pin fails there also it will then become fatal.\n\nHowever it looks like it\u0027s possible for the userptr vma to still be on\nthe rebind list in preempt_rebind_work_func(), if we had to retry the\npin again due to something happening in the caller before we did the\nrebind step, but in the meantime needing to re-validate the userptr and\nthis time hitting the EFAULT.\n\nThis explains an internal user report of hitting:\n\n[ 191.738349] WARNING: CPU: 1 PID: 157 at drivers/gpu/drm/xe/xe_res_cursor.h:158 xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe]\n[ 191.738551] Workqueue: xe-ordered-wq preempt_rebind_work_func [xe]\n[ 191.738616] RIP: 0010:xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe]\n[ 191.738690] Call Trace:\n[ 191.738692] \u003cTASK\u003e\n[ 191.738694] ? show_regs+0x69/0x80\n[ 191.738698] ? __warn+0x93/0x1a0\n[ 191.738703] ? xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe]\n[ 191.738759] ? report_bug+0x18f/0x1a0\n[ 191.738764] ? handle_bug+0x63/0xa0\n[ 191.738767] ? exc_invalid_op+0x19/0x70\n[ 191.738770] ? asm_exc_invalid_op+0x1b/0x20\n[ 191.738777] ? xe_pt_stage_bind.constprop.0+0x60a/0x6b0 [xe]\n[ 191.738834] ? ret_from_fork_asm+0x1a/0x30\n[ 191.738849] bind_op_prepare+0x105/0x7b0 [xe]\n[ 191.738906] ? dma_resv_reserve_fences+0x301/0x380\n[ 191.738912] xe_pt_update_ops_prepare+0x28c/0x4b0 [xe]\n[ 191.738966] ? kmemleak_alloc+0x4b/0x80\n[ 191.738973] ops_execute+0x188/0x9d0 [xe]\n[ 191.739036] xe_vm_rebind+0x4ce/0x5a0 [xe]\n[ 191.739098] ? trace_hardirqs_on+0x4d/0x60\n[ 191.739112] preempt_rebind_work_func+0x76f/0xd00 [xe]\n\nFollowed by NPD, when running some workload, since the sg was never\nactually populated but the vma is still marked for rebind when it should\nbe skipped for this special EFAULT case. This is confirmed to fix the\nuser report.\n\nv2 (MattB):\n - Move earlier.\nv3 (MattB):\n - Update the commit message to make it clear that this indeed fixes the\n issue.\n\n(cherry picked from commit 6b93cb98910c826c2e2004942f8b060311e43618)"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:23:12.874Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/daad16d0a538fa938e344fd83927bbcfcd8a66ec"
},
{
"url": "https://git.kernel.org/stable/c/51cc278f8ffacd5f9dc7d13191b81b912829db59"
},
{
"url": "https://git.kernel.org/stable/c/a9f4fa3a7efa65615ff7db13023ac84516e99e21"
}
],
"title": "drm/xe/userptr: fix EFAULT handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21880",
"datePublished": "2025-03-27T14:57:09.581Z",
"dateReserved": "2024-12-29T08:45:45.782Z",
"dateUpdated": "2025-05-04T07:23:12.874Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53013 (GCVE-0-2023-53013)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ptdma: pt_core_execute_cmd() should use spinlock
The interrupt handler (pt_core_irq_handler()) of the ptdma
driver can be called from interrupt context. The code flow
in this function can lead down to pt_core_execute_cmd() which
will attempt to grab a mutex, which is not appropriate in
interrupt context and ultimately leads to a kernel panic.
The fix here changes this mutex to a spinlock, which has
been verified to resolve the issue.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/dma/ptdma/ptdma-dev.c",
"drivers/dma/ptdma/ptdma.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ed0d8f731e0bf1bb12a7a37698ac613db20e2794",
"status": "affected",
"version": "fa5d823b16a9442d609617abeec31da8b6afa224",
"versionType": "git"
},
{
"lessThan": "13ba563c2c8055ba8a637c9f70bb833b43cb4207",
"status": "affected",
"version": "fa5d823b16a9442d609617abeec31da8b6afa224",
"versionType": "git"
},
{
"lessThan": "95e5fda3b5f9ed8239b145da3fa01e641cf5d53c",
"status": "affected",
"version": "fa5d823b16a9442d609617abeec31da8b6afa224",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/dma/ptdma/ptdma-dev.c",
"drivers/dma/ptdma/ptdma.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nptdma: pt_core_execute_cmd() should use spinlock\n\nThe interrupt handler (pt_core_irq_handler()) of the ptdma\ndriver can be called from interrupt context. The code flow\nin this function can lead down to pt_core_execute_cmd() which\nwill attempt to grab a mutex, which is not appropriate in\ninterrupt context and ultimately leads to a kernel panic.\nThe fix here changes this mutex to a spinlock, which has\nbeen verified to resolve the issue."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:35.988Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ed0d8f731e0bf1bb12a7a37698ac613db20e2794"
},
{
"url": "https://git.kernel.org/stable/c/13ba563c2c8055ba8a637c9f70bb833b43cb4207"
},
{
"url": "https://git.kernel.org/stable/c/95e5fda3b5f9ed8239b145da3fa01e641cf5d53c"
}
],
"title": "ptdma: pt_core_execute_cmd() should use spinlock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53013",
"datePublished": "2025-03-27T16:43:42.437Z",
"dateReserved": "2025-03-27T16:40:15.749Z",
"dateUpdated": "2025-05-04T07:47:35.988Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53024 (GCVE-0-2023-53024)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 12:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation
To mitigate Spectre v4, 2039f26f3aca ("bpf: Fix leakage due to
insufficient speculative store bypass mitigation") inserts lfence
instructions after 1) initializing a stack slot and 2) spilling a
pointer to the stack.
However, this does not cover cases where a stack slot is first
initialized with a pointer (subject to sanitization) but then
overwritten with a scalar (not subject to sanitization because
the slot was already initialized). In this case, the second write
may be subject to speculative store bypass (SSB) creating a
speculative pointer-as-scalar type confusion. This allows the
program to subsequently leak the numerical pointer value using,
for example, a branch-based cache side channel.
To fix this, also sanitize scalars if they write a stack slot
that previously contained a pointer. Assuming that pointer-spills
are only generated by LLVM on register-pressure, the performance
impact on most real-world BPF programs should be small.
The following unprivileged BPF bytecode drafts a minimal exploit
and the mitigation:
[...]
// r6 = 0 or 1 (skalar, unknown user input)
// r7 = accessible ptr for side channel
// r10 = frame pointer (fp), to be leaked
//
r9 = r10 # fp alias to encourage ssb
*(u64 *)(r9 - 8) = r10 // fp[-8] = ptr, to be leaked
// lfence added here because of pointer spill to stack.
//
// Ommitted: Dummy bpf_ringbuf_output() here to train alias predictor
// for no r9-r10 dependency.
//
*(u64 *)(r10 - 8) = r6 // fp[-8] = scalar, overwrites ptr
// 2039f26f3aca: no lfence added because stack slot was not STACK_INVALID,
// store may be subject to SSB
//
// fix: also add an lfence when the slot contained a ptr
//
r8 = *(u64 *)(r9 - 8)
// r8 = architecturally a scalar, speculatively a ptr
//
// leak ptr using branch-based cache side channel:
r8 &= 1 // choose bit to leak
if r8 == 0 goto SLOW // no mispredict
// architecturally dead code if input r6 is 0,
// only executes speculatively iff ptr bit is 1
r8 = *(u64 *)(r7 + 0) # encode bit in cache (0: slow, 1: fast)
SLOW:
[...]
After running this, the program can time the access to *(r7 + 0) to
determine whether the chosen pointer bit was 0 or 1. Repeat this 64
times to recover the whole address on amd64.
In summary, sanitization can only be skipped if one scalar is
overwritten with another scalar. Scalar-confusion due to speculative
store bypass can not lead to invalid accesses because the pointer
bounds deducted during verification are enforced using branchless
logic. See 979d63d50c0c ("bpf: prevent out of bounds speculation on
pointer arithmetic") for details.
Do not make the mitigation depend on !env->allow_{uninit_stack,ptr_leaks}
because speculative leaks are likely unexpected if these were enabled.
For example, leaking the address to a protected log file may be acceptable
while disabling the mitigation might unintentionally leak the address
into the cached-state of a map that is accessible to unprivileged
processes.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 872968502114d68c21419cf7eb5ab97717e7b803 Version: f5893af2704eb763eb982f01d573f5b19f06b623 Version: 0e9280654aa482088ee6ef3deadef331f5ac5fb0 Version: 2039f26f3aca5b0e419b98f65dd36481337b86ee Version: 2039f26f3aca5b0e419b98f65dd36481337b86ee Version: 2039f26f3aca5b0e419b98f65dd36481337b86ee Version: 0b27bdf02c400684225ee5ee99970bcbf5082282 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "aae109414a57ab4164218f36e2e4a17f027fcaaa",
"status": "affected",
"version": "872968502114d68c21419cf7eb5ab97717e7b803",
"versionType": "git"
},
{
"lessThan": "81b3374944d201872cfcf82730a7860f8e7c31dd",
"status": "affected",
"version": "f5893af2704eb763eb982f01d573f5b19f06b623",
"versionType": "git"
},
{
"lessThan": "da75dec7c6617bddad418159ffebcb133f008262",
"status": "affected",
"version": "0e9280654aa482088ee6ef3deadef331f5ac5fb0",
"versionType": "git"
},
{
"lessThan": "01bdcc73dbe7be3ad4d4ee9a59b71e42f461a528",
"status": "affected",
"version": "2039f26f3aca5b0e419b98f65dd36481337b86ee",
"versionType": "git"
},
{
"lessThan": "b0c89ef025562161242a7c19b213bd6b272e93df",
"status": "affected",
"version": "2039f26f3aca5b0e419b98f65dd36481337b86ee",
"versionType": "git"
},
{
"lessThan": "e4f4db47794c9f474b184ee1418f42e6a07412b6",
"status": "affected",
"version": "2039f26f3aca5b0e419b98f65dd36481337b86ee",
"versionType": "git"
},
{
"status": "affected",
"version": "0b27bdf02c400684225ee5ee99970bcbf5082282",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.272",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.272",
"versionStartIncluding": "4.19.207",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "5.4.146",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "5.10.56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.13.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix pointer-leak due to insufficient speculative store bypass mitigation\n\nTo mitigate Spectre v4, 2039f26f3aca (\"bpf: Fix leakage due to\ninsufficient speculative store bypass mitigation\") inserts lfence\ninstructions after 1) initializing a stack slot and 2) spilling a\npointer to the stack.\n\nHowever, this does not cover cases where a stack slot is first\ninitialized with a pointer (subject to sanitization) but then\noverwritten with a scalar (not subject to sanitization because\nthe slot was already initialized). In this case, the second write\nmay be subject to speculative store bypass (SSB) creating a\nspeculative pointer-as-scalar type confusion. This allows the\nprogram to subsequently leak the numerical pointer value using,\nfor example, a branch-based cache side channel.\n\nTo fix this, also sanitize scalars if they write a stack slot\nthat previously contained a pointer. Assuming that pointer-spills\nare only generated by LLVM on register-pressure, the performance\nimpact on most real-world BPF programs should be small.\n\nThe following unprivileged BPF bytecode drafts a minimal exploit\nand the mitigation:\n\n [...]\n // r6 = 0 or 1 (skalar, unknown user input)\n // r7 = accessible ptr for side channel\n // r10 = frame pointer (fp), to be leaked\n //\n r9 = r10 # fp alias to encourage ssb\n *(u64 *)(r9 - 8) = r10 // fp[-8] = ptr, to be leaked\n // lfence added here because of pointer spill to stack.\n //\n // Ommitted: Dummy bpf_ringbuf_output() here to train alias predictor\n // for no r9-r10 dependency.\n //\n *(u64 *)(r10 - 8) = r6 // fp[-8] = scalar, overwrites ptr\n // 2039f26f3aca: no lfence added because stack slot was not STACK_INVALID,\n // store may be subject to SSB\n //\n // fix: also add an lfence when the slot contained a ptr\n //\n r8 = *(u64 *)(r9 - 8)\n // r8 = architecturally a scalar, speculatively a ptr\n //\n // leak ptr using branch-based cache side channel:\n r8 \u0026= 1 // choose bit to leak\n if r8 == 0 goto SLOW // no mispredict\n // architecturally dead code if input r6 is 0,\n // only executes speculatively iff ptr bit is 1\n r8 = *(u64 *)(r7 + 0) # encode bit in cache (0: slow, 1: fast)\nSLOW:\n [...]\n\nAfter running this, the program can time the access to *(r7 + 0) to\ndetermine whether the chosen pointer bit was 0 or 1. Repeat this 64\ntimes to recover the whole address on amd64.\n\nIn summary, sanitization can only be skipped if one scalar is\noverwritten with another scalar. Scalar-confusion due to speculative\nstore bypass can not lead to invalid accesses because the pointer\nbounds deducted during verification are enforced using branchless\nlogic. See 979d63d50c0c (\"bpf: prevent out of bounds speculation on\npointer arithmetic\") for details.\n\nDo not make the mitigation depend on !env-\u003eallow_{uninit_stack,ptr_leaks}\nbecause speculative leaks are likely unexpected if these were enabled.\nFor example, leaking the address to a protected log file may be acceptable\nwhile disabling the mitigation might unintentionally leak the address\ninto the cached-state of a map that is accessible to unprivileged\nprocesses."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:50:06.221Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/aae109414a57ab4164218f36e2e4a17f027fcaaa"
},
{
"url": "https://git.kernel.org/stable/c/81b3374944d201872cfcf82730a7860f8e7c31dd"
},
{
"url": "https://git.kernel.org/stable/c/da75dec7c6617bddad418159ffebcb133f008262"
},
{
"url": "https://git.kernel.org/stable/c/01bdcc73dbe7be3ad4d4ee9a59b71e42f461a528"
},
{
"url": "https://git.kernel.org/stable/c/b0c89ef025562161242a7c19b213bd6b272e93df"
},
{
"url": "https://git.kernel.org/stable/c/e4f4db47794c9f474b184ee1418f42e6a07412b6"
}
],
"title": "bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53024",
"datePublished": "2025-03-27T16:43:49.824Z",
"dateReserved": "2025-03-27T16:40:15.753Z",
"dateUpdated": "2025-05-04T12:50:06.221Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53033 (GCVE-0-2023-53033)
Vulnerability from cvelistv5
Published
2025-03-27 16:44
Modified
2025-05-04 07:48
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits
If the offset + length goes over the ethernet + vlan header, then the
length is adjusted to copy the bytes that are within the boundaries of
the vlan_ethhdr scratchpad area. The remaining bytes beyond ethernet +
vlan header are copied directly from the skbuff data area.
Fix incorrect arithmetic operator: subtract, not add, the size of the
vlan header in case of double-tagged packets to adjust the length
accordingly to address CVE-2023-0179.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_payload.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "550efeff989b041f3746118c0ddd863c39ddc1aa",
"status": "affected",
"version": "f6ae9f120dada00abfb47313364c35118469455f",
"versionType": "git"
},
{
"lessThan": "a8acfe2c6fb99f9375a9325807a179cd8c32e6e3",
"status": "affected",
"version": "f6ae9f120dada00abfb47313364c35118469455f",
"versionType": "git"
},
{
"lessThan": "76ef74d4a379faa451003621a84e3498044e7aa3",
"status": "affected",
"version": "f6ae9f120dada00abfb47313364c35118469455f",
"versionType": "git"
},
{
"lessThan": "696e1a48b1a1b01edad542a1ef293665864a4dd0",
"status": "affected",
"version": "f6ae9f120dada00abfb47313364c35118469455f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/netfilter/nft_payload.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.164",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.89",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.164",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.89",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.7",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits\n\nIf the offset + length goes over the ethernet + vlan header, then the\nlength is adjusted to copy the bytes that are within the boundaries of\nthe vlan_ethhdr scratchpad area. The remaining bytes beyond ethernet +\nvlan header are copied directly from the skbuff data area.\n\nFix incorrect arithmetic operator: subtract, not add, the size of the\nvlan header in case of double-tagged packets to adjust the length\naccordingly to address CVE-2023-0179."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:48:09.319Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/550efeff989b041f3746118c0ddd863c39ddc1aa"
},
{
"url": "https://git.kernel.org/stable/c/a8acfe2c6fb99f9375a9325807a179cd8c32e6e3"
},
{
"url": "https://git.kernel.org/stable/c/76ef74d4a379faa451003621a84e3498044e7aa3"
},
{
"url": "https://git.kernel.org/stable/c/696e1a48b1a1b01edad542a1ef293665864a4dd0"
}
],
"title": "netfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53033",
"datePublished": "2025-03-27T16:44:01.044Z",
"dateReserved": "2025-03-27T16:40:15.758Z",
"dateUpdated": "2025-05-04T07:48:09.319Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53028 (GCVE-0-2023-53028)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 12:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Revert "wifi: mac80211: fix memory leak in ieee80211_if_add()"
This reverts commit 13e5afd3d773c6fc6ca2b89027befaaaa1ea7293.
ieee80211_if_free() is already called from free_netdev(ndev)
because ndev->priv_destructor == ieee80211_if_free
syzbot reported:
general protection fault, probably for non-canonical address 0xdffffc0000000004: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]
CPU: 0 PID: 10041 Comm: syz-executor.0 Not tainted 6.2.0-rc2-syzkaller-00388-g55b98837e37d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:pcpu_get_page_chunk mm/percpu.c:262 [inline]
RIP: 0010:pcpu_chunk_addr_search mm/percpu.c:1619 [inline]
RIP: 0010:free_percpu mm/percpu.c:2271 [inline]
RIP: 0010:free_percpu+0x186/0x10f0 mm/percpu.c:2254
Code: 80 3c 02 00 0f 85 f5 0e 00 00 48 8b 3b 48 01 ef e8 cf b3 0b 00 48 ba 00 00 00 00 00 fc ff df 48 8d 78 20 48 89 f9 48 c1 e9 03 <80> 3c 11 00 0f 85 3b 0e 00 00 48 8b 58 20 48 b8 00 00 00 00 00 fc
RSP: 0018:ffffc90004ba7068 EFLAGS: 00010002
RAX: 0000000000000000 RBX: ffff88823ffe2b80 RCX: 0000000000000004
RDX: dffffc0000000000 RSI: ffffffff81c1f4e7 RDI: 0000000000000020
RBP: ffffe8fffe8fc220 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 1ffffffff2179ab2 R12: ffff8880b983d000
R13: 0000000000000003 R14: 0000607f450fc220 R15: ffff88823ffe2988
FS: 00007fcb349de700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b32220000 CR3: 000000004914f000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
netdev_run_todo+0x6bf/0x1100 net/core/dev.c:10352
ieee80211_register_hw+0x2663/0x4040 net/mac80211/main.c:1411
mac80211_hwsim_new_radio+0x2537/0x4d80 drivers/net/wireless/mac80211_hwsim.c:4583
hwsim_new_radio_nl+0xa09/0x10f0 drivers/net/wireless/mac80211_hwsim.c:5176
genl_family_rcv_msg_doit.isra.0+0x1e6/0x2d0 net/netlink/genetlink.c:968
genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline]
genl_rcv_msg+0x4ff/0x7e0 net/netlink/genetlink.c:1065
netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2564
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076
netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]
netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1356
netlink_sendmsg+0x91b/0xe10 net/netlink/af_netlink.c:1932
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg+0xd3/0x120 net/socket.c:734
____sys_sendmsg+0x712/0x8c0 net/socket.c:2476
___sys_sendmsg+0x110/0x1b0 net/socket.c:2530
__sys_sendmsg+0xf7/0x1c0 net/socket.c:2559
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: b2c0b94f48373ee743a4d63825a9d52364418837 Version: 2e32f1299814e8aa2e75aa58704543a36ea3e201 Version: 9a50a7f64243bd21a84353c371f3977b9ffd9fa5 Version: 13e5afd3d773c6fc6ca2b89027befaaaa1ea7293 Version: 147537737a3c83e07a5295de38424c21d354d2a4 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/iface.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "71e5cd1018d345e649e63f74a56c1897f99db7e9",
"status": "affected",
"version": "b2c0b94f48373ee743a4d63825a9d52364418837",
"versionType": "git"
},
{
"lessThan": "982c8b1e95c088f5d8f65967ec25be66e961401c",
"status": "affected",
"version": "2e32f1299814e8aa2e75aa58704543a36ea3e201",
"versionType": "git"
},
{
"lessThan": "effecd8d116d3d3a28b4f628e61bba8d318fdfcf",
"status": "affected",
"version": "9a50a7f64243bd21a84353c371f3977b9ffd9fa5",
"versionType": "git"
},
{
"lessThan": "80f8a66dede0a4b4e9e846765a97809c6fe49ce5",
"status": "affected",
"version": "13e5afd3d773c6fc6ca2b89027befaaaa1ea7293",
"versionType": "git"
},
{
"status": "affected",
"version": "147537737a3c83e07a5295de38424c21d354d2a4",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/iface.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5.10.165",
"status": "affected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThan": "5.15.90",
"status": "affected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThan": "6.1.8",
"status": "affected",
"version": "6.1.2",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.165",
"versionStartIncluding": "5.10.163",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.90",
"versionStartIncluding": "5.15.86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.8",
"versionStartIncluding": "6.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"wifi: mac80211: fix memory leak in ieee80211_if_add()\"\n\nThis reverts commit 13e5afd3d773c6fc6ca2b89027befaaaa1ea7293.\n\nieee80211_if_free() is already called from free_netdev(ndev)\nbecause ndev-\u003epriv_destructor == ieee80211_if_free\n\nsyzbot reported:\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000004: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]\nCPU: 0 PID: 10041 Comm: syz-executor.0 Not tainted 6.2.0-rc2-syzkaller-00388-g55b98837e37d #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\nRIP: 0010:pcpu_get_page_chunk mm/percpu.c:262 [inline]\nRIP: 0010:pcpu_chunk_addr_search mm/percpu.c:1619 [inline]\nRIP: 0010:free_percpu mm/percpu.c:2271 [inline]\nRIP: 0010:free_percpu+0x186/0x10f0 mm/percpu.c:2254\nCode: 80 3c 02 00 0f 85 f5 0e 00 00 48 8b 3b 48 01 ef e8 cf b3 0b 00 48 ba 00 00 00 00 00 fc ff df 48 8d 78 20 48 89 f9 48 c1 e9 03 \u003c80\u003e 3c 11 00 0f 85 3b 0e 00 00 48 8b 58 20 48 b8 00 00 00 00 00 fc\nRSP: 0018:ffffc90004ba7068 EFLAGS: 00010002\nRAX: 0000000000000000 RBX: ffff88823ffe2b80 RCX: 0000000000000004\nRDX: dffffc0000000000 RSI: ffffffff81c1f4e7 RDI: 0000000000000020\nRBP: ffffe8fffe8fc220 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000000000000 R11: 1ffffffff2179ab2 R12: ffff8880b983d000\nR13: 0000000000000003 R14: 0000607f450fc220 R15: ffff88823ffe2988\nFS: 00007fcb349de700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b32220000 CR3: 000000004914f000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\u003cTASK\u003e\nnetdev_run_todo+0x6bf/0x1100 net/core/dev.c:10352\nieee80211_register_hw+0x2663/0x4040 net/mac80211/main.c:1411\nmac80211_hwsim_new_radio+0x2537/0x4d80 drivers/net/wireless/mac80211_hwsim.c:4583\nhwsim_new_radio_nl+0xa09/0x10f0 drivers/net/wireless/mac80211_hwsim.c:5176\ngenl_family_rcv_msg_doit.isra.0+0x1e6/0x2d0 net/netlink/genetlink.c:968\ngenl_family_rcv_msg net/netlink/genetlink.c:1048 [inline]\ngenl_rcv_msg+0x4ff/0x7e0 net/netlink/genetlink.c:1065\nnetlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2564\ngenl_rcv+0x28/0x40 net/netlink/genetlink.c:1076\nnetlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]\nnetlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1356\nnetlink_sendmsg+0x91b/0xe10 net/netlink/af_netlink.c:1932\nsock_sendmsg_nosec net/socket.c:714 [inline]\nsock_sendmsg+0xd3/0x120 net/socket.c:734\n____sys_sendmsg+0x712/0x8c0 net/socket.c:2476\n___sys_sendmsg+0x110/0x1b0 net/socket.c:2530\n__sys_sendmsg+0xf7/0x1c0 net/socket.c:2559\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:50:07.292Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/71e5cd1018d345e649e63f74a56c1897f99db7e9"
},
{
"url": "https://git.kernel.org/stable/c/982c8b1e95c088f5d8f65967ec25be66e961401c"
},
{
"url": "https://git.kernel.org/stable/c/effecd8d116d3d3a28b4f628e61bba8d318fdfcf"
},
{
"url": "https://git.kernel.org/stable/c/80f8a66dede0a4b4e9e846765a97809c6fe49ce5"
}
],
"title": "Revert \"wifi: mac80211: fix memory leak in ieee80211_if_add()\"",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53028",
"datePublished": "2025-03-27T16:43:57.568Z",
"dateReserved": "2025-03-27T16:40:15.756Z",
"dateUpdated": "2025-05-04T12:50:07.292Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21889 (GCVE-0-2025-21889)
Vulnerability from cvelistv5
Published
2025-03-27 14:57
Modified
2025-05-04 07:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
perf/core: Add RCU read lock protection to perf_iterate_ctx()
The perf_iterate_ctx() function performs RCU list traversal but
currently lacks RCU read lock protection. This causes lockdep warnings
when running perf probe with unshare(1) under CONFIG_PROVE_RCU_LIST=y:
WARNING: suspicious RCU usage
kernel/events/core.c:8168 RCU-list traversed in non-reader section!!
Call Trace:
lockdep_rcu_suspicious
? perf_event_addr_filters_apply
perf_iterate_ctx
perf_event_exec
begin_new_exec
? load_elf_phdrs
load_elf_binary
? lock_acquire
? find_held_lock
? bprm_execve
bprm_execve
do_execveat_common.isra.0
__x64_sys_execve
do_syscall_64
entry_SYSCALL_64_after_hwframe
This protection was previously present but was removed in commit
bd2756811766 ("perf: Rewrite core context handling"). Add back the
necessary rcu_read_lock()/rcu_read_unlock() pair around
perf_iterate_ctx() call in perf_event_exec().
[ mingo: Use scoped_guard() as suggested by Peter ]
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/events/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f390c2eea571945f357a2d3b9fcb1c015767132e",
"status": "affected",
"version": "bd27568117664b8b3e259721393df420ed51f57b",
"versionType": "git"
},
{
"lessThan": "a2475ccad6120546ea45dbcd6cd1f74dc565ef6b",
"status": "affected",
"version": "bd27568117664b8b3e259721393df420ed51f57b",
"versionType": "git"
},
{
"lessThan": "dd536566dda9a551fc2a2acfab5313a5bb13ed02",
"status": "affected",
"version": "bd27568117664b8b3e259721393df420ed51f57b",
"versionType": "git"
},
{
"lessThan": "0fe8813baf4b2e865d3b2c735ce1a15b86002c74",
"status": "affected",
"version": "bd27568117664b8b3e259721393df420ed51f57b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/events/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.2"
},
{
"lessThan": "6.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.81",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.18",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.6",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/core: Add RCU read lock protection to perf_iterate_ctx()\n\nThe perf_iterate_ctx() function performs RCU list traversal but\ncurrently lacks RCU read lock protection. This causes lockdep warnings\nwhen running perf probe with unshare(1) under CONFIG_PROVE_RCU_LIST=y:\n\n\tWARNING: suspicious RCU usage\n\tkernel/events/core.c:8168 RCU-list traversed in non-reader section!!\n\n\t Call Trace:\n\t lockdep_rcu_suspicious\n\t ? perf_event_addr_filters_apply\n\t perf_iterate_ctx\n\t perf_event_exec\n\t begin_new_exec\n\t ? load_elf_phdrs\n\t load_elf_binary\n\t ? lock_acquire\n\t ? find_held_lock\n\t ? bprm_execve\n\t bprm_execve\n\t do_execveat_common.isra.0\n\t __x64_sys_execve\n\t do_syscall_64\n\t entry_SYSCALL_64_after_hwframe\n\nThis protection was previously present but was removed in commit\nbd2756811766 (\"perf: Rewrite core context handling\"). Add back the\nnecessary rcu_read_lock()/rcu_read_unlock() pair around\nperf_iterate_ctx() call in perf_event_exec().\n\n[ mingo: Use scoped_guard() as suggested by Peter ]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:23:24.688Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f390c2eea571945f357a2d3b9fcb1c015767132e"
},
{
"url": "https://git.kernel.org/stable/c/a2475ccad6120546ea45dbcd6cd1f74dc565ef6b"
},
{
"url": "https://git.kernel.org/stable/c/dd536566dda9a551fc2a2acfab5313a5bb13ed02"
},
{
"url": "https://git.kernel.org/stable/c/0fe8813baf4b2e865d3b2c735ce1a15b86002c74"
}
],
"title": "perf/core: Add RCU read lock protection to perf_iterate_ctx()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21889",
"datePublished": "2025-03-27T14:57:15.897Z",
"dateReserved": "2024-12-29T08:45:45.782Z",
"dateUpdated": "2025-05-04T07:23:24.688Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49739 (GCVE-0-2022-49739)
Vulnerability from cvelistv5
Published
2025-03-27 16:42
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
gfs2: Always check inode size of inline inodes
Check if the inode size of stuffed (inline) inodes is within the allowed
range when reading inodes from disk (gfs2_dinode_in()). This prevents
us from on-disk corruption.
The two checks in stuffed_readpage() and gfs2_unstuffer_page() that just
truncate inline data to the maximum allowed size don't actually make
sense, and they can be removed now as well.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/gfs2/aops.c",
"fs/gfs2/bmap.c",
"fs/gfs2/glops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "45df749f827c286adbc951f2a4865b67f0442ba9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4d4cb76636134bf9a0c9c3432dae936f99954586",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7c414f6f06e9a3934901b6edc3177ae5a1e07094",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "46c9088cabd4d0469fdb61ac2a9c5003057fe94d",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d458a0984429c2d47e60254f5bc4119cbafe83a2",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "70376c7ff31221f1d21db5611d8209e677781d3a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/gfs2/aops.c",
"fs/gfs2/bmap.c",
"fs/gfs2/glops.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.280",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.177",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.280",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.240",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.177",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Always check inode size of inline inodes\n\nCheck if the inode size of stuffed (inline) inodes is within the allowed\nrange when reading inodes from disk (gfs2_dinode_in()). This prevents\nus from on-disk corruption.\n\nThe two checks in stuffed_readpage() and gfs2_unstuffer_page() that just\ntruncate inline data to the maximum allowed size don\u0027t actually make\nsense, and they can be removed now as well."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:21.114Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/45df749f827c286adbc951f2a4865b67f0442ba9"
},
{
"url": "https://git.kernel.org/stable/c/4d4cb76636134bf9a0c9c3432dae936f99954586"
},
{
"url": "https://git.kernel.org/stable/c/7c414f6f06e9a3934901b6edc3177ae5a1e07094"
},
{
"url": "https://git.kernel.org/stable/c/46c9088cabd4d0469fdb61ac2a9c5003057fe94d"
},
{
"url": "https://git.kernel.org/stable/c/d458a0984429c2d47e60254f5bc4119cbafe83a2"
},
{
"url": "https://git.kernel.org/stable/c/70376c7ff31221f1d21db5611d8209e677781d3a"
}
],
"title": "gfs2: Always check inode size of inline inodes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49739",
"datePublished": "2025-03-27T16:42:51.609Z",
"dateReserved": "2025-03-27T16:39:17.986Z",
"dateUpdated": "2025-05-04T08:44:21.114Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52984 (GCVE-0-2023-52984)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: phy: dp83822: Fix null pointer access on DP83825/DP83826 devices
The probe() function is only used for the DP83822 PHY, leaving the
private data pointer uninitialized for the smaller DP83825/26 models.
While all uses of the private data structure are hidden in 82822 specific
callbacks, configuring the interrupt is shared across all models.
This causes a NULL pointer dereference on the smaller PHYs as it accesses
the private data unchecked. Verifying the pointer avoids that.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/dp83822.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "362a2f5531dc0e5b0b5b3e3a541000dbffa75461",
"status": "affected",
"version": "5dc39fd5ef35bc6919759fa99246581b1adc6b82",
"versionType": "git"
},
{
"lessThan": "2cd1e9c013ec56421c58921b1ddf1d2d53bd47fa",
"status": "affected",
"version": "5dc39fd5ef35bc6919759fa99246581b1adc6b82",
"versionType": "git"
},
{
"lessThan": "78901b10522cdf6badf24acf65a892637596bccc",
"status": "affected",
"version": "5dc39fd5ef35bc6919759fa99246581b1adc6b82",
"versionType": "git"
},
{
"lessThan": "422ae7d9c7221e8d4c8526d0f54106307d69d2dc",
"status": "affected",
"version": "5dc39fd5ef35bc6919759fa99246581b1adc6b82",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/dp83822.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.10"
},
{
"lessThan": "5.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.168",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: dp83822: Fix null pointer access on DP83825/DP83826 devices\n\nThe probe() function is only used for the DP83822 PHY, leaving the\nprivate data pointer uninitialized for the smaller DP83825/26 models.\nWhile all uses of the private data structure are hidden in 82822 specific\ncallbacks, configuring the interrupt is shared across all models.\nThis causes a NULL pointer dereference on the smaller PHYs as it accesses\nthe private data unchecked. Verifying the pointer avoids that."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:46:50.571Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/362a2f5531dc0e5b0b5b3e3a541000dbffa75461"
},
{
"url": "https://git.kernel.org/stable/c/2cd1e9c013ec56421c58921b1ddf1d2d53bd47fa"
},
{
"url": "https://git.kernel.org/stable/c/78901b10522cdf6badf24acf65a892637596bccc"
},
{
"url": "https://git.kernel.org/stable/c/422ae7d9c7221e8d4c8526d0f54106307d69d2dc"
}
],
"title": "net: phy: dp83822: Fix null pointer access on DP83825/DP83826 devices",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52984",
"datePublished": "2025-03-27T16:43:22.283Z",
"dateReserved": "2025-03-27T16:40:15.740Z",
"dateUpdated": "2025-05-04T07:46:50.571Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49754 (GCVE-0-2022-49754)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Fix a buffer overflow in mgmt_mesh_add()
Smatch Warning:
net/bluetooth/mgmt_util.c:375 mgmt_mesh_add() error: __memcpy()
'mesh_tx->param' too small (48 vs 50)
Analysis:
'mesh_tx->param' is array of size 48. This is the destination.
u8 param[sizeof(struct mgmt_cp_mesh_send) + 29]; // 19 + 29 = 48.
But in the caller 'mesh_send' we reject only when len > 50.
len > (MGMT_MESH_SEND_SIZE + 31) // 19 + 31 = 50.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/mgmt_util.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ed818fd8c531abf561b379995ee7cc4c68029464",
"status": "affected",
"version": "b338d91703fae6f6afd67f3f75caa3b8f36ddef3",
"versionType": "git"
},
{
"lessThan": "2185e0fdbb2137f22a9dd9fcbf6481400d56299b",
"status": "affected",
"version": "b338d91703fae6f6afd67f3f75caa3b8f36ddef3",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/mgmt_util.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix a buffer overflow in mgmt_mesh_add()\n\nSmatch Warning:\nnet/bluetooth/mgmt_util.c:375 mgmt_mesh_add() error: __memcpy()\n\u0027mesh_tx-\u003eparam\u0027 too small (48 vs 50)\n\nAnalysis:\n\n\u0027mesh_tx-\u003eparam\u0027 is array of size 48. This is the destination.\nu8 param[sizeof(struct mgmt_cp_mesh_send) + 29]; // 19 + 29 = 48.\n\nBut in the caller \u0027mesh_send\u0027 we reject only when len \u003e 50.\nlen \u003e (MGMT_MESH_SEND_SIZE + 31) // 19 + 31 = 50."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:40.681Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ed818fd8c531abf561b379995ee7cc4c68029464"
},
{
"url": "https://git.kernel.org/stable/c/2185e0fdbb2137f22a9dd9fcbf6481400d56299b"
}
],
"title": "Bluetooth: Fix a buffer overflow in mgmt_mesh_add()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49754",
"datePublished": "2025-03-27T16:43:02.049Z",
"dateReserved": "2025-03-27T16:39:17.988Z",
"dateUpdated": "2025-05-04T08:44:40.681Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21892 (GCVE-0-2025-21892)
Vulnerability from cvelistv5
Published
2025-03-27 14:57
Modified
2025-05-04 13:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mlx5: Fix the recovery flow of the UMR QP
This patch addresses an issue in the recovery flow of the UMR QP,
ensuring tasks do not get stuck, as highlighted by the call trace [1].
During recovery, before transitioning the QP to the RESET state, the
software must wait for all outstanding WRs to complete.
Failing to do so can cause the firmware to skip sending some flushed
CQEs with errors and simply discard them upon the RESET, as per the IB
specification.
This race condition can result in lost CQEs and tasks becoming stuck.
To resolve this, the patch sends a final WR which serves only as a
barrier before moving the QP state to RESET.
Once a CQE is received for that final WR, it guarantees that no
outstanding WRs remain, making it safe to transition the QP to RESET and
subsequently back to RTS, restoring proper functionality.
Note:
For the barrier WR, we simply reuse the failed and ready WR.
Since the QP is in an error state, it will only receive
IB_WC_WR_FLUSH_ERR. However, as it serves only as a barrier we don't
care about its status.
[1]
INFO: task rdma_resource_l:1922 blocked for more than 120 seconds.
Tainted: G W 6.12.0-rc7+ #1626
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:rdma_resource_l state:D stack:0 pid:1922 tgid:1922 ppid:1369
flags:0x00004004
Call Trace:
<TASK>
__schedule+0x420/0xd30
schedule+0x47/0x130
schedule_timeout+0x280/0x300
? mark_held_locks+0x48/0x80
? lockdep_hardirqs_on_prepare+0xe5/0x1a0
wait_for_completion+0x75/0x130
mlx5r_umr_post_send_wait+0x3c2/0x5b0 [mlx5_ib]
? __pfx_mlx5r_umr_done+0x10/0x10 [mlx5_ib]
mlx5r_umr_revoke_mr+0x93/0xc0 [mlx5_ib]
__mlx5_ib_dereg_mr+0x299/0x520 [mlx5_ib]
? _raw_spin_unlock_irq+0x24/0x40
? wait_for_completion+0xfe/0x130
? rdma_restrack_put+0x63/0xe0 [ib_core]
ib_dereg_mr_user+0x5f/0x120 [ib_core]
? lock_release+0xc6/0x280
destroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs]
uverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs]
uobj_destroy+0x3f/0x70 [ib_uverbs]
ib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs]
? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs]
? __lock_acquire+0x64e/0x2080
? mark_held_locks+0x48/0x80
? find_held_lock+0x2d/0xa0
? lock_acquire+0xc1/0x2f0
? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]
? __fget_files+0xc3/0x1b0
ib_uverbs_ioctl+0xe7/0x170 [ib_uverbs]
? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]
__x64_sys_ioctl+0x1b0/0xa70
do_syscall_64+0x6b/0x140
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f99c918b17b
RSP: 002b:00007ffc766d0468 EFLAGS: 00000246 ORIG_RAX:
0000000000000010
RAX: ffffffffffffffda RBX: 00007ffc766d0578 RCX:
00007f99c918b17b
RDX: 00007ffc766d0560 RSI: 00000000c0181b01 RDI:
0000000000000003
RBP: 00007ffc766d0540 R08: 00007f99c8f99010 R09:
000000000000bd7e
R10: 00007f99c94c1c70 R11: 0000000000000246 R12:
00007ffc766d0530
R13: 000000000000001c R14: 0000000040246a80 R15:
0000000000000000
</TASK>
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mlx5/umr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3e3bf255992cc02404e9d209b127c1c9944239cf",
"status": "affected",
"version": "158e71bb69e368b8b33e8b7c4ac8c111da0c1ae2",
"versionType": "git"
},
{
"lessThan": "1d2b84d8d054313deed2b2fcafe1168bbcb9e99f",
"status": "affected",
"version": "158e71bb69e368b8b33e8b7c4ac8c111da0c1ae2",
"versionType": "git"
},
{
"lessThan": "d97505baea64d93538b16baf14ce7b8c1fbad746",
"status": "affected",
"version": "158e71bb69e368b8b33e8b7c4ac8c111da0c1ae2",
"versionType": "git"
},
{
"status": "affected",
"version": "d8f7bff9a42627d37f4ecffeb01e44db42167175",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mlx5/umr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.18",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.6",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.19.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix the recovery flow of the UMR QP\n\nThis patch addresses an issue in the recovery flow of the UMR QP,\nensuring tasks do not get stuck, as highlighted by the call trace [1].\n\nDuring recovery, before transitioning the QP to the RESET state, the\nsoftware must wait for all outstanding WRs to complete.\n\nFailing to do so can cause the firmware to skip sending some flushed\nCQEs with errors and simply discard them upon the RESET, as per the IB\nspecification.\n\nThis race condition can result in lost CQEs and tasks becoming stuck.\n\nTo resolve this, the patch sends a final WR which serves only as a\nbarrier before moving the QP state to RESET.\n\nOnce a CQE is received for that final WR, it guarantees that no\noutstanding WRs remain, making it safe to transition the QP to RESET and\nsubsequently back to RTS, restoring proper functionality.\n\nNote:\nFor the barrier WR, we simply reuse the failed and ready WR.\nSince the QP is in an error state, it will only receive\nIB_WC_WR_FLUSH_ERR. However, as it serves only as a barrier we don\u0027t\ncare about its status.\n\n[1]\nINFO: task rdma_resource_l:1922 blocked for more than 120 seconds.\nTainted: G W 6.12.0-rc7+ #1626\n\"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:rdma_resource_l state:D stack:0 pid:1922 tgid:1922 ppid:1369\n flags:0x00004004\nCall Trace:\n\u003cTASK\u003e\n__schedule+0x420/0xd30\nschedule+0x47/0x130\nschedule_timeout+0x280/0x300\n? mark_held_locks+0x48/0x80\n? lockdep_hardirqs_on_prepare+0xe5/0x1a0\nwait_for_completion+0x75/0x130\nmlx5r_umr_post_send_wait+0x3c2/0x5b0 [mlx5_ib]\n? __pfx_mlx5r_umr_done+0x10/0x10 [mlx5_ib]\nmlx5r_umr_revoke_mr+0x93/0xc0 [mlx5_ib]\n__mlx5_ib_dereg_mr+0x299/0x520 [mlx5_ib]\n? _raw_spin_unlock_irq+0x24/0x40\n? wait_for_completion+0xfe/0x130\n? rdma_restrack_put+0x63/0xe0 [ib_core]\nib_dereg_mr_user+0x5f/0x120 [ib_core]\n? lock_release+0xc6/0x280\ndestroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs]\nuverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs]\nuobj_destroy+0x3f/0x70 [ib_uverbs]\nib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs]\n? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs]\n? __lock_acquire+0x64e/0x2080\n? mark_held_locks+0x48/0x80\n? find_held_lock+0x2d/0xa0\n? lock_acquire+0xc1/0x2f0\n? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]\n? __fget_files+0xc3/0x1b0\nib_uverbs_ioctl+0xe7/0x170 [ib_uverbs]\n? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]\n__x64_sys_ioctl+0x1b0/0xa70\ndo_syscall_64+0x6b/0x140\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7f99c918b17b\nRSP: 002b:00007ffc766d0468 EFLAGS: 00000246 ORIG_RAX:\n 0000000000000010\nRAX: ffffffffffffffda RBX: 00007ffc766d0578 RCX:\n 00007f99c918b17b\nRDX: 00007ffc766d0560 RSI: 00000000c0181b01 RDI:\n 0000000000000003\nRBP: 00007ffc766d0540 R08: 00007f99c8f99010 R09:\n 000000000000bd7e\nR10: 00007f99c94c1c70 R11: 0000000000000246 R12:\n 00007ffc766d0530\nR13: 000000000000001c R14: 0000000040246a80 R15:\n 0000000000000000\n\u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T13:06:41.507Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3e3bf255992cc02404e9d209b127c1c9944239cf"
},
{
"url": "https://git.kernel.org/stable/c/1d2b84d8d054313deed2b2fcafe1168bbcb9e99f"
},
{
"url": "https://git.kernel.org/stable/c/d97505baea64d93538b16baf14ce7b8c1fbad746"
}
],
"title": "RDMA/mlx5: Fix the recovery flow of the UMR QP",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21892",
"datePublished": "2025-03-27T14:57:17.885Z",
"dateReserved": "2024-12-29T08:45:45.783Z",
"dateUpdated": "2025-05-04T13:06:41.507Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53025 (GCVE-0-2023-53025)
Vulnerability from cvelistv5
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Show details on NVD website{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2025-06-05T14:53:39.739Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"rejectedReasons": [
{
"lang": "en",
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53025",
"datePublished": "2025-03-27T16:43:50.536Z",
"dateRejected": "2025-06-05T14:53:39.739Z",
"dateReserved": "2025-03-27T16:40:15.755Z",
"dateUpdated": "2025-06-05T14:53:39.739Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21891 (GCVE-0-2025-21891)
Vulnerability from cvelistv5
Published
2025-03-27 14:57
Modified
2025-05-04 07:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipvlan: ensure network headers are in skb linear part
syzbot found that ipvlan_process_v6_outbound() was assuming
the IPv6 network header isis present in skb->head [1]
Add the needed pskb_network_may_pull() calls for both
IPv4 and IPv6 handlers.
[1]
BUG: KMSAN: uninit-value in __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47
__ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47
ipv6_addr_type include/net/ipv6.h:555 [inline]
ip6_route_output_flags_noref net/ipv6/route.c:2616 [inline]
ip6_route_output_flags+0x51/0x720 net/ipv6/route.c:2651
ip6_route_output include/net/ip6_route.h:93 [inline]
ipvlan_route_v6_outbound+0x24e/0x520 drivers/net/ipvlan/ipvlan_core.c:476
ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:491 [inline]
ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:541 [inline]
ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:605 [inline]
ipvlan_queue_xmit+0xd72/0x1780 drivers/net/ipvlan/ipvlan_core.c:671
ipvlan_start_xmit+0x5b/0x210 drivers/net/ipvlan/ipvlan_main.c:223
__netdev_start_xmit include/linux/netdevice.h:5150 [inline]
netdev_start_xmit include/linux/netdevice.h:5159 [inline]
xmit_one net/core/dev.c:3735 [inline]
dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3751
sch_direct_xmit+0x399/0xd40 net/sched/sch_generic.c:343
qdisc_restart net/sched/sch_generic.c:408 [inline]
__qdisc_run+0x14da/0x35d0 net/sched/sch_generic.c:416
qdisc_run+0x141/0x4d0 include/net/pkt_sched.h:127
net_tx_action+0x78b/0x940 net/core/dev.c:5484
handle_softirqs+0x1a0/0x7c0 kernel/softirq.c:561
__do_softirq+0x14/0x1a kernel/softirq.c:595
do_softirq+0x9a/0x100 kernel/softirq.c:462
__local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:389
local_bh_enable include/linux/bottom_half.h:33 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]
__dev_queue_xmit+0x2758/0x57d0 net/core/dev.c:4611
dev_queue_xmit include/linux/netdevice.h:3311 [inline]
packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276
packet_snd net/packet/af_packet.c:3132 [inline]
packet_sendmsg+0x93e0/0xa7e0 net/packet/af_packet.c:3164
sock_sendmsg_nosec net/socket.c:718 [inline]
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 2ad7bf3638411cb547f2823df08166c13ab04269 Version: 2ad7bf3638411cb547f2823df08166c13ab04269 Version: 2ad7bf3638411cb547f2823df08166c13ab04269 Version: 2ad7bf3638411cb547f2823df08166c13ab04269 Version: 2ad7bf3638411cb547f2823df08166c13ab04269 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ipvlan/ipvlan_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5b8dea8d1612dc7151d2457d7d2e6a69820309bf",
"status": "affected",
"version": "2ad7bf3638411cb547f2823df08166c13ab04269",
"versionType": "git"
},
{
"lessThan": "4ec48f812804f370f622e0874e6dd8fcc58241cd",
"status": "affected",
"version": "2ad7bf3638411cb547f2823df08166c13ab04269",
"versionType": "git"
},
{
"lessThan": "5353fd89663c48f56bdff975c562cfe78b1a2e4c",
"status": "affected",
"version": "2ad7bf3638411cb547f2823df08166c13ab04269",
"versionType": "git"
},
{
"lessThan": "e2a4f76a2d8a44816ecd25bcbdb47b786d621974",
"status": "affected",
"version": "2ad7bf3638411cb547f2823df08166c13ab04269",
"versionType": "git"
},
{
"lessThan": "27843ce6ba3d3122b65066550fe33fb8839f8aef",
"status": "affected",
"version": "2ad7bf3638411cb547f2823df08166c13ab04269",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ipvlan/ipvlan_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.130",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.81",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.18",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.6",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "3.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: ensure network headers are in skb linear part\n\nsyzbot found that ipvlan_process_v6_outbound() was assuming\nthe IPv6 network header isis present in skb-\u003ehead [1]\n\nAdd the needed pskb_network_may_pull() calls for both\nIPv4 and IPv6 handlers.\n\n[1]\nBUG: KMSAN: uninit-value in __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47\n __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47\n ipv6_addr_type include/net/ipv6.h:555 [inline]\n ip6_route_output_flags_noref net/ipv6/route.c:2616 [inline]\n ip6_route_output_flags+0x51/0x720 net/ipv6/route.c:2651\n ip6_route_output include/net/ip6_route.h:93 [inline]\n ipvlan_route_v6_outbound+0x24e/0x520 drivers/net/ipvlan/ipvlan_core.c:476\n ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:491 [inline]\n ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:541 [inline]\n ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:605 [inline]\n ipvlan_queue_xmit+0xd72/0x1780 drivers/net/ipvlan/ipvlan_core.c:671\n ipvlan_start_xmit+0x5b/0x210 drivers/net/ipvlan/ipvlan_main.c:223\n __netdev_start_xmit include/linux/netdevice.h:5150 [inline]\n netdev_start_xmit include/linux/netdevice.h:5159 [inline]\n xmit_one net/core/dev.c:3735 [inline]\n dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3751\n sch_direct_xmit+0x399/0xd40 net/sched/sch_generic.c:343\n qdisc_restart net/sched/sch_generic.c:408 [inline]\n __qdisc_run+0x14da/0x35d0 net/sched/sch_generic.c:416\n qdisc_run+0x141/0x4d0 include/net/pkt_sched.h:127\n net_tx_action+0x78b/0x940 net/core/dev.c:5484\n handle_softirqs+0x1a0/0x7c0 kernel/softirq.c:561\n __do_softirq+0x14/0x1a kernel/softirq.c:595\n do_softirq+0x9a/0x100 kernel/softirq.c:462\n __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:389\n local_bh_enable include/linux/bottom_half.h:33 [inline]\n rcu_read_unlock_bh include/linux/rcupdate.h:919 [inline]\n __dev_queue_xmit+0x2758/0x57d0 net/core/dev.c:4611\n dev_queue_xmit include/linux/netdevice.h:3311 [inline]\n packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3132 [inline]\n packet_sendmsg+0x93e0/0xa7e0 net/packet/af_packet.c:3164\n sock_sendmsg_nosec net/socket.c:718 [inline]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:23:27.454Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5b8dea8d1612dc7151d2457d7d2e6a69820309bf"
},
{
"url": "https://git.kernel.org/stable/c/4ec48f812804f370f622e0874e6dd8fcc58241cd"
},
{
"url": "https://git.kernel.org/stable/c/5353fd89663c48f56bdff975c562cfe78b1a2e4c"
},
{
"url": "https://git.kernel.org/stable/c/e2a4f76a2d8a44816ecd25bcbdb47b786d621974"
},
{
"url": "https://git.kernel.org/stable/c/27843ce6ba3d3122b65066550fe33fb8839f8aef"
}
],
"title": "ipvlan: ensure network headers are in skb linear part",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21891",
"datePublished": "2025-03-27T14:57:17.267Z",
"dateReserved": "2024-12-29T08:45:45.783Z",
"dateUpdated": "2025-05-04T07:23:27.454Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53008 (GCVE-0-2023-53008)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
cifs: fix potential memory leaks in session setup
Make sure to free cifs_ses::auth_key.response before allocating it as
we might end up leaking memory in reconnect or mounting.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/cifs/cifsencrypt.c",
"fs/cifs/sess.c",
"fs/cifs/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "893d45394dbe4b5cbf3723c19e2ccc8b93a6ac9b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2fe58d977ee05da5bb89ef5dc4f5bf2dc15db46f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/cifs/cifsencrypt.c",
"fs/cifs/sess.c",
"fs/cifs/smb2pdu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix potential memory leaks in session setup\n\nMake sure to free cifs_ses::auth_key.response before allocating it as\nwe might end up leaking memory in reconnect or mounting."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:29.791Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/893d45394dbe4b5cbf3723c19e2ccc8b93a6ac9b"
},
{
"url": "https://git.kernel.org/stable/c/2fe58d977ee05da5bb89ef5dc4f5bf2dc15db46f"
}
],
"title": "cifs: fix potential memory leaks in session setup",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53008",
"datePublished": "2025-03-27T16:43:38.718Z",
"dateReserved": "2025-03-27T16:40:15.746Z",
"dateUpdated": "2025-05-04T07:47:29.791Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52982 (GCVE-0-2023-52982)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fscache: Use wait_on_bit() to wait for the freeing of relinquished volume
The freeing of relinquished volume will wake up the pending volume
acquisition by using wake_up_bit(), however it is mismatched with
wait_var_event() used in fscache_wait_on_volume_collision() and it will
never wake up the waiter in the wait-queue because these two functions
operate on different wait-queues.
According to the implementation in fscache_wait_on_volume_collision(),
if the wake-up of pending acquisition is delayed longer than 20 seconds
(e.g., due to the delay of on-demand fd closing), the first
wait_var_event_timeout() will timeout and the following wait_var_event()
will hang forever as shown below:
FS-Cache: Potential volume collision new=00000024 old=00000022
......
INFO: task mount:1148 blocked for more than 122 seconds.
Not tainted 6.1.0-rc6+ #1
task:mount state:D stack:0 pid:1148 ppid:1
Call Trace:
<TASK>
__schedule+0x2f6/0xb80
schedule+0x67/0xe0
fscache_wait_on_volume_collision.cold+0x80/0x82
__fscache_acquire_volume+0x40d/0x4e0
erofs_fscache_register_volume+0x51/0xe0 [erofs]
erofs_fscache_register_fs+0x19c/0x240 [erofs]
erofs_fc_fill_super+0x746/0xaf0 [erofs]
vfs_get_super+0x7d/0x100
get_tree_nodev+0x16/0x20
erofs_fc_get_tree+0x20/0x30 [erofs]
vfs_get_tree+0x24/0xb0
path_mount+0x2fa/0xa90
do_mount+0x7c/0xa0
__x64_sys_mount+0x8b/0xe0
do_syscall_64+0x30/0x60
entry_SYSCALL_64_after_hwframe+0x46/0xb0
Considering that wake_up_bit() is more selective, so fix it by using
wait_on_bit() instead of wait_var_event() to wait for the freeing of
relinquished volume. In addition because waitqueue_active() is used in
wake_up_bit() and clear_bit() doesn't imply any memory barrier, use
clear_and_wake_up_bit() to add the missing memory barrier between
cursor->flags and waitqueue_active().
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/fscache/volume.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3be069f42a7b79d3149194f21cdf24bf23864cac",
"status": "affected",
"version": "62ab63352350e881ae693a8236b35d7d0516c78b",
"versionType": "git"
},
{
"lessThan": "8226e37d82f43657da34dd770e2b38f20242ada7",
"status": "affected",
"version": "62ab63352350e881ae693a8236b35d7d0516c78b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/fscache/volume.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.17"
},
{
"lessThan": "5.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "5.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfscache: Use wait_on_bit() to wait for the freeing of relinquished volume\n\nThe freeing of relinquished volume will wake up the pending volume\nacquisition by using wake_up_bit(), however it is mismatched with\nwait_var_event() used in fscache_wait_on_volume_collision() and it will\nnever wake up the waiter in the wait-queue because these two functions\noperate on different wait-queues.\n\nAccording to the implementation in fscache_wait_on_volume_collision(),\nif the wake-up of pending acquisition is delayed longer than 20 seconds\n(e.g., due to the delay of on-demand fd closing), the first\nwait_var_event_timeout() will timeout and the following wait_var_event()\nwill hang forever as shown below:\n\n FS-Cache: Potential volume collision new=00000024 old=00000022\n ......\n INFO: task mount:1148 blocked for more than 122 seconds.\n Not tainted 6.1.0-rc6+ #1\n task:mount state:D stack:0 pid:1148 ppid:1\n Call Trace:\n \u003cTASK\u003e\n __schedule+0x2f6/0xb80\n schedule+0x67/0xe0\n fscache_wait_on_volume_collision.cold+0x80/0x82\n __fscache_acquire_volume+0x40d/0x4e0\n erofs_fscache_register_volume+0x51/0xe0 [erofs]\n erofs_fscache_register_fs+0x19c/0x240 [erofs]\n erofs_fc_fill_super+0x746/0xaf0 [erofs]\n vfs_get_super+0x7d/0x100\n get_tree_nodev+0x16/0x20\n erofs_fc_get_tree+0x20/0x30 [erofs]\n vfs_get_tree+0x24/0xb0\n path_mount+0x2fa/0xa90\n do_mount+0x7c/0xa0\n __x64_sys_mount+0x8b/0xe0\n do_syscall_64+0x30/0x60\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nConsidering that wake_up_bit() is more selective, so fix it by using\nwait_on_bit() instead of wait_var_event() to wait for the freeing of\nrelinquished volume. In addition because waitqueue_active() is used in\nwake_up_bit() and clear_bit() doesn\u0027t imply any memory barrier, use\nclear_and_wake_up_bit() to add the missing memory barrier between\ncursor-\u003eflags and waitqueue_active()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:46:47.540Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3be069f42a7b79d3149194f21cdf24bf23864cac"
},
{
"url": "https://git.kernel.org/stable/c/8226e37d82f43657da34dd770e2b38f20242ada7"
}
],
"title": "fscache: Use wait_on_bit() to wait for the freeing of relinquished volume",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52982",
"datePublished": "2025-03-27T16:43:20.735Z",
"dateReserved": "2025-03-27T16:40:15.740Z",
"dateUpdated": "2025-05-04T07:46:47.540Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53017 (GCVE-0-2023-53017)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_sync: fix memory leak in hci_update_adv_data()
When hci_cmd_sync_queue() failed in hci_update_adv_data(), inst_ptr is
not freed, which will cause memory leak, convert to use ERR_PTR/PTR_ERR
to pass the instance to callback so no memory needs to be allocated.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_sync.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8ac6043bd3e5b58d30f50737aedc2e58e8087ad5",
"status": "affected",
"version": "651cd3d65b0f76a2198fcf3a80ce5d53dd267717",
"versionType": "git"
},
{
"lessThan": "1ed8b37cbaf14574c779064ef1372af62e8ba6aa",
"status": "affected",
"version": "651cd3d65b0f76a2198fcf3a80ce5d53dd267717",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/hci_sync.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sync: fix memory leak in hci_update_adv_data()\n\nWhen hci_cmd_sync_queue() failed in hci_update_adv_data(), inst_ptr is\nnot freed, which will cause memory leak, convert to use ERR_PTR/PTR_ERR\nto pass the instance to callback so no memory needs to be allocated."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:45.879Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8ac6043bd3e5b58d30f50737aedc2e58e8087ad5"
},
{
"url": "https://git.kernel.org/stable/c/1ed8b37cbaf14574c779064ef1372af62e8ba6aa"
}
],
"title": "Bluetooth: hci_sync: fix memory leak in hci_update_adv_data()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53017",
"datePublished": "2025-03-27T16:43:45.211Z",
"dateReserved": "2025-03-27T16:40:15.750Z",
"dateUpdated": "2025-05-04T07:47:45.879Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21883 (GCVE-0-2025-21883)
Vulnerability from cvelistv5
Published
2025-03-27 14:57
Modified
2025-05-04 07:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
ice: Fix deinitializing VF in error path
If ice_ena_vfs() fails after calling ice_create_vf_entries(), it frees
all VFs without removing them from snapshot PF-VF mailbox list, leading
to list corruption.
Reproducer:
devlink dev eswitch set $PF1_PCI mode switchdev
ip l s $PF1 up
ip l s $PF1 promisc on
sleep 1
echo 1 > /sys/class/net/$PF1/device/sriov_numvfs
sleep 1
echo 1 > /sys/class/net/$PF1/device/sriov_numvfs
Trace (minimized):
list_add corruption. next->prev should be prev (ffff8882e241c6f0), but was 0000000000000000. (next=ffff888455da1330).
kernel BUG at lib/list_debug.c:29!
RIP: 0010:__list_add_valid_or_report+0xa6/0x100
ice_mbx_init_vf_info+0xa7/0x180 [ice]
ice_initialize_vf_entry+0x1fa/0x250 [ice]
ice_sriov_configure+0x8d7/0x1520 [ice]
? __percpu_ref_switch_mode+0x1b1/0x5d0
? __pfx_ice_sriov_configure+0x10/0x10 [ice]
Sometimes a KASAN report can be seen instead with a similar stack trace:
BUG: KASAN: use-after-free in __list_add_valid_or_report+0xf1/0x100
VFs are added to this list in ice_mbx_init_vf_info(), but only removed
in ice_free_vfs(). Move the removing to ice_free_vf_entries(), which is
also being called in other places where VFs are being removed (including
ice_free_vfs() itself).
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_sriov.c",
"drivers/net/ethernet/intel/ice/ice_vf_lib.c",
"drivers/net/ethernet/intel/ice/ice_vf_lib_private.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3c01102bec9592928e6b155da41cfcd5d25a2066",
"status": "affected",
"version": "8cd8a6b17d275a45e3722d0215f6115b687c8c3e",
"versionType": "git"
},
{
"lessThan": "a4880583f88deba63504ce1c8287a70d39c01378",
"status": "affected",
"version": "8cd8a6b17d275a45e3722d0215f6115b687c8c3e",
"versionType": "git"
},
{
"lessThan": "34393fd78d7183a007eaf0090966ebedcc29bd57",
"status": "affected",
"version": "8cd8a6b17d275a45e3722d0215f6115b687c8c3e",
"versionType": "git"
},
{
"lessThan": "79990cf5e7aded76d0c092c9f5ed31eb1c75e02c",
"status": "affected",
"version": "8cd8a6b17d275a45e3722d0215f6115b687c8c3e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/ice/ice_sriov.c",
"drivers/net/ethernet/intel/ice/ice_vf_lib.c",
"drivers/net/ethernet/intel/ice/ice_vf_lib_private.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.81",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.18",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.6",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix deinitializing VF in error path\n\nIf ice_ena_vfs() fails after calling ice_create_vf_entries(), it frees\nall VFs without removing them from snapshot PF-VF mailbox list, leading\nto list corruption.\n\nReproducer:\n devlink dev eswitch set $PF1_PCI mode switchdev\n ip l s $PF1 up\n ip l s $PF1 promisc on\n sleep 1\n echo 1 \u003e /sys/class/net/$PF1/device/sriov_numvfs\n sleep 1\n echo 1 \u003e /sys/class/net/$PF1/device/sriov_numvfs\n\nTrace (minimized):\n list_add corruption. next-\u003eprev should be prev (ffff8882e241c6f0), but was 0000000000000000. (next=ffff888455da1330).\n kernel BUG at lib/list_debug.c:29!\n RIP: 0010:__list_add_valid_or_report+0xa6/0x100\n ice_mbx_init_vf_info+0xa7/0x180 [ice]\n ice_initialize_vf_entry+0x1fa/0x250 [ice]\n ice_sriov_configure+0x8d7/0x1520 [ice]\n ? __percpu_ref_switch_mode+0x1b1/0x5d0\n ? __pfx_ice_sriov_configure+0x10/0x10 [ice]\n\nSometimes a KASAN report can be seen instead with a similar stack trace:\n BUG: KASAN: use-after-free in __list_add_valid_or_report+0xf1/0x100\n\nVFs are added to this list in ice_mbx_init_vf_info(), but only removed\nin ice_free_vfs(). Move the removing to ice_free_vf_entries(), which is\nalso being called in other places where VFs are being removed (including\nice_free_vfs() itself)."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:23:16.768Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3c01102bec9592928e6b155da41cfcd5d25a2066"
},
{
"url": "https://git.kernel.org/stable/c/a4880583f88deba63504ce1c8287a70d39c01378"
},
{
"url": "https://git.kernel.org/stable/c/34393fd78d7183a007eaf0090966ebedcc29bd57"
},
{
"url": "https://git.kernel.org/stable/c/79990cf5e7aded76d0c092c9f5ed31eb1c75e02c"
}
],
"title": "ice: Fix deinitializing VF in error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21883",
"datePublished": "2025-03-27T14:57:11.766Z",
"dateReserved": "2024-12-29T08:45:45.782Z",
"dateUpdated": "2025-05-04T07:23:16.768Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49747 (GCVE-0-2022-49747)
Vulnerability from cvelistv5
Published
2025-03-27 16:42
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
erofs/zmap.c: Fix incorrect offset calculation
Effective offset to add to length was being incorrectly calculated,
which resulted in iomap->length being set to 0, triggering a WARN_ON
in iomap_iter_done().
Fix that, and describe it in comments.
This was reported as a crash by syzbot under an issue about a warning
encountered in iomap_iter_done(), but unrelated to erofs.
C reproducer: https://syzkaller.appspot.com/text?tag=ReproC&x=1037a6b2880000
Kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=e2021a61197ebe02
Dashboard link: https://syzkaller.appspot.com/bug?extid=a8e049cd3abd342936b6
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/erofs/zmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2144859229c1e74f52d3ea067338d314a83a8afb",
"status": "affected",
"version": "eadcd6b5a1eb39866ab8d8a3e4f2e51bc51a2350",
"versionType": "git"
},
{
"lessThan": "9f31d8c889d9a4e47bfcc6c4537d0c9f89fe582c",
"status": "affected",
"version": "eadcd6b5a1eb39866ab8d8a3e4f2e51bc51a2350",
"versionType": "git"
},
{
"lessThan": "6acd87d50998ef0afafc441613aeaf5a8f5c9eff",
"status": "affected",
"version": "eadcd6b5a1eb39866ab8d8a3e4f2e51bc51a2350",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/erofs/zmap.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.92",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.92",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.10",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs/zmap.c: Fix incorrect offset calculation\n\nEffective offset to add to length was being incorrectly calculated,\nwhich resulted in iomap-\u003elength being set to 0, triggering a WARN_ON\nin iomap_iter_done().\n\nFix that, and describe it in comments.\n\nThis was reported as a crash by syzbot under an issue about a warning\nencountered in iomap_iter_done(), but unrelated to erofs.\n\nC reproducer: https://syzkaller.appspot.com/text?tag=ReproC\u0026x=1037a6b2880000\nKernel config: https://syzkaller.appspot.com/text?tag=KernelConfig\u0026x=e2021a61197ebe02\nDashboard link: https://syzkaller.appspot.com/bug?extid=a8e049cd3abd342936b6"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:31.027Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2144859229c1e74f52d3ea067338d314a83a8afb"
},
{
"url": "https://git.kernel.org/stable/c/9f31d8c889d9a4e47bfcc6c4537d0c9f89fe582c"
},
{
"url": "https://git.kernel.org/stable/c/6acd87d50998ef0afafc441613aeaf5a8f5c9eff"
}
],
"title": "erofs/zmap.c: Fix incorrect offset calculation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49747",
"datePublished": "2025-03-27T16:42:57.094Z",
"dateReserved": "2025-03-27T16:39:17.987Z",
"dateUpdated": "2025-05-04T08:44:31.027Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53009 (GCVE-0-2023-53009)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: Add sync after creating vram bo
There will be data corruption on vram allocated by svm
if the initialization is not complete and application is
writting on the memory. Adding sync to wait for the
initialization completion is to resolve this issue.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_svm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "92af2d3b57a1afdfdcafb1c6a07ffd89cf3e98fb",
"status": "affected",
"version": "42de677f79999791bee4e21be318c32d90ab62c6",
"versionType": "git"
},
{
"lessThan": "ba029e9991d9be90a28b6a0ceb25e9a6fb348829",
"status": "affected",
"version": "42de677f79999791bee4e21be318c32d90ab62c6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/amdkfd/kfd_svm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Add sync after creating vram bo\n\nThere will be data corruption on vram allocated by svm\nif the initialization is not complete and application is\nwritting on the memory. Adding sync to wait for the\ninitialization completion is to resolve this issue."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:31.021Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/92af2d3b57a1afdfdcafb1c6a07ffd89cf3e98fb"
},
{
"url": "https://git.kernel.org/stable/c/ba029e9991d9be90a28b6a0ceb25e9a6fb348829"
}
],
"title": "drm/amdkfd: Add sync after creating vram bo",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53009",
"datePublished": "2025-03-27T16:43:39.481Z",
"dateReserved": "2025-03-27T16:40:15.746Z",
"dateUpdated": "2025-05-04T07:47:31.021Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53007 (GCVE-0-2023-53007)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tracing: Make sure trace_printk() can output as soon as it can be used
Currently trace_printk() can be used as soon as early_trace_init() is
called from start_kernel(). But if a crash happens, and
"ftrace_dump_on_oops" is set on the kernel command line, all you get will
be:
[ 0.456075] <idle>-0 0dN.2. 347519us : Unknown type 6
[ 0.456075] <idle>-0 0dN.2. 353141us : Unknown type 6
[ 0.456075] <idle>-0 0dN.2. 358684us : Unknown type 6
This is because the trace_printk() event (type 6) hasn't been registered
yet. That gets done via an early_initcall(), which may be early, but not
early enough.
Instead of registering the trace_printk() event (and other ftrace events,
which are not trace events) via an early_initcall(), have them registered at
the same time that trace_printk() can be used. This way, if there is a
crash before early_initcall(), then the trace_printk()s will actually be
useful.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: e725c731e3bb1e892e7b564c945b121cb41d1087 Version: e725c731e3bb1e892e7b564c945b121cb41d1087 Version: e725c731e3bb1e892e7b564c945b121cb41d1087 Version: e725c731e3bb1e892e7b564c945b121cb41d1087 Version: e725c731e3bb1e892e7b564c945b121cb41d1087 Version: e725c731e3bb1e892e7b564c945b121cb41d1087 Version: e725c731e3bb1e892e7b564c945b121cb41d1087 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace.c",
"kernel/trace/trace.h",
"kernel/trace/trace_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f97eb0ab066133483a65c93eb894748de2f6b598",
"status": "affected",
"version": "e725c731e3bb1e892e7b564c945b121cb41d1087",
"versionType": "git"
},
{
"lessThan": "b94d7c7654356860dd7719120c7d15ba38b6162a",
"status": "affected",
"version": "e725c731e3bb1e892e7b564c945b121cb41d1087",
"versionType": "git"
},
{
"lessThan": "76b2390fdc80c0a8300e5da5b6b62d201b6fe9ce",
"status": "affected",
"version": "e725c731e3bb1e892e7b564c945b121cb41d1087",
"versionType": "git"
},
{
"lessThan": "de3930a4883ddad2244efd6d349013294c62c75c",
"status": "affected",
"version": "e725c731e3bb1e892e7b564c945b121cb41d1087",
"versionType": "git"
},
{
"lessThan": "b0af180514edea6c83dc9a299d9f383009c99f25",
"status": "affected",
"version": "e725c731e3bb1e892e7b564c945b121cb41d1087",
"versionType": "git"
},
{
"lessThan": "198c83963f6335ca6d690cff067679560f2a3a22",
"status": "affected",
"version": "e725c731e3bb1e892e7b564c945b121cb41d1087",
"versionType": "git"
},
{
"lessThan": "3bb06eb6e9acf7c4a3e1b5bc87aed398ff8e2253",
"status": "affected",
"version": "e725c731e3bb1e892e7b564c945b121cb41d1087",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/trace/trace.c",
"kernel/trace/trace.h",
"kernel/trace/trace_output.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.305",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.272",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.305",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.272",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Make sure trace_printk() can output as soon as it can be used\n\nCurrently trace_printk() can be used as soon as early_trace_init() is\ncalled from start_kernel(). But if a crash happens, and\n\"ftrace_dump_on_oops\" is set on the kernel command line, all you get will\nbe:\n\n [ 0.456075] \u003cidle\u003e-0 0dN.2. 347519us : Unknown type 6\n [ 0.456075] \u003cidle\u003e-0 0dN.2. 353141us : Unknown type 6\n [ 0.456075] \u003cidle\u003e-0 0dN.2. 358684us : Unknown type 6\n\nThis is because the trace_printk() event (type 6) hasn\u0027t been registered\nyet. That gets done via an early_initcall(), which may be early, but not\nearly enough.\n\nInstead of registering the trace_printk() event (and other ftrace events,\nwhich are not trace events) via an early_initcall(), have them registered at\nthe same time that trace_printk() can be used. This way, if there is a\ncrash before early_initcall(), then the trace_printk()s will actually be\nuseful."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:23.690Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f97eb0ab066133483a65c93eb894748de2f6b598"
},
{
"url": "https://git.kernel.org/stable/c/b94d7c7654356860dd7719120c7d15ba38b6162a"
},
{
"url": "https://git.kernel.org/stable/c/76b2390fdc80c0a8300e5da5b6b62d201b6fe9ce"
},
{
"url": "https://git.kernel.org/stable/c/de3930a4883ddad2244efd6d349013294c62c75c"
},
{
"url": "https://git.kernel.org/stable/c/b0af180514edea6c83dc9a299d9f383009c99f25"
},
{
"url": "https://git.kernel.org/stable/c/198c83963f6335ca6d690cff067679560f2a3a22"
},
{
"url": "https://git.kernel.org/stable/c/3bb06eb6e9acf7c4a3e1b5bc87aed398ff8e2253"
}
],
"title": "tracing: Make sure trace_printk() can output as soon as it can be used",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53007",
"datePublished": "2025-03-27T16:43:38.102Z",
"dateReserved": "2025-03-27T16:40:15.745Z",
"dateUpdated": "2025-05-04T07:47:23.690Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52977 (GCVE-0-2023-52977)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 12:49
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: openvswitch: fix flow memory leak in ovs_flow_cmd_new
Syzkaller reports a memory leak of new_flow in ovs_flow_cmd_new() as it is
not freed when an allocation of a key fails.
BUG: memory leak
unreferenced object 0xffff888116668000 (size 632):
comm "syz-executor231", pid 1090, jiffies 4294844701 (age 18.871s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<00000000defa3494>] kmem_cache_zalloc include/linux/slab.h:654 [inline]
[<00000000defa3494>] ovs_flow_alloc+0x19/0x180 net/openvswitch/flow_table.c:77
[<00000000c67d8873>] ovs_flow_cmd_new+0x1de/0xd40 net/openvswitch/datapath.c:957
[<0000000010a539a8>] genl_family_rcv_msg_doit+0x22d/0x330 net/netlink/genetlink.c:739
[<00000000dff3302d>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
[<00000000dff3302d>] genl_rcv_msg+0x328/0x590 net/netlink/genetlink.c:800
[<000000000286dd87>] netlink_rcv_skb+0x153/0x430 net/netlink/af_netlink.c:2515
[<0000000061fed410>] genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
[<000000009dc0f111>] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
[<000000009dc0f111>] netlink_unicast+0x545/0x7f0 net/netlink/af_netlink.c:1339
[<000000004a5ee816>] netlink_sendmsg+0x8e7/0xde0 net/netlink/af_netlink.c:1934
[<00000000482b476f>] sock_sendmsg_nosec net/socket.c:651 [inline]
[<00000000482b476f>] sock_sendmsg+0x152/0x190 net/socket.c:671
[<00000000698574ba>] ____sys_sendmsg+0x70a/0x870 net/socket.c:2356
[<00000000d28d9e11>] ___sys_sendmsg+0xf3/0x170 net/socket.c:2410
[<0000000083ba9120>] __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439
[<00000000c00628f8>] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46
[<000000004abfdcf4>] entry_SYSCALL_64_after_hwframe+0x61/0xc6
To fix this the patch rearranges the goto labels to reflect the order of
object allocations and adds appropriate goto statements on the error
paths.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 655e873bf528f0f46ce6b069f9a2daee9621197c Version: ee27d70556a47c3a07e65a60f47e3ea12a255af8 Version: 8b74211bf60b3e0c0ed4fe3d16c92ffdcaaf34eb Version: 6736b61ecf230dd656464de0f514bdeadb384f20 Version: 0133615a06007684df648feb9d327714e399afd4 Version: 32d5fa5bdccec2361fc6c4ed05a7367155b3a1e9 Version: 68bb10101e6b0a6bb44e9c908ef795fc4af99eae Version: 4f592e712ea2132f511d545954867d7880df5be2 Version: a991a411c3e21ef22507400dbb179ae02029d42c |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/openvswitch/datapath.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1ac653cf886cdfc082708c82dc6ac6115cebd2ee",
"status": "affected",
"version": "655e873bf528f0f46ce6b069f9a2daee9621197c",
"versionType": "git"
},
{
"lessThan": "af4e720bc00a2653f7b9df21755b9978b3d7f386",
"status": "affected",
"version": "ee27d70556a47c3a07e65a60f47e3ea12a255af8",
"versionType": "git"
},
{
"lessThan": "ed6c5e8caf55778500202775167e8ccdb1a030cb",
"status": "affected",
"version": "8b74211bf60b3e0c0ed4fe3d16c92ffdcaaf34eb",
"versionType": "git"
},
{
"lessThan": "70154489f531587996f3e9d7cceeee65cff0001d",
"status": "affected",
"version": "6736b61ecf230dd656464de0f514bdeadb384f20",
"versionType": "git"
},
{
"lessThan": "f423c2efd51d7eb1d143c2be7eea233241d9bbbf",
"status": "affected",
"version": "0133615a06007684df648feb9d327714e399afd4",
"versionType": "git"
},
{
"lessThan": "70d40674a549d498bd63d5432acf46205da1534b",
"status": "affected",
"version": "32d5fa5bdccec2361fc6c4ed05a7367155b3a1e9",
"versionType": "git"
},
{
"lessThan": "0c598aed445eb45b0ee7ba405f7ece99ee349c30",
"status": "affected",
"version": "68bb10101e6b0a6bb44e9c908ef795fc4af99eae",
"versionType": "git"
},
{
"status": "affected",
"version": "4f592e712ea2132f511d545954867d7880df5be2",
"versionType": "git"
},
{
"status": "affected",
"version": "a991a411c3e21ef22507400dbb179ae02029d42c",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/openvswitch/datapath.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4.14.306",
"status": "affected",
"version": "4.14.303",
"versionType": "semver"
},
{
"lessThan": "4.19.273",
"status": "affected",
"version": "4.19.270",
"versionType": "semver"
},
{
"lessThan": "5.4.232",
"status": "affected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThan": "5.10.168",
"status": "affected",
"version": "5.10.163",
"versionType": "semver"
},
{
"lessThan": "5.15.93",
"status": "affected",
"version": "5.15.86",
"versionType": "semver"
},
{
"lessThan": "6.1.11",
"status": "affected",
"version": "6.1.2",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.306",
"versionStartIncluding": "4.14.303",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.273",
"versionStartIncluding": "4.19.270",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.232",
"versionStartIncluding": "5.4.229",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.168",
"versionStartIncluding": "5.10.163",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"versionStartIncluding": "5.15.86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "6.1.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.337",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: fix flow memory leak in ovs_flow_cmd_new\n\nSyzkaller reports a memory leak of new_flow in ovs_flow_cmd_new() as it is\nnot freed when an allocation of a key fails.\n\nBUG: memory leak\nunreferenced object 0xffff888116668000 (size 632):\n comm \"syz-executor231\", pid 1090, jiffies 4294844701 (age 18.871s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003c00000000defa3494\u003e] kmem_cache_zalloc include/linux/slab.h:654 [inline]\n [\u003c00000000defa3494\u003e] ovs_flow_alloc+0x19/0x180 net/openvswitch/flow_table.c:77\n [\u003c00000000c67d8873\u003e] ovs_flow_cmd_new+0x1de/0xd40 net/openvswitch/datapath.c:957\n [\u003c0000000010a539a8\u003e] genl_family_rcv_msg_doit+0x22d/0x330 net/netlink/genetlink.c:739\n [\u003c00000000dff3302d\u003e] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n [\u003c00000000dff3302d\u003e] genl_rcv_msg+0x328/0x590 net/netlink/genetlink.c:800\n [\u003c000000000286dd87\u003e] netlink_rcv_skb+0x153/0x430 net/netlink/af_netlink.c:2515\n [\u003c0000000061fed410\u003e] genl_rcv+0x24/0x40 net/netlink/genetlink.c:811\n [\u003c000000009dc0f111\u003e] netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]\n [\u003c000000009dc0f111\u003e] netlink_unicast+0x545/0x7f0 net/netlink/af_netlink.c:1339\n [\u003c000000004a5ee816\u003e] netlink_sendmsg+0x8e7/0xde0 net/netlink/af_netlink.c:1934\n [\u003c00000000482b476f\u003e] sock_sendmsg_nosec net/socket.c:651 [inline]\n [\u003c00000000482b476f\u003e] sock_sendmsg+0x152/0x190 net/socket.c:671\n [\u003c00000000698574ba\u003e] ____sys_sendmsg+0x70a/0x870 net/socket.c:2356\n [\u003c00000000d28d9e11\u003e] ___sys_sendmsg+0xf3/0x170 net/socket.c:2410\n [\u003c0000000083ba9120\u003e] __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439\n [\u003c00000000c00628f8\u003e] do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46\n [\u003c000000004abfdcf4\u003e] entry_SYSCALL_64_after_hwframe+0x61/0xc6\n\nTo fix this the patch rearranges the goto labels to reflect the order of\nobject allocations and adds appropriate goto statements on the error\npaths.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:49:58.492Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1ac653cf886cdfc082708c82dc6ac6115cebd2ee"
},
{
"url": "https://git.kernel.org/stable/c/af4e720bc00a2653f7b9df21755b9978b3d7f386"
},
{
"url": "https://git.kernel.org/stable/c/ed6c5e8caf55778500202775167e8ccdb1a030cb"
},
{
"url": "https://git.kernel.org/stable/c/70154489f531587996f3e9d7cceeee65cff0001d"
},
{
"url": "https://git.kernel.org/stable/c/f423c2efd51d7eb1d143c2be7eea233241d9bbbf"
},
{
"url": "https://git.kernel.org/stable/c/70d40674a549d498bd63d5432acf46205da1534b"
},
{
"url": "https://git.kernel.org/stable/c/0c598aed445eb45b0ee7ba405f7ece99ee349c30"
}
],
"title": "net: openvswitch: fix flow memory leak in ovs_flow_cmd_new",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52977",
"datePublished": "2025-03-27T16:43:17.234Z",
"dateReserved": "2025-03-27T16:40:15.738Z",
"dateUpdated": "2025-05-04T12:49:58.492Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53019 (GCVE-0-2023-53019)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: mdio: validate parameter addr in mdiobus_get_phy()
The caller may pass any value as addr, what may result in an out-of-bounds
access to array mdio_map. One existing case is stmmac_init_phy() that
may pass -1 as addr. Therefore validate addr before using it.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 7f854420fbfe9d49afe2ffb1df052cfe8e215541 Version: 7f854420fbfe9d49afe2ffb1df052cfe8e215541 Version: 7f854420fbfe9d49afe2ffb1df052cfe8e215541 Version: 7f854420fbfe9d49afe2ffb1df052cfe8e215541 Version: 7f854420fbfe9d49afe2ffb1df052cfe8e215541 Version: 7f854420fbfe9d49afe2ffb1df052cfe8e215541 Version: 7f854420fbfe9d49afe2ffb1df052cfe8e215541 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/mdio_bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1d80c259dfbadefa61b7ea334dfce5cb57f8c72f",
"status": "affected",
"version": "7f854420fbfe9d49afe2ffb1df052cfe8e215541",
"versionType": "git"
},
{
"lessThan": "c431a3d642593bbdb99e8a9e3eed608b730db6f8",
"status": "affected",
"version": "7f854420fbfe9d49afe2ffb1df052cfe8e215541",
"versionType": "git"
},
{
"lessThan": "8a7b9560a3a8eb8724888c426e05926752f73aa0",
"status": "affected",
"version": "7f854420fbfe9d49afe2ffb1df052cfe8e215541",
"versionType": "git"
},
{
"lessThan": "4bc5f1f6bc94e695dfd912122af96e7115a0ddb8",
"status": "affected",
"version": "7f854420fbfe9d49afe2ffb1df052cfe8e215541",
"versionType": "git"
},
{
"lessThan": "ad67de330d83e8078372b52af18ffe8d39e26c85",
"status": "affected",
"version": "7f854420fbfe9d49afe2ffb1df052cfe8e215541",
"versionType": "git"
},
{
"lessThan": "7879626296e6ffd838ae0f2af1ab49ee46354973",
"status": "affected",
"version": "7f854420fbfe9d49afe2ffb1df052cfe8e215541",
"versionType": "git"
},
{
"lessThan": "867dbe784c5010a466f00a7d1467c1c5ea569c75",
"status": "affected",
"version": "7f854420fbfe9d49afe2ffb1df052cfe8e215541",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/phy/mdio_bus.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.5"
},
{
"lessThan": "4.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.305",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.272",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.305",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.272",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "4.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mdio: validate parameter addr in mdiobus_get_phy()\n\nThe caller may pass any value as addr, what may result in an out-of-bounds\naccess to array mdio_map. One existing case is stmmac_init_phy() that\nmay pass -1 as addr. Therefore validate addr before using it."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:48.426Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1d80c259dfbadefa61b7ea334dfce5cb57f8c72f"
},
{
"url": "https://git.kernel.org/stable/c/c431a3d642593bbdb99e8a9e3eed608b730db6f8"
},
{
"url": "https://git.kernel.org/stable/c/8a7b9560a3a8eb8724888c426e05926752f73aa0"
},
{
"url": "https://git.kernel.org/stable/c/4bc5f1f6bc94e695dfd912122af96e7115a0ddb8"
},
{
"url": "https://git.kernel.org/stable/c/ad67de330d83e8078372b52af18ffe8d39e26c85"
},
{
"url": "https://git.kernel.org/stable/c/7879626296e6ffd838ae0f2af1ab49ee46354973"
},
{
"url": "https://git.kernel.org/stable/c/867dbe784c5010a466f00a7d1467c1c5ea569c75"
}
],
"title": "net: mdio: validate parameter addr in mdiobus_get_phy()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53019",
"datePublished": "2025-03-27T16:43:46.493Z",
"dateReserved": "2025-03-27T16:40:15.751Z",
"dateUpdated": "2025-05-04T07:47:48.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53020 (GCVE-0-2023-53020)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
l2tp: close all race conditions in l2tp_tunnel_register()
The code in l2tp_tunnel_register() is racy in several ways:
1. It modifies the tunnel socket _after_ publishing it.
2. It calls setup_udp_tunnel_sock() on an existing socket without
locking.
3. It changes sock lock class on fly, which triggers many syzbot
reports.
This patch amends all of them by moving socket initialization code
before publishing and under sock lock. As suggested by Jakub, the
l2tp lockdep class is not necessary as we can just switch to
bh_lock_sock_nested().
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/l2tp/l2tp_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2d77e5c0ad79004b5ef901895437e9cce6dfcc7e",
"status": "affected",
"version": "37159ef2c1ae1e696b24b260b241209a19f92c60",
"versionType": "git"
},
{
"lessThan": "77e8ed776cdb1a24b2aab8fe7c6f1f154235e1ce",
"status": "affected",
"version": "37159ef2c1ae1e696b24b260b241209a19f92c60",
"versionType": "git"
},
{
"lessThan": "cef0845b6dcfa2f6c2c832e7f9622551456c741d",
"status": "affected",
"version": "37159ef2c1ae1e696b24b260b241209a19f92c60",
"versionType": "git"
},
{
"lessThan": "0b2c59720e65885a394a017d0cf9cab118914682",
"status": "affected",
"version": "37159ef2c1ae1e696b24b260b241209a19f92c60",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/l2tp/l2tp_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.6"
},
{
"lessThan": "3.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: close all race conditions in l2tp_tunnel_register()\n\nThe code in l2tp_tunnel_register() is racy in several ways:\n\n1. It modifies the tunnel socket _after_ publishing it.\n\n2. It calls setup_udp_tunnel_sock() on an existing socket without\n locking.\n\n3. It changes sock lock class on fly, which triggers many syzbot\n reports.\n\nThis patch amends all of them by moving socket initialization code\nbefore publishing and under sock lock. As suggested by Jakub, the\nl2tp lockdep class is not necessary as we can just switch to\nbh_lock_sock_nested()."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:49.986Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2d77e5c0ad79004b5ef901895437e9cce6dfcc7e"
},
{
"url": "https://git.kernel.org/stable/c/77e8ed776cdb1a24b2aab8fe7c6f1f154235e1ce"
},
{
"url": "https://git.kernel.org/stable/c/cef0845b6dcfa2f6c2c832e7f9622551456c741d"
},
{
"url": "https://git.kernel.org/stable/c/0b2c59720e65885a394a017d0cf9cab118914682"
}
],
"title": "l2tp: close all race conditions in l2tp_tunnel_register()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53020",
"datePublished": "2025-03-27T16:43:47.151Z",
"dateReserved": "2025-03-27T16:40:15.752Z",
"dateUpdated": "2025-05-04T07:47:49.986Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53027 (GCVE-0-2023-53027)
Vulnerability from cvelistv5
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Show details on NVD website{
"containers": {
"cna": {
"providerMetadata": {
"dateUpdated": "2025-03-28T06:52:52.767Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"rejectedReasons": [
{
"lang": "en",
"value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53027",
"datePublished": "2025-03-27T16:43:56.906Z",
"dateRejected": "2025-03-28T06:52:52.767Z",
"dateReserved": "2025-03-27T16:40:15.756Z",
"dateUpdated": "2025-03-28T06:52:52.767Z",
"state": "REJECTED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52995 (GCVE-0-2023-52995)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
riscv/kprobe: Fix instruction simulation of JALR
Set kprobe at 'jalr 1140(ra)' of vfs_write results in the following
crash:
[ 32.092235] Unable to handle kernel access to user memory without uaccess routines at virtual address 00aaaaaad77b1170
[ 32.093115] Oops [#1]
[ 32.093251] Modules linked in:
[ 32.093626] CPU: 0 PID: 135 Comm: ftracetest Not tainted 6.2.0-rc2-00013-gb0aa5e5df0cb-dirty #16
[ 32.093985] Hardware name: riscv-virtio,qemu (DT)
[ 32.094280] epc : ksys_read+0x88/0xd6
[ 32.094855] ra : ksys_read+0xc0/0xd6
[ 32.095016] epc : ffffffff801cda80 ra : ffffffff801cdab8 sp : ff20000000d7bdc0
[ 32.095227] gp : ffffffff80f14000 tp : ff60000080f9cb40 t0 : ffffffff80f13e80
[ 32.095500] t1 : ffffffff8000c29c t2 : ffffffff800dbc54 s0 : ff20000000d7be60
[ 32.095716] s1 : 0000000000000000 a0 : ffffffff805a64ae a1 : ffffffff80a83708
[ 32.095921] a2 : ffffffff80f160a0 a3 : 0000000000000000 a4 : f229b0afdb165300
[ 32.096171] a5 : f229b0afdb165300 a6 : ffffffff80eeebd0 a7 : 00000000000003ff
[ 32.096411] s2 : ff6000007ff76800 s3 : fffffffffffffff7 s4 : 00aaaaaad77b1170
[ 32.096638] s5 : ffffffff80f160a0 s6 : ff6000007ff76800 s7 : 0000000000000030
[ 32.096865] s8 : 00ffffffc3d97be0 s9 : 0000000000000007 s10: 00aaaaaad77c9410
[ 32.097092] s11: 0000000000000000 t3 : ffffffff80f13e48 t4 : ffffffff8000c29c
[ 32.097317] t5 : ffffffff8000c29c t6 : ffffffff800dbc54
[ 32.097505] status: 0000000200000120 badaddr: 00aaaaaad77b1170 cause: 000000000000000d
[ 32.098011] [<ffffffff801cdb72>] ksys_write+0x6c/0xd6
[ 32.098222] [<ffffffff801cdc06>] sys_write+0x2a/0x38
[ 32.098405] [<ffffffff80003c76>] ret_from_syscall+0x0/0x2
Since the rs1 and rd might be the same one, such as 'jalr 1140(ra)',
hence it requires obtaining the target address from rs1 followed by
updating rd.
[Palmer: Pick Guo's cleanup]
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/riscv/kernel/probes/simulate-insn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "614471b7f7cd28a2c96ab9c90b37471c82258ffb",
"status": "affected",
"version": "c22b0bcb1dd024cb9caad9230e3a387d8b061df5",
"versionType": "git"
},
{
"lessThan": "f4c8fc775fcbc9e9047b22671c55ca18f9a127d4",
"status": "affected",
"version": "c22b0bcb1dd024cb9caad9230e3a387d8b061df5",
"versionType": "git"
},
{
"lessThan": "ca0254998be4d74cf6add70ccfab0d2dbd362a10",
"status": "affected",
"version": "c22b0bcb1dd024cb9caad9230e3a387d8b061df5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/riscv/kernel/probes/simulate-insn.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv/kprobe: Fix instruction simulation of JALR\n\nSet kprobe at \u0027jalr 1140(ra)\u0027 of vfs_write results in the following\ncrash:\n\n[ 32.092235] Unable to handle kernel access to user memory without uaccess routines at virtual address 00aaaaaad77b1170\n[ 32.093115] Oops [#1]\n[ 32.093251] Modules linked in:\n[ 32.093626] CPU: 0 PID: 135 Comm: ftracetest Not tainted 6.2.0-rc2-00013-gb0aa5e5df0cb-dirty #16\n[ 32.093985] Hardware name: riscv-virtio,qemu (DT)\n[ 32.094280] epc : ksys_read+0x88/0xd6\n[ 32.094855] ra : ksys_read+0xc0/0xd6\n[ 32.095016] epc : ffffffff801cda80 ra : ffffffff801cdab8 sp : ff20000000d7bdc0\n[ 32.095227] gp : ffffffff80f14000 tp : ff60000080f9cb40 t0 : ffffffff80f13e80\n[ 32.095500] t1 : ffffffff8000c29c t2 : ffffffff800dbc54 s0 : ff20000000d7be60\n[ 32.095716] s1 : 0000000000000000 a0 : ffffffff805a64ae a1 : ffffffff80a83708\n[ 32.095921] a2 : ffffffff80f160a0 a3 : 0000000000000000 a4 : f229b0afdb165300\n[ 32.096171] a5 : f229b0afdb165300 a6 : ffffffff80eeebd0 a7 : 00000000000003ff\n[ 32.096411] s2 : ff6000007ff76800 s3 : fffffffffffffff7 s4 : 00aaaaaad77b1170\n[ 32.096638] s5 : ffffffff80f160a0 s6 : ff6000007ff76800 s7 : 0000000000000030\n[ 32.096865] s8 : 00ffffffc3d97be0 s9 : 0000000000000007 s10: 00aaaaaad77c9410\n[ 32.097092] s11: 0000000000000000 t3 : ffffffff80f13e48 t4 : ffffffff8000c29c\n[ 32.097317] t5 : ffffffff8000c29c t6 : ffffffff800dbc54\n[ 32.097505] status: 0000000200000120 badaddr: 00aaaaaad77b1170 cause: 000000000000000d\n[ 32.098011] [\u003cffffffff801cdb72\u003e] ksys_write+0x6c/0xd6\n[ 32.098222] [\u003cffffffff801cdc06\u003e] sys_write+0x2a/0x38\n[ 32.098405] [\u003cffffffff80003c76\u003e] ret_from_syscall+0x0/0x2\n\nSince the rs1 and rd might be the same one, such as \u0027jalr 1140(ra)\u0027,\nhence it requires obtaining the target address from rs1 followed by\nupdating rd.\n\n[Palmer: Pick Guo\u0027s cleanup]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:07.541Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/614471b7f7cd28a2c96ab9c90b37471c82258ffb"
},
{
"url": "https://git.kernel.org/stable/c/f4c8fc775fcbc9e9047b22671c55ca18f9a127d4"
},
{
"url": "https://git.kernel.org/stable/c/ca0254998be4d74cf6add70ccfab0d2dbd362a10"
}
],
"title": "riscv/kprobe: Fix instruction simulation of JALR",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52995",
"datePublished": "2025-03-27T16:43:29.853Z",
"dateReserved": "2025-03-27T16:40:15.742Z",
"dateUpdated": "2025-05-04T07:47:07.541Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49757 (GCVE-0-2022-49757)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
EDAC/highbank: Fix memory leak in highbank_mc_probe()
When devres_open_group() fails, it returns -ENOMEM without freeing memory
allocated by edac_mc_alloc().
Call edac_mc_free() on the error handling path to avoid a memory leak.
[ bp: Massage commit message. ]
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: a1b01edb274518c7da6d69b84e7558c092282aad Version: a1b01edb274518c7da6d69b84e7558c092282aad Version: a1b01edb274518c7da6d69b84e7558c092282aad Version: a1b01edb274518c7da6d69b84e7558c092282aad Version: a1b01edb274518c7da6d69b84e7558c092282aad Version: a1b01edb274518c7da6d69b84e7558c092282aad Version: a1b01edb274518c7da6d69b84e7558c092282aad |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/edac/highbank_mc_edac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "f1b3e23ed8df87d779ee86ac37f379e79a24169a",
"status": "affected",
"version": "a1b01edb274518c7da6d69b84e7558c092282aad",
"versionType": "git"
},
{
"lessThan": "0db40e23b56d217eebd385bebb64057ef764b2c7",
"status": "affected",
"version": "a1b01edb274518c7da6d69b84e7558c092282aad",
"versionType": "git"
},
{
"lessThan": "8d23f5d25264beb223ee79cdb530b88c237719fc",
"status": "affected",
"version": "a1b01edb274518c7da6d69b84e7558c092282aad",
"versionType": "git"
},
{
"lessThan": "329fbd260352a7b9a83781d8b8bd96f95844a51f",
"status": "affected",
"version": "a1b01edb274518c7da6d69b84e7558c092282aad",
"versionType": "git"
},
{
"lessThan": "caffa7fed1397d1395052272c93900176de86557",
"status": "affected",
"version": "a1b01edb274518c7da6d69b84e7558c092282aad",
"versionType": "git"
},
{
"lessThan": "b7863ef8a8f0fee96b4eb41211f4918c0e047253",
"status": "affected",
"version": "a1b01edb274518c7da6d69b84e7558c092282aad",
"versionType": "git"
},
{
"lessThan": "e7a293658c20a7945014570e1921bf7d25d68a36",
"status": "affected",
"version": "a1b01edb274518c7da6d69b84e7558c092282aad",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/edac/highbank_mc_edac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.6"
},
{
"lessThan": "3.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.305",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.272",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.305",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.272",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "3.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nEDAC/highbank: Fix memory leak in highbank_mc_probe()\n\nWhen devres_open_group() fails, it returns -ENOMEM without freeing memory\nallocated by edac_mc_alloc().\n\nCall edac_mc_free() on the error handling path to avoid a memory leak.\n\n [ bp: Massage commit message. ]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:44.734Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/f1b3e23ed8df87d779ee86ac37f379e79a24169a"
},
{
"url": "https://git.kernel.org/stable/c/0db40e23b56d217eebd385bebb64057ef764b2c7"
},
{
"url": "https://git.kernel.org/stable/c/8d23f5d25264beb223ee79cdb530b88c237719fc"
},
{
"url": "https://git.kernel.org/stable/c/329fbd260352a7b9a83781d8b8bd96f95844a51f"
},
{
"url": "https://git.kernel.org/stable/c/caffa7fed1397d1395052272c93900176de86557"
},
{
"url": "https://git.kernel.org/stable/c/b7863ef8a8f0fee96b4eb41211f4918c0e047253"
},
{
"url": "https://git.kernel.org/stable/c/e7a293658c20a7945014570e1921bf7d25d68a36"
}
],
"title": "EDAC/highbank: Fix memory leak in highbank_mc_probe()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49757",
"datePublished": "2025-03-27T16:43:04.787Z",
"dateReserved": "2025-03-27T16:39:17.989Z",
"dateUpdated": "2025-05-04T08:44:44.734Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52933 (GCVE-0-2023-52933)
Vulnerability from cvelistv5
Published
2025-03-27 16:37
Modified
2025-05-04 12:49
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
Squashfs: fix handling and sanity checking of xattr_ids count
A Sysbot [1] corrupted filesystem exposes two flaws in the handling and
sanity checking of the xattr_ids count in the filesystem. Both of these
flaws cause computation overflow due to incorrect typing.
In the corrupted filesystem the xattr_ids value is 4294967071, which
stored in a signed variable becomes the negative number -225.
Flaw 1 (64-bit systems only):
The signed integer xattr_ids variable causes sign extension.
This causes variable overflow in the SQUASHFS_XATTR_*(A) macros. The
variable is first multiplied by sizeof(struct squashfs_xattr_id) where the
type of the sizeof operator is "unsigned long".
On a 64-bit system this is 64-bits in size, and causes the negative number
to be sign extended and widened to 64-bits and then become unsigned. This
produces the very large number 18446744073709548016 or 2^64 - 3600. This
number when rounded up by SQUASHFS_METADATA_SIZE - 1 (8191 bytes) and
divided by SQUASHFS_METADATA_SIZE overflows and produces a length of 0
(stored in len).
Flaw 2 (32-bit systems only):
On a 32-bit system the integer variable is not widened by the unsigned
long type of the sizeof operator (32-bits), and the signedness of the
variable has no effect due it always being treated as unsigned.
The above corrupted xattr_ids value of 4294967071, when multiplied
overflows and produces the number 4294963696 or 2^32 - 3400. This number
when rounded up by SQUASHFS_METADATA_SIZE - 1 (8191 bytes) and divided by
SQUASHFS_METADATA_SIZE overflows again and produces a length of 0.
The effect of the 0 length computation:
In conjunction with the corrupted xattr_ids field, the filesystem also has
a corrupted xattr_table_start value, where it matches the end of
filesystem value of 850.
This causes the following sanity check code to fail because the
incorrectly computed len of 0 matches the incorrect size of the table
reported by the superblock (0 bytes).
len = SQUASHFS_XATTR_BLOCK_BYTES(*xattr_ids);
indexes = SQUASHFS_XATTR_BLOCKS(*xattr_ids);
/*
* The computed size of the index table (len bytes) should exactly
* match the table start and end points
*/
start = table_start + sizeof(*id_table);
end = msblk->bytes_used;
if (len != (end - start))
return ERR_PTR(-EINVAL);
Changing the xattr_ids variable to be "usigned int" fixes the flaw on a
64-bit system. This relies on the fact the computation is widened by the
unsigned long type of the sizeof operator.
Casting the variable to u64 in the above macro fixes this flaw on a 32-bit
system.
It also means 64-bit systems do not implicitly rely on the type of the
sizeof operator to widen the computation.
[1] https://lore.kernel.org/lkml/000000000000cd44f005f1a0f17f@google.com/
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: ff49cace7b8cf00d27665f7536a863d406963d06 Version: a8717b34003f4f7353b23826617ad872f85d85d8 Version: 3654a0ed0bdc6d70502bfc7c9fec9f1e243dfcad Version: bddcce15cd1fb9675ddd46a76d8fe2d0a571313b Version: 506220d2ba21791314af569211ffd8870b8208fa Version: 506220d2ba21791314af569211ffd8870b8208fa Version: 506220d2ba21791314af569211ffd8870b8208fa Version: 91d4f4d0d7bcd6abd9f9288ff40f4edc716f3d4b Version: eca93bf20f70e0f78c8c28720951942f61a49117 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/squashfs/squashfs_fs.h",
"fs/squashfs/squashfs_fs_sb.h",
"fs/squashfs/xattr.h",
"fs/squashfs/xattr_id.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7fe583c9bec10cd4b76231c51b37f3e4ca646e01",
"status": "affected",
"version": "ff49cace7b8cf00d27665f7536a863d406963d06",
"versionType": "git"
},
{
"lessThan": "b38c3e9e0adc01956cc3e5a52e4d3f92f79d88e2",
"status": "affected",
"version": "a8717b34003f4f7353b23826617ad872f85d85d8",
"versionType": "git"
},
{
"lessThan": "1369322c1de52c7b9b988b95c9903110a4566778",
"status": "affected",
"version": "3654a0ed0bdc6d70502bfc7c9fec9f1e243dfcad",
"versionType": "git"
},
{
"lessThan": "5c4d4a83bf1a862d80c1efff1c6e3ce33b501e2e",
"status": "affected",
"version": "bddcce15cd1fb9675ddd46a76d8fe2d0a571313b",
"versionType": "git"
},
{
"lessThan": "997bed0f3cde78a3e639d624985bf4a95cf767e6",
"status": "affected",
"version": "506220d2ba21791314af569211ffd8870b8208fa",
"versionType": "git"
},
{
"lessThan": "a7da7d01ac5ce9b369a1ac70e1197999cc6c9686",
"status": "affected",
"version": "506220d2ba21791314af569211ffd8870b8208fa",
"versionType": "git"
},
{
"lessThan": "f65c4bbbd682b0877b669828b4e033b8d5d0a2dc",
"status": "affected",
"version": "506220d2ba21791314af569211ffd8870b8208fa",
"versionType": "git"
},
{
"status": "affected",
"version": "91d4f4d0d7bcd6abd9f9288ff40f4edc716f3d4b",
"versionType": "git"
},
{
"status": "affected",
"version": "eca93bf20f70e0f78c8c28720951942f61a49117",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/squashfs/squashfs_fs.h",
"fs/squashfs/squashfs_fs_sb.h",
"fs/squashfs/xattr.h",
"fs/squashfs/xattr_id.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.11"
},
{
"lessThan": "5.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.306",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.273",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.232",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.306",
"versionStartIncluding": "4.14.222",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.273",
"versionStartIncluding": "4.19.176",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.232",
"versionStartIncluding": "5.4.98",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.168",
"versionStartIncluding": "5.10.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.258",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.258",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: fix handling and sanity checking of xattr_ids count\n\nA Sysbot [1] corrupted filesystem exposes two flaws in the handling and\nsanity checking of the xattr_ids count in the filesystem. Both of these\nflaws cause computation overflow due to incorrect typing.\n\nIn the corrupted filesystem the xattr_ids value is 4294967071, which\nstored in a signed variable becomes the negative number -225.\n\nFlaw 1 (64-bit systems only):\n\nThe signed integer xattr_ids variable causes sign extension.\n\nThis causes variable overflow in the SQUASHFS_XATTR_*(A) macros. The\nvariable is first multiplied by sizeof(struct squashfs_xattr_id) where the\ntype of the sizeof operator is \"unsigned long\".\n\nOn a 64-bit system this is 64-bits in size, and causes the negative number\nto be sign extended and widened to 64-bits and then become unsigned. This\nproduces the very large number 18446744073709548016 or 2^64 - 3600. This\nnumber when rounded up by SQUASHFS_METADATA_SIZE - 1 (8191 bytes) and\ndivided by SQUASHFS_METADATA_SIZE overflows and produces a length of 0\n(stored in len).\n\nFlaw 2 (32-bit systems only):\n\nOn a 32-bit system the integer variable is not widened by the unsigned\nlong type of the sizeof operator (32-bits), and the signedness of the\nvariable has no effect due it always being treated as unsigned.\n\nThe above corrupted xattr_ids value of 4294967071, when multiplied\noverflows and produces the number 4294963696 or 2^32 - 3400. This number\nwhen rounded up by SQUASHFS_METADATA_SIZE - 1 (8191 bytes) and divided by\nSQUASHFS_METADATA_SIZE overflows again and produces a length of 0.\n\nThe effect of the 0 length computation:\n\nIn conjunction with the corrupted xattr_ids field, the filesystem also has\na corrupted xattr_table_start value, where it matches the end of\nfilesystem value of 850.\n\nThis causes the following sanity check code to fail because the\nincorrectly computed len of 0 matches the incorrect size of the table\nreported by the superblock (0 bytes).\n\n len = SQUASHFS_XATTR_BLOCK_BYTES(*xattr_ids);\n indexes = SQUASHFS_XATTR_BLOCKS(*xattr_ids);\n\n /*\n * The computed size of the index table (len bytes) should exactly\n * match the table start and end points\n */\n start = table_start + sizeof(*id_table);\n end = msblk-\u003ebytes_used;\n\n if (len != (end - start))\n return ERR_PTR(-EINVAL);\n\nChanging the xattr_ids variable to be \"usigned int\" fixes the flaw on a\n64-bit system. This relies on the fact the computation is widened by the\nunsigned long type of the sizeof operator.\n\nCasting the variable to u64 in the above macro fixes this flaw on a 32-bit\nsystem.\n\nIt also means 64-bit systems do not implicitly rely on the type of the\nsizeof operator to widen the computation.\n\n[1] https://lore.kernel.org/lkml/000000000000cd44f005f1a0f17f@google.com/"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:49:53.516Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7fe583c9bec10cd4b76231c51b37f3e4ca646e01"
},
{
"url": "https://git.kernel.org/stable/c/b38c3e9e0adc01956cc3e5a52e4d3f92f79d88e2"
},
{
"url": "https://git.kernel.org/stable/c/1369322c1de52c7b9b988b95c9903110a4566778"
},
{
"url": "https://git.kernel.org/stable/c/5c4d4a83bf1a862d80c1efff1c6e3ce33b501e2e"
},
{
"url": "https://git.kernel.org/stable/c/997bed0f3cde78a3e639d624985bf4a95cf767e6"
},
{
"url": "https://git.kernel.org/stable/c/a7da7d01ac5ce9b369a1ac70e1197999cc6c9686"
},
{
"url": "https://git.kernel.org/stable/c/f65c4bbbd682b0877b669828b4e033b8d5d0a2dc"
}
],
"title": "Squashfs: fix handling and sanity checking of xattr_ids count",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52933",
"datePublished": "2025-03-27T16:37:14.230Z",
"dateReserved": "2024-08-21T06:07:11.020Z",
"dateUpdated": "2025-05-04T12:49:53.516Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52974 (GCVE-0-2023-52974)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress
If during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails,
userspace could be accessing the host's ipaddress attr. If we then free the
session via iscsi_session_teardown() while userspace is still accessing the
session we will hit a use after free bug.
Set the tcp_sw_host->session after we have completed session creation and
can no longer fail.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-52974",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T16:59:50.791219Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T17:08:22.573Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/scsi/iscsi_tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "496af9d3682ed4c28fb734342a09e6cc0c056ea4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6abd4698f4c8a78e7bbfc421205c060c199554a0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d4d765f4761f9e3a2d62992f825aeee593bcb6b9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "9758ffe1c07b86aefd7ca8e40d9a461293427ca0",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0aaabdb900c7415caa2006ef580322f7eac5f6b6",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "61e43ebfd243bcbad11be26bd921723027b77441",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/scsi/iscsi_tcp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.306",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.273",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.232",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.93",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.306",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.273",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.232",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.168",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress\n\nIf during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails,\nuserspace could be accessing the host\u0027s ipaddress attr. If we then free the\nsession via iscsi_session_teardown() while userspace is still accessing the\nsession we will hit a use after free bug.\n\nSet the tcp_sw_host-\u003esession after we have completed session creation and\ncan no longer fail."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:46:36.953Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/496af9d3682ed4c28fb734342a09e6cc0c056ea4"
},
{
"url": "https://git.kernel.org/stable/c/6abd4698f4c8a78e7bbfc421205c060c199554a0"
},
{
"url": "https://git.kernel.org/stable/c/d4d765f4761f9e3a2d62992f825aeee593bcb6b9"
},
{
"url": "https://git.kernel.org/stable/c/9758ffe1c07b86aefd7ca8e40d9a461293427ca0"
},
{
"url": "https://git.kernel.org/stable/c/0aaabdb900c7415caa2006ef580322f7eac5f6b6"
},
{
"url": "https://git.kernel.org/stable/c/61e43ebfd243bcbad11be26bd921723027b77441"
},
{
"url": "https://git.kernel.org/stable/c/f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3"
}
],
"title": "scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52974",
"datePublished": "2025-03-27T16:43:13.792Z",
"dateReserved": "2025-03-27T16:40:15.737Z",
"dateUpdated": "2025-05-04T07:46:36.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-58091 (GCVE-0-2024-58091)
Vulnerability from cvelistv5
Published
2025-03-27 14:57
Modified
2025-07-06 09:08
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/fbdev-dma: Add shadow buffering for deferred I/O
DMA areas are not necessarily backed by struct page, so we cannot
rely on it for deferred I/O. Allocate a shadow buffer for drivers
that require deferred I/O and use it as framebuffer memory.
Fixes driver errors about being "Unable to handle kernel NULL pointer
dereference at virtual address" or "Unable to handle kernel paging
request at virtual address".
The patch splits drm_fbdev_dma_driver_fbdev_probe() in an initial
allocation, which creates the DMA-backed buffer object, and a tail
that sets up the fbdev data structures. There is a tail function for
direct memory mappings and a tail function for deferred I/O with
the shadow buffer.
It is no longer possible to use deferred I/O without shadow buffer.
It can be re-added if there exists a reliably test for usable struct
page in the allocated DMA-backed buffer object.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_fbdev_dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0d087de947babf7ed70029d042abcc6ed06ff415",
"status": "affected",
"version": "5ab91447aa13b8b98bc11f5326f33500b0ee2c48",
"versionType": "git"
},
{
"lessThan": "cdc581169942de3b9e2648cfbd98c5ff9111c2c8",
"status": "affected",
"version": "5ab91447aa13b8b98bc11f5326f33500b0ee2c48",
"versionType": "git"
},
{
"lessThan": "3603996432997f7c88da37a97062a46cda01ac9d",
"status": "affected",
"version": "5ab91447aa13b8b98bc11f5326f33500b0ee2c48",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_fbdev_dma.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.11"
},
{
"lessThan": "6.11",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.36",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.36",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.6",
"versionStartIncluding": "6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/fbdev-dma: Add shadow buffering for deferred I/O\n\nDMA areas are not necessarily backed by struct page, so we cannot\nrely on it for deferred I/O. Allocate a shadow buffer for drivers\nthat require deferred I/O and use it as framebuffer memory.\n\nFixes driver errors about being \"Unable to handle kernel NULL pointer\ndereference at virtual address\" or \"Unable to handle kernel paging\nrequest at virtual address\".\n\nThe patch splits drm_fbdev_dma_driver_fbdev_probe() in an initial\nallocation, which creates the DMA-backed buffer object, and a tail\nthat sets up the fbdev data structures. There is a tail function for\ndirect memory mappings and a tail function for deferred I/O with\nthe shadow buffer.\n\nIt is no longer possible to use deferred I/O without shadow buffer.\nIt can be re-added if there exists a reliably test for usable struct\npage in the allocated DMA-backed buffer object."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-06T09:08:48.847Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0d087de947babf7ed70029d042abcc6ed06ff415"
},
{
"url": "https://git.kernel.org/stable/c/cdc581169942de3b9e2648cfbd98c5ff9111c2c8"
},
{
"url": "https://git.kernel.org/stable/c/3603996432997f7c88da37a97062a46cda01ac9d"
}
],
"title": "drm/fbdev-dma: Add shadow buffering for deferred I/O",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2024-58091",
"datePublished": "2025-03-27T14:57:03.560Z",
"dateReserved": "2025-03-06T15:52:09.188Z",
"dateUpdated": "2025-07-06T09:08:48.847Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52929 (GCVE-0-2023-52929)
Vulnerability from cvelistv5
Published
2025-03-27 16:37
Modified
2025-05-04 07:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
nvmem: core: fix cleanup after dev_set_name()
If dev_set_name() fails, we leak nvmem->wp_gpio as the cleanup does not
put this. While a minimal fix for this would be to add the gpiod_put()
call, we can do better if we split device_register(), and use the
tested nvmem_release() cleanup code by initialising the device early,
and putting the device.
This results in a slightly larger fix, but results in clear code.
Note: this patch depends on "nvmem: core: initialise nvmem->id early"
and "nvmem: core: remove nvmem_config wp_gpio".
[Srini: Fixed subject line and error code handing with wp_gpio while applying.]
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/nvmem/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "23676ecd2eb377f7c24a6ff578b0f4c7135658b6",
"status": "affected",
"version": "a19a0f67dbb89ad2bfc466f2003841acba645884",
"versionType": "git"
},
{
"lessThan": "8f9c4b2a3b132bf6698e477aba6ee194b40c75f4",
"status": "affected",
"version": "14eea6449473c1f55e196cc104ba16d144465869",
"versionType": "git"
},
{
"lessThan": "39708bc8da7858de0bed9b3a88b3beb1d1e0b443",
"status": "affected",
"version": "5544e90c81261e82e02bbf7c6015a4b9c8c825ef",
"versionType": "git"
},
{
"lessThan": "560181d3ace61825f4ca9dd3481d6c0ee6709fa8",
"status": "affected",
"version": "5544e90c81261e82e02bbf7c6015a4b9c8c825ef",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/nvmem/core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmem: core: fix cleanup after dev_set_name()\n\nIf dev_set_name() fails, we leak nvmem-\u003ewp_gpio as the cleanup does not\nput this. While a minimal fix for this would be to add the gpiod_put()\ncall, we can do better if we split device_register(), and use the\ntested nvmem_release() cleanup code by initialising the device early,\nand putting the device.\n\nThis results in a slightly larger fix, but results in clear code.\n\nNote: this patch depends on \"nvmem: core: initialise nvmem-\u003eid early\"\nand \"nvmem: core: remove nvmem_config wp_gpio\".\n\n[Srini: Fixed subject line and error code handing with wp_gpio while applying.]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:46:12.575Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/23676ecd2eb377f7c24a6ff578b0f4c7135658b6"
},
{
"url": "https://git.kernel.org/stable/c/8f9c4b2a3b132bf6698e477aba6ee194b40c75f4"
},
{
"url": "https://git.kernel.org/stable/c/39708bc8da7858de0bed9b3a88b3beb1d1e0b443"
},
{
"url": "https://git.kernel.org/stable/c/560181d3ace61825f4ca9dd3481d6c0ee6709fa8"
}
],
"title": "nvmem: core: fix cleanup after dev_set_name()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52929",
"datePublished": "2025-03-27T16:37:11.396Z",
"dateReserved": "2024-08-21T06:07:11.018Z",
"dateUpdated": "2025-05-04T07:46:12.575Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52993 (GCVE-0-2023-52993)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL
Baoquan reported that after triggering a crash the subsequent crash-kernel
fails to boot about half of the time. It triggers a NULL pointer
dereference in the periodic tick code.
This happens because the legacy timer interrupt (IRQ0) is resent in
software which happens in soft interrupt (tasklet) context. In this context
get_irq_regs() returns NULL which leads to the NULL pointer dereference.
The reason for the resend is a spurious APIC interrupt on the IRQ0 vector
which is captured and leads to a resend when the legacy timer interrupt is
enabled. This is wrong because the legacy PIC interrupts are level
triggered and therefore should never be resent in software, but nothing
ever sets the IRQ_LEVEL flag on those interrupts, so the core code does not
know about their trigger type.
Ensure that IRQ_LEVEL is set when the legacy PCI interrupts are set up.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: a4633adcdbc15ac51afcd0e1395de58cee27cf92 Version: a4633adcdbc15ac51afcd0e1395de58cee27cf92 Version: a4633adcdbc15ac51afcd0e1395de58cee27cf92 Version: a4633adcdbc15ac51afcd0e1395de58cee27cf92 Version: a4633adcdbc15ac51afcd0e1395de58cee27cf92 Version: a4633adcdbc15ac51afcd0e1395de58cee27cf92 Version: a4633adcdbc15ac51afcd0e1395de58cee27cf92 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/i8259.c",
"arch/x86/kernel/irqinit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "744fe9be9665227335539b7a77ece8d9ff62b6c0",
"status": "affected",
"version": "a4633adcdbc15ac51afcd0e1395de58cee27cf92",
"versionType": "git"
},
{
"lessThan": "496975d1a2937f4baadf3d985991b13fc4fc4f27",
"status": "affected",
"version": "a4633adcdbc15ac51afcd0e1395de58cee27cf92",
"versionType": "git"
},
{
"lessThan": "8770cd9d7c14aa99c255a0d08186f0be953e1638",
"status": "affected",
"version": "a4633adcdbc15ac51afcd0e1395de58cee27cf92",
"versionType": "git"
},
{
"lessThan": "e284c273dbb4c1ed68d4204bff94d0b10e4a90f5",
"status": "affected",
"version": "a4633adcdbc15ac51afcd0e1395de58cee27cf92",
"versionType": "git"
},
{
"lessThan": "0b08201158f177aab469e356b4d6af24fdd118df",
"status": "affected",
"version": "a4633adcdbc15ac51afcd0e1395de58cee27cf92",
"versionType": "git"
},
{
"lessThan": "137f1b47da5f58805da42c1b7811e28c1e353f39",
"status": "affected",
"version": "a4633adcdbc15ac51afcd0e1395de58cee27cf92",
"versionType": "git"
},
{
"lessThan": "5fa55950729d0762a787451dc52862c3f850f859",
"status": "affected",
"version": "a4633adcdbc15ac51afcd0e1395de58cee27cf92",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kernel/i8259.c",
"arch/x86/kernel/irqinit.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.18"
},
{
"lessThan": "2.6.18",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.305",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.272",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.305",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.272",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "2.6.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "2.6.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL\n\nBaoquan reported that after triggering a crash the subsequent crash-kernel\nfails to boot about half of the time. It triggers a NULL pointer\ndereference in the periodic tick code.\n\nThis happens because the legacy timer interrupt (IRQ0) is resent in\nsoftware which happens in soft interrupt (tasklet) context. In this context\nget_irq_regs() returns NULL which leads to the NULL pointer dereference.\n\nThe reason for the resend is a spurious APIC interrupt on the IRQ0 vector\nwhich is captured and leads to a resend when the legacy timer interrupt is\nenabled. This is wrong because the legacy PIC interrupts are level\ntriggered and therefore should never be resent in software, but nothing\never sets the IRQ_LEVEL flag on those interrupts, so the core code does not\nknow about their trigger type.\n\nEnsure that IRQ_LEVEL is set when the legacy PCI interrupts are set up."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:05.179Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/744fe9be9665227335539b7a77ece8d9ff62b6c0"
},
{
"url": "https://git.kernel.org/stable/c/496975d1a2937f4baadf3d985991b13fc4fc4f27"
},
{
"url": "https://git.kernel.org/stable/c/8770cd9d7c14aa99c255a0d08186f0be953e1638"
},
{
"url": "https://git.kernel.org/stable/c/e284c273dbb4c1ed68d4204bff94d0b10e4a90f5"
},
{
"url": "https://git.kernel.org/stable/c/0b08201158f177aab469e356b4d6af24fdd118df"
},
{
"url": "https://git.kernel.org/stable/c/137f1b47da5f58805da42c1b7811e28c1e353f39"
},
{
"url": "https://git.kernel.org/stable/c/5fa55950729d0762a787451dc52862c3f850f859"
}
],
"title": "x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52993",
"datePublished": "2025-03-27T16:43:28.263Z",
"dateReserved": "2025-03-27T16:40:15.742Z",
"dateUpdated": "2025-05-04T07:47:05.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21888 (GCVE-0-2025-21888)
Vulnerability from cvelistv5
Published
2025-03-27 14:57
Modified
2025-05-04 07:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/mlx5: Fix a WARN during dereg_mr for DM type
Memory regions (MR) of type DM (device memory) do not have an associated
umem.
In the __mlx5_ib_dereg_mr() -> mlx5_free_priv_descs() flow, the code
incorrectly takes the wrong branch, attempting to call
dma_unmap_single() on a DMA address that is not mapped.
This results in a WARN [1], as shown below.
The issue is resolved by properly accounting for the DM type and
ensuring the correct branch is selected in mlx5_free_priv_descs().
[1]
WARNING: CPU: 12 PID: 1346 at drivers/iommu/dma-iommu.c:1230 iommu_dma_unmap_page+0x79/0x90
Modules linked in: ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry ovelay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core fuse mlx5_core
CPU: 12 UID: 0 PID: 1346 Comm: ibv_rc_pingpong Not tainted 6.12.0-rc7+ #1631
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:iommu_dma_unmap_page+0x79/0x90
Code: 2b 49 3b 29 72 26 49 3b 69 08 73 20 4d 89 f0 44 89 e9 4c 89 e2 48 89 ee 48 89 df 5b 5d 41 5c 41 5d 41 5e 41 5f e9 07 b8 88 ff <0f> 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 66 0f 1f 44 00
RSP: 0018:ffffc90001913a10 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff88810194b0a8 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
RBP: ffff88810194b0a8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
FS: 00007f537abdd740(0000) GS:ffff88885fb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f537aeb8000 CR3: 000000010c248001 CR4: 0000000000372eb0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? __warn+0x84/0x190
? iommu_dma_unmap_page+0x79/0x90
? report_bug+0xf8/0x1c0
? handle_bug+0x55/0x90
? exc_invalid_op+0x13/0x60
? asm_exc_invalid_op+0x16/0x20
? iommu_dma_unmap_page+0x79/0x90
dma_unmap_page_attrs+0xe6/0x290
mlx5_free_priv_descs+0xb0/0xe0 [mlx5_ib]
__mlx5_ib_dereg_mr+0x37e/0x520 [mlx5_ib]
? _raw_spin_unlock_irq+0x24/0x40
? wait_for_completion+0xfe/0x130
? rdma_restrack_put+0x63/0xe0 [ib_core]
ib_dereg_mr_user+0x5f/0x120 [ib_core]
? lock_release+0xc6/0x280
destroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs]
uverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs]
uobj_destroy+0x3f/0x70 [ib_uverbs]
ib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs]
? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs]
? lock_acquire+0xc1/0x2f0
? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]
? ib_uverbs_ioctl+0x116/0x170 [ib_uverbs]
? lock_release+0xc6/0x280
ib_uverbs_ioctl+0xe7/0x170 [ib_uverbs]
? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]
__x64_sys_ioctl+0x1b0/0xa70
do_syscall_64+0x6b/0x140
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f537adaf17b
Code: 0f 1e fa 48 8b 05 1d ad 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ed ac 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffff218f0b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffff218f1d8 RCX: 00007f537adaf17b
RDX: 00007ffff218f1c0 RSI: 00000000c0181b01 RDI: 0000000000000003
RBP: 00007ffff218f1a0 R08: 00007f537aa8d010 R09: 0000561ee2e4f270
R10: 00007f537aace3a8 R11: 0000000000000246 R12: 00007ffff218f190
R13: 000000000000001c R14: 0000561ee2e4d7c0 R15: 00007ffff218f450
</TASK>
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mlx5/mr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0bd34bdd468e93a779c403de3cf7d43ee633b3e0",
"status": "affected",
"version": "f18ec422311767738ef4033b61e91cae07163b22",
"versionType": "git"
},
{
"lessThan": "f1298cad47ae29828c5c5be77e733ccfcaef6a7f",
"status": "affected",
"version": "f18ec422311767738ef4033b61e91cae07163b22",
"versionType": "git"
},
{
"lessThan": "abc7b3f1f056d69a8f11d6dceecc0c9549ace770",
"status": "affected",
"version": "f18ec422311767738ef4033b61e91cae07163b22",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/mlx5/mr.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.18",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.6",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix a WARN during dereg_mr for DM type\n\nMemory regions (MR) of type DM (device memory) do not have an associated\numem.\n\nIn the __mlx5_ib_dereg_mr() -\u003e mlx5_free_priv_descs() flow, the code\nincorrectly takes the wrong branch, attempting to call\ndma_unmap_single() on a DMA address that is not mapped.\n\nThis results in a WARN [1], as shown below.\n\nThe issue is resolved by properly accounting for the DM type and\nensuring the correct branch is selected in mlx5_free_priv_descs().\n\n[1]\nWARNING: CPU: 12 PID: 1346 at drivers/iommu/dma-iommu.c:1230 iommu_dma_unmap_page+0x79/0x90\nModules linked in: ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry ovelay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core fuse mlx5_core\nCPU: 12 UID: 0 PID: 1346 Comm: ibv_rc_pingpong Not tainted 6.12.0-rc7+ #1631\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:iommu_dma_unmap_page+0x79/0x90\nCode: 2b 49 3b 29 72 26 49 3b 69 08 73 20 4d 89 f0 44 89 e9 4c 89 e2 48 89 ee 48 89 df 5b 5d 41 5c 41 5d 41 5e 41 5f e9 07 b8 88 ff \u003c0f\u003e 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 66 0f 1f 44 00\nRSP: 0018:ffffc90001913a10 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff88810194b0a8 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001\nRBP: ffff88810194b0a8 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000\nR13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000\nFS: 00007f537abdd740(0000) GS:ffff88885fb00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f537aeb8000 CR3: 000000010c248001 CR4: 0000000000372eb0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\u003cTASK\u003e\n? __warn+0x84/0x190\n? iommu_dma_unmap_page+0x79/0x90\n? report_bug+0xf8/0x1c0\n? handle_bug+0x55/0x90\n? exc_invalid_op+0x13/0x60\n? asm_exc_invalid_op+0x16/0x20\n? iommu_dma_unmap_page+0x79/0x90\ndma_unmap_page_attrs+0xe6/0x290\nmlx5_free_priv_descs+0xb0/0xe0 [mlx5_ib]\n__mlx5_ib_dereg_mr+0x37e/0x520 [mlx5_ib]\n? _raw_spin_unlock_irq+0x24/0x40\n? wait_for_completion+0xfe/0x130\n? rdma_restrack_put+0x63/0xe0 [ib_core]\nib_dereg_mr_user+0x5f/0x120 [ib_core]\n? lock_release+0xc6/0x280\ndestroy_hw_idr_uobject+0x1d/0x60 [ib_uverbs]\nuverbs_destroy_uobject+0x58/0x1d0 [ib_uverbs]\nuobj_destroy+0x3f/0x70 [ib_uverbs]\nib_uverbs_cmd_verbs+0x3e4/0xbb0 [ib_uverbs]\n? __pfx_uverbs_destroy_def_handler+0x10/0x10 [ib_uverbs]\n? lock_acquire+0xc1/0x2f0\n? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]\n? ib_uverbs_ioctl+0x116/0x170 [ib_uverbs]\n? lock_release+0xc6/0x280\nib_uverbs_ioctl+0xe7/0x170 [ib_uverbs]\n? ib_uverbs_ioctl+0xcb/0x170 [ib_uverbs]\n__x64_sys_ioctl+0x1b0/0xa70\ndo_syscall_64+0x6b/0x140\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7f537adaf17b\nCode: 0f 1e fa 48 8b 05 1d ad 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d ed ac 0c 00 f7 d8 64 89 01 48\nRSP: 002b:00007ffff218f0b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007ffff218f1d8 RCX: 00007f537adaf17b\nRDX: 00007ffff218f1c0 RSI: 00000000c0181b01 RDI: 0000000000000003\nRBP: 00007ffff218f1a0 R08: 00007f537aa8d010 R09: 0000561ee2e4f270\nR10: 00007f537aace3a8 R11: 0000000000000246 R12: 00007ffff218f190\nR13: 000000000000001c R14: 0000561ee2e4d7c0 R15: 00007ffff218f450\n\u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:23:23.287Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0bd34bdd468e93a779c403de3cf7d43ee633b3e0"
},
{
"url": "https://git.kernel.org/stable/c/f1298cad47ae29828c5c5be77e733ccfcaef6a7f"
},
{
"url": "https://git.kernel.org/stable/c/abc7b3f1f056d69a8f11d6dceecc0c9549ace770"
}
],
"title": "RDMA/mlx5: Fix a WARN during dereg_mr for DM type",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21888",
"datePublished": "2025-03-27T14:57:15.141Z",
"dateReserved": "2024-12-29T08:45:45.782Z",
"dateUpdated": "2025-05-04T07:23:23.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21871 (GCVE-0-2025-21871)
Vulnerability from cvelistv5
Published
2025-03-27 13:38
Modified
2025-05-04 07:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tee: optee: Fix supplicant wait loop
OP-TEE supplicant is a user-space daemon and it's possible for it
be hung or crashed or killed in the middle of processing an OP-TEE
RPC call. It becomes more complicated when there is incorrect shutdown
ordering of the supplicant process vs the OP-TEE client application which
can eventually lead to system hang-up waiting for the closure of the
client application.
Allow the client process waiting in kernel for supplicant response to
be killed rather than indefinitely waiting in an unkillable state. Also,
a normal uninterruptible wait should not have resulted in the hung-task
watchdog getting triggered, but the endless loop would.
This fixes issues observed during system reboot/shutdown when supplicant
got hung for some reason or gets crashed/killed which lead to client
getting hung in an unkillable state. It in turn lead to system being in
hung up state requiring hard power off/on to recover.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2 Version: 4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2 Version: 4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2 Version: 4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2 Version: 4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2 Version: 4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2 Version: 4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2 Version: 4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/tee/optee/supp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3eb4911364c764572e9db4ab900a57689a54e8ce",
"status": "affected",
"version": "4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2",
"versionType": "git"
},
{
"lessThan": "0180cf0373f84fff61b16f8c062553a13dd7cfca",
"status": "affected",
"version": "4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2",
"versionType": "git"
},
{
"lessThan": "c0a9a948159153be145f9471435695373904ee6d",
"status": "affected",
"version": "4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2",
"versionType": "git"
},
{
"lessThan": "ec18520f5edc20a00c34a8c9fdd6507c355e880f",
"status": "affected",
"version": "4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2",
"versionType": "git"
},
{
"lessThan": "d61cc1a435e6894bfb0dd3370c6f765d2d12825d",
"status": "affected",
"version": "4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2",
"versionType": "git"
},
{
"lessThan": "fd9d2d6124c293e40797a080adf8a9c237efd8b8",
"status": "affected",
"version": "4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2",
"versionType": "git"
},
{
"lessThan": "21234efe2a8474a6d2d01ea9573319de7858ce44",
"status": "affected",
"version": "4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2",
"versionType": "git"
},
{
"lessThan": "70b0d6b0a199c5a3ee6c72f5e61681ed6f759612",
"status": "affected",
"version": "4fb0a5eb364d239722e745c02aef0dbd4e0f1ad2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/tee/optee/supp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.12"
},
{
"lessThan": "4.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.179",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.80",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.291",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.235",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.179",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.130",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.80",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.17",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.5",
"versionStartIncluding": "4.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "4.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntee: optee: Fix supplicant wait loop\n\nOP-TEE supplicant is a user-space daemon and it\u0027s possible for it\nbe hung or crashed or killed in the middle of processing an OP-TEE\nRPC call. It becomes more complicated when there is incorrect shutdown\nordering of the supplicant process vs the OP-TEE client application which\ncan eventually lead to system hang-up waiting for the closure of the\nclient application.\n\nAllow the client process waiting in kernel for supplicant response to\nbe killed rather than indefinitely waiting in an unkillable state. Also,\na normal uninterruptible wait should not have resulted in the hung-task\nwatchdog getting triggered, but the endless loop would.\n\nThis fixes issues observed during system reboot/shutdown when supplicant\ngot hung for some reason or gets crashed/killed which lead to client\ngetting hung in an unkillable state. It in turn lead to system being in\nhung up state requiring hard power off/on to recover."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:22:55.829Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3eb4911364c764572e9db4ab900a57689a54e8ce"
},
{
"url": "https://git.kernel.org/stable/c/0180cf0373f84fff61b16f8c062553a13dd7cfca"
},
{
"url": "https://git.kernel.org/stable/c/c0a9a948159153be145f9471435695373904ee6d"
},
{
"url": "https://git.kernel.org/stable/c/ec18520f5edc20a00c34a8c9fdd6507c355e880f"
},
{
"url": "https://git.kernel.org/stable/c/d61cc1a435e6894bfb0dd3370c6f765d2d12825d"
},
{
"url": "https://git.kernel.org/stable/c/fd9d2d6124c293e40797a080adf8a9c237efd8b8"
},
{
"url": "https://git.kernel.org/stable/c/21234efe2a8474a6d2d01ea9573319de7858ce44"
},
{
"url": "https://git.kernel.org/stable/c/70b0d6b0a199c5a3ee6c72f5e61681ed6f759612"
}
],
"title": "tee: optee: Fix supplicant wait loop",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21871",
"datePublished": "2025-03-27T13:38:23.461Z",
"dateReserved": "2024-12-29T08:45:45.781Z",
"dateUpdated": "2025-05-04T07:22:55.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21876 (GCVE-0-2025-21876)
Vulnerability from cvelistv5
Published
2025-03-27 14:57
Modified
2025-05-04 07:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
iommu/vt-d: Fix suspicious RCU usage
Commit <d74169ceb0d2> ("iommu/vt-d: Allocate DMAR fault interrupts
locally") moved the call to enable_drhd_fault_handling() to a code
path that does not hold any lock while traversing the drhd list. Fix
it by ensuring the dmar_global_lock lock is held when traversing the
drhd list.
Without this fix, the following warning is triggered:
=============================
WARNING: suspicious RCU usage
6.14.0-rc3 #55 Not tainted
-----------------------------
drivers/iommu/intel/dmar.c:2046 RCU-list traversed in non-reader section!!
other info that might help us debug this:
rcu_scheduler_active = 1, debug_locks = 1
2 locks held by cpuhp/1/23:
#0: ffffffff84a67c50 (cpu_hotplug_lock){++++}-{0:0}, at: cpuhp_thread_fun+0x87/0x2c0
#1: ffffffff84a6a380 (cpuhp_state-up){+.+.}-{0:0}, at: cpuhp_thread_fun+0x87/0x2c0
stack backtrace:
CPU: 1 UID: 0 PID: 23 Comm: cpuhp/1 Not tainted 6.14.0-rc3 #55
Call Trace:
<TASK>
dump_stack_lvl+0xb7/0xd0
lockdep_rcu_suspicious+0x159/0x1f0
? __pfx_enable_drhd_fault_handling+0x10/0x10
enable_drhd_fault_handling+0x151/0x180
cpuhp_invoke_callback+0x1df/0x990
cpuhp_thread_fun+0x1ea/0x2c0
smpboot_thread_fn+0x1f5/0x2e0
? __pfx_smpboot_thread_fn+0x10/0x10
kthread+0x12a/0x2d0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x4a/0x60
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
Holding the lock in enable_drhd_fault_handling() triggers a lockdep splat
about a possible deadlock between dmar_global_lock and cpu_hotplug_lock.
This is avoided by not holding dmar_global_lock when calling
iommu_device_register(), which initiates the device probe process.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/iommu/intel/dmar.c",
"drivers/iommu/intel/iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4117c72938493a77ab53cc4b8284be8fb6ec8065",
"status": "affected",
"version": "d74169ceb0d2e32438946a2f1f9fc8c803304bd6",
"versionType": "git"
},
{
"lessThan": "c603ccbe91d189849e1439134598ec567088dcec",
"status": "affected",
"version": "d74169ceb0d2e32438946a2f1f9fc8c803304bd6",
"versionType": "git"
},
{
"lessThan": "b150654f74bf0df8e6a7936d5ec51400d9ec06d8",
"status": "affected",
"version": "d74169ceb0d2e32438946a2f1f9fc8c803304bd6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/iommu/intel/dmar.c",
"drivers/iommu/intel/iommu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.10"
},
{
"lessThan": "6.10",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.18",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.6",
"versionStartIncluding": "6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Fix suspicious RCU usage\n\nCommit \u003cd74169ceb0d2\u003e (\"iommu/vt-d: Allocate DMAR fault interrupts\nlocally\") moved the call to enable_drhd_fault_handling() to a code\npath that does not hold any lock while traversing the drhd list. Fix\nit by ensuring the dmar_global_lock lock is held when traversing the\ndrhd list.\n\nWithout this fix, the following warning is triggered:\n =============================\n WARNING: suspicious RCU usage\n 6.14.0-rc3 #55 Not tainted\n -----------------------------\n drivers/iommu/intel/dmar.c:2046 RCU-list traversed in non-reader section!!\n other info that might help us debug this:\n rcu_scheduler_active = 1, debug_locks = 1\n 2 locks held by cpuhp/1/23:\n #0: ffffffff84a67c50 (cpu_hotplug_lock){++++}-{0:0}, at: cpuhp_thread_fun+0x87/0x2c0\n #1: ffffffff84a6a380 (cpuhp_state-up){+.+.}-{0:0}, at: cpuhp_thread_fun+0x87/0x2c0\n stack backtrace:\n CPU: 1 UID: 0 PID: 23 Comm: cpuhp/1 Not tainted 6.14.0-rc3 #55\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0xb7/0xd0\n lockdep_rcu_suspicious+0x159/0x1f0\n ? __pfx_enable_drhd_fault_handling+0x10/0x10\n enable_drhd_fault_handling+0x151/0x180\n cpuhp_invoke_callback+0x1df/0x990\n cpuhp_thread_fun+0x1ea/0x2c0\n smpboot_thread_fn+0x1f5/0x2e0\n ? __pfx_smpboot_thread_fn+0x10/0x10\n kthread+0x12a/0x2d0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x4a/0x60\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n\nHolding the lock in enable_drhd_fault_handling() triggers a lockdep splat\nabout a possible deadlock between dmar_global_lock and cpu_hotplug_lock.\nThis is avoided by not holding dmar_global_lock when calling\niommu_device_register(), which initiates the device probe process."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:23:02.780Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4117c72938493a77ab53cc4b8284be8fb6ec8065"
},
{
"url": "https://git.kernel.org/stable/c/c603ccbe91d189849e1439134598ec567088dcec"
},
{
"url": "https://git.kernel.org/stable/c/b150654f74bf0df8e6a7936d5ec51400d9ec06d8"
}
],
"title": "iommu/vt-d: Fix suspicious RCU usage",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21876",
"datePublished": "2025-03-27T14:57:06.802Z",
"dateReserved": "2024-12-29T08:45:45.781Z",
"dateUpdated": "2025-05-04T07:23:02.780Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52999 (GCVE-0-2023-52999)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 12:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: fix UaF in netns ops registration error path
If net_assign_generic() fails, the current error path in ops_init() tries
to clear the gen pointer slot. Anyway, in such error path, the gen pointer
itself has not been modified yet, and the existing and accessed one is
smaller than the accessed index, causing an out-of-bounds error:
BUG: KASAN: slab-out-of-bounds in ops_init+0x2de/0x320
Write of size 8 at addr ffff888109124978 by task modprobe/1018
CPU: 2 PID: 1018 Comm: modprobe Not tainted 6.2.0-rc2.mptcp_ae5ac65fbed5+ #1641
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.1-2.fc37 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x6a/0x9f
print_address_description.constprop.0+0x86/0x2b5
print_report+0x11b/0x1fb
kasan_report+0x87/0xc0
ops_init+0x2de/0x320
register_pernet_operations+0x2e4/0x750
register_pernet_subsys+0x24/0x40
tcf_register_action+0x9f/0x560
do_one_initcall+0xf9/0x570
do_init_module+0x190/0x650
load_module+0x1fa5/0x23c0
__do_sys_finit_module+0x10d/0x1b0
do_syscall_64+0x58/0x80
entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f42518f778d
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48
89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 73 01 c3 48 8b 0d cb 56 2c 00 f7 d8 64 89 01 48
RSP: 002b:00007fff96869688 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 00005568ef7f7c90 RCX: 00007f42518f778d
RDX: 0000000000000000 RSI: 00005568ef41d796 RDI: 0000000000000003
RBP: 00005568ef41d796 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
R13: 00005568ef7f7d30 R14: 0000000000040000 R15: 0000000000000000
</TASK>
This change addresses the issue by skipping the gen pointer
de-reference in the mentioned error-path.
Found by code inspection and verified with explicit error injection
on a kasan-enabled kernel.
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 5a2ea549be94924364f6911227d99be86e8cf34a Version: 97ad240fd9aa9214497d14af2b91608e20856cac Version: c3edc6e808209aa705185f732e682a370981ced1 Version: a1e18acb0246bfb001b08b8b1b830b5ec92a0f13 Version: d266935ac43d57586e311a087510fe6a084af742 Version: d266935ac43d57586e311a087510fe6a084af742 Version: 4a4df5e78712de39d6f90d6a64b5eb48dca03bd5 |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-52999",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T16:59:38.580749Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T17:08:22.062Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/net_namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ad0dfe9bcf0d78e699c7efb64c90ed062dc48bea",
"status": "affected",
"version": "5a2ea549be94924364f6911227d99be86e8cf34a",
"versionType": "git"
},
{
"lessThan": "ddd49cbbd4c1ceb38032018b589b44208e54f55e",
"status": "affected",
"version": "97ad240fd9aa9214497d14af2b91608e20856cac",
"versionType": "git"
},
{
"lessThan": "d4c008f3b7f7d4ffd311eb2dae5e75b3cbddacd0",
"status": "affected",
"version": "c3edc6e808209aa705185f732e682a370981ced1",
"versionType": "git"
},
{
"lessThan": "66689a72ba73575e76d4f6a8748d3fa2690ec1c4",
"status": "affected",
"version": "a1e18acb0246bfb001b08b8b1b830b5ec92a0f13",
"versionType": "git"
},
{
"lessThan": "12075708f2e77ee6a9f8bb2cf512c38be3099794",
"status": "affected",
"version": "d266935ac43d57586e311a087510fe6a084af742",
"versionType": "git"
},
{
"lessThan": "71ab9c3e2253619136c31c89dbb2c69305cc89b1",
"status": "affected",
"version": "d266935ac43d57586e311a087510fe6a084af742",
"versionType": "git"
},
{
"status": "affected",
"version": "4a4df5e78712de39d6f90d6a64b5eb48dca03bd5",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/net_namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.272",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.272",
"versionStartIncluding": "4.19.264",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "5.4.223",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "5.10.153",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "5.15.77",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.0.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix UaF in netns ops registration error path\n\nIf net_assign_generic() fails, the current error path in ops_init() tries\nto clear the gen pointer slot. Anyway, in such error path, the gen pointer\nitself has not been modified yet, and the existing and accessed one is\nsmaller than the accessed index, causing an out-of-bounds error:\n\n BUG: KASAN: slab-out-of-bounds in ops_init+0x2de/0x320\n Write of size 8 at addr ffff888109124978 by task modprobe/1018\n\n CPU: 2 PID: 1018 Comm: modprobe Not tainted 6.2.0-rc2.mptcp_ae5ac65fbed5+ #1641\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.1-2.fc37 04/01/2014\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x6a/0x9f\n print_address_description.constprop.0+0x86/0x2b5\n print_report+0x11b/0x1fb\n kasan_report+0x87/0xc0\n ops_init+0x2de/0x320\n register_pernet_operations+0x2e4/0x750\n register_pernet_subsys+0x24/0x40\n tcf_register_action+0x9f/0x560\n do_one_initcall+0xf9/0x570\n do_init_module+0x190/0x650\n load_module+0x1fa5/0x23c0\n __do_sys_finit_module+0x10d/0x1b0\n do_syscall_64+0x58/0x80\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\n RIP: 0033:0x7f42518f778d\n Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48\n 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff\n ff 73 01 c3 48 8b 0d cb 56 2c 00 f7 d8 64 89 01 48\n RSP: 002b:00007fff96869688 EFLAGS: 00000246 ORIG_RAX: 0000000000000139\n RAX: ffffffffffffffda RBX: 00005568ef7f7c90 RCX: 00007f42518f778d\n RDX: 0000000000000000 RSI: 00005568ef41d796 RDI: 0000000000000003\n RBP: 00005568ef41d796 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000\n R13: 00005568ef7f7d30 R14: 0000000000040000 R15: 0000000000000000\n \u003c/TASK\u003e\n\nThis change addresses the issue by skipping the gen pointer\nde-reference in the mentioned error-path.\n\nFound by code inspection and verified with explicit error injection\non a kasan-enabled kernel."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:50:03.515Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ad0dfe9bcf0d78e699c7efb64c90ed062dc48bea"
},
{
"url": "https://git.kernel.org/stable/c/ddd49cbbd4c1ceb38032018b589b44208e54f55e"
},
{
"url": "https://git.kernel.org/stable/c/d4c008f3b7f7d4ffd311eb2dae5e75b3cbddacd0"
},
{
"url": "https://git.kernel.org/stable/c/66689a72ba73575e76d4f6a8748d3fa2690ec1c4"
},
{
"url": "https://git.kernel.org/stable/c/12075708f2e77ee6a9f8bb2cf512c38be3099794"
},
{
"url": "https://git.kernel.org/stable/c/71ab9c3e2253619136c31c89dbb2c69305cc89b1"
}
],
"title": "net: fix UaF in netns ops registration error path",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52999",
"datePublished": "2025-03-27T16:43:32.497Z",
"dateReserved": "2025-03-27T16:40:15.742Z",
"dateUpdated": "2025-05-04T12:50:03.515Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21885 (GCVE-0-2025-21885)
Vulnerability from cvelistv5
Published
2025-03-27 14:57
Modified
2025-05-04 07:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/bnxt_re: Fix the page details for the srq created by kernel consumers
While using nvme target with use_srq on, below kernel panic is noticed.
[ 549.698111] bnxt_en 0000:41:00.0 enp65s0np0: FEC autoneg off encoding: Clause 91 RS(544,514)
[ 566.393619] Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI
..
[ 566.393799] <TASK>
[ 566.393807] ? __die_body+0x1a/0x60
[ 566.393823] ? die+0x38/0x60
[ 566.393835] ? do_trap+0xe4/0x110
[ 566.393847] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]
[ 566.393867] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]
[ 566.393881] ? do_error_trap+0x7c/0x120
[ 566.393890] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]
[ 566.393911] ? exc_divide_error+0x34/0x50
[ 566.393923] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]
[ 566.393939] ? asm_exc_divide_error+0x16/0x20
[ 566.393966] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]
[ 566.393997] bnxt_qplib_create_srq+0xc9/0x340 [bnxt_re]
[ 566.394040] bnxt_re_create_srq+0x335/0x3b0 [bnxt_re]
[ 566.394057] ? srso_return_thunk+0x5/0x5f
[ 566.394068] ? __init_swait_queue_head+0x4a/0x60
[ 566.394090] ib_create_srq_user+0xa7/0x150 [ib_core]
[ 566.394147] nvmet_rdma_queue_connect+0x7d0/0xbe0 [nvmet_rdma]
[ 566.394174] ? lock_release+0x22c/0x3f0
[ 566.394187] ? srso_return_thunk+0x5/0x5f
Page size and shift info is set only for the user space SRQs.
Set page size and page shift for kernel space SRQs also.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/bnxt_re/ib_verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "722c3db62bf60cd23acbdc8c4f445bfedae4498e",
"status": "affected",
"version": "0c4dcd602817502bb3dced7a834a13ef717d65a4",
"versionType": "git"
},
{
"lessThan": "2cf8e6b52aecb8fbb71c41fe5add3212814031a2",
"status": "affected",
"version": "0c4dcd602817502bb3dced7a834a13ef717d65a4",
"versionType": "git"
},
{
"lessThan": "b66535356a4834a234f99e16a97eb51f2c6c5a7d",
"status": "affected",
"version": "0c4dcd602817502bb3dced7a834a13ef717d65a4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/hw/bnxt_re/ib_verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.7"
},
{
"lessThan": "5.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.18",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.6",
"versionStartIncluding": "5.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "5.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/bnxt_re: Fix the page details for the srq created by kernel consumers\n\nWhile using nvme target with use_srq on, below kernel panic is noticed.\n\n[ 549.698111] bnxt_en 0000:41:00.0 enp65s0np0: FEC autoneg off encoding: Clause 91 RS(544,514)\n[ 566.393619] Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI\n..\n[ 566.393799] \u003cTASK\u003e\n[ 566.393807] ? __die_body+0x1a/0x60\n[ 566.393823] ? die+0x38/0x60\n[ 566.393835] ? do_trap+0xe4/0x110\n[ 566.393847] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]\n[ 566.393867] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]\n[ 566.393881] ? do_error_trap+0x7c/0x120\n[ 566.393890] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]\n[ 566.393911] ? exc_divide_error+0x34/0x50\n[ 566.393923] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]\n[ 566.393939] ? asm_exc_divide_error+0x16/0x20\n[ 566.393966] ? bnxt_qplib_alloc_init_hwq+0x1d4/0x580 [bnxt_re]\n[ 566.393997] bnxt_qplib_create_srq+0xc9/0x340 [bnxt_re]\n[ 566.394040] bnxt_re_create_srq+0x335/0x3b0 [bnxt_re]\n[ 566.394057] ? srso_return_thunk+0x5/0x5f\n[ 566.394068] ? __init_swait_queue_head+0x4a/0x60\n[ 566.394090] ib_create_srq_user+0xa7/0x150 [ib_core]\n[ 566.394147] nvmet_rdma_queue_connect+0x7d0/0xbe0 [nvmet_rdma]\n[ 566.394174] ? lock_release+0x22c/0x3f0\n[ 566.394187] ? srso_return_thunk+0x5/0x5f\n\nPage size and shift info is set only for the user space SRQs.\nSet page size and page shift for kernel space SRQs also."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:23:19.467Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/722c3db62bf60cd23acbdc8c4f445bfedae4498e"
},
{
"url": "https://git.kernel.org/stable/c/2cf8e6b52aecb8fbb71c41fe5add3212814031a2"
},
{
"url": "https://git.kernel.org/stable/c/b66535356a4834a234f99e16a97eb51f2c6c5a7d"
}
],
"title": "RDMA/bnxt_re: Fix the page details for the srq created by kernel consumers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21885",
"datePublished": "2025-03-27T14:57:13.219Z",
"dateReserved": "2024-12-29T08:45:45.782Z",
"dateUpdated": "2025-05-04T07:23:19.467Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53001 (GCVE-0-2023-53001)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:47
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/drm_vma_manager: Add drm_vma_node_allow_once()
Currently there is no easy way for a drm driver to safely check and allow
drm_vma_offset_node for a drm file just once. Allow drm drivers to call
non-refcounted version of drm_vma_node_allow() so that a driver doesn't
need to keep track of each drm_vma_node_allow() to call subsequent
drm_vma_node_revoke() to prevent memory leak.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_vma_manager.c",
"include/drm/drm_vma_manager.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "67444f8ca31cdaf45e0b761241ad49b1ae04bcf9",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "899d3a3c19ac0e5da013ce34833dccb97d19b5e4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_vma_manager.c",
"include/drm/drm_vma_manager.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/drm_vma_manager: Add drm_vma_node_allow_once()\n\nCurrently there is no easy way for a drm driver to safely check and allow\ndrm_vma_offset_node for a drm file just once. Allow drm drivers to call\nnon-refcounted version of drm_vma_node_allow() so that a driver doesn\u0027t\nneed to keep track of each drm_vma_node_allow() to call subsequent\ndrm_vma_node_revoke() to prevent memory leak."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:47:16.708Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/67444f8ca31cdaf45e0b761241ad49b1ae04bcf9"
},
{
"url": "https://git.kernel.org/stable/c/899d3a3c19ac0e5da013ce34833dccb97d19b5e4"
}
],
"title": "drm/drm_vma_manager: Add drm_vma_node_allow_once()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53001",
"datePublished": "2025-03-27T16:43:33.829Z",
"dateReserved": "2025-03-27T16:40:15.744Z",
"dateUpdated": "2025-05-04T07:47:16.708Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49742 (GCVE-0-2022-49742)
Vulnerability from cvelistv5
Published
2025-03-27 16:42
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: initialize locks earlier in f2fs_fill_super()
syzbot is reporting lockdep warning at f2fs_handle_error() [1], for
spin_lock(&sbi->error_lock) is called before spin_lock_init() is called.
For safe locking in error handling, move initialization of locks (and
obvious structures) in f2fs_fill_super() to immediately after memory
allocation.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ddeff03bb33810fcf2f0c18e03d099cf0aacda62",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "92b4cf5b48955a4bdd15fe4e2067db8ebd87f04c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: initialize locks earlier in f2fs_fill_super()\n\nsyzbot is reporting lockdep warning at f2fs_handle_error() [1], for\nspin_lock(\u0026sbi-\u003eerror_lock) is called before spin_lock_init() is called.\nFor safe locking in error handling, move initialization of locks (and\nobvious structures) in f2fs_fill_super() to immediately after memory\nallocation."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:25.162Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ddeff03bb33810fcf2f0c18e03d099cf0aacda62"
},
{
"url": "https://git.kernel.org/stable/c/92b4cf5b48955a4bdd15fe4e2067db8ebd87f04c"
}
],
"title": "f2fs: initialize locks earlier in f2fs_fill_super()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49742",
"datePublished": "2025-03-27T16:42:53.656Z",
"dateReserved": "2025-03-27T16:39:17.986Z",
"dateUpdated": "2025-05-04T08:44:25.162Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52937 (GCVE-0-2023-52937)
Vulnerability from cvelistv5
Published
2025-03-27 16:37
Modified
2025-05-04 07:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HV: hv_balloon: fix memory leak with using debugfs_lookup()
When calling debugfs_lookup() the result must have dput() called on it,
otherwise the memory will leak over time. To make things simpler, just
call debugfs_lookup_and_remove() instead which handles all of the logic
at once.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hv/hv_balloon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0b570a059cf42ad6e2eb632f47c23813d58d8303",
"status": "affected",
"version": "d180e0a1be6cea2b7436fadbd1c96aecdf3c46c7",
"versionType": "git"
},
{
"lessThan": "6dfb0771429a63db8561d44147f2bb76f93e1c86",
"status": "affected",
"version": "d180e0a1be6cea2b7436fadbd1c96aecdf3c46c7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hv/hv_balloon.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHV: hv_balloon: fix memory leak with using debugfs_lookup()\n\nWhen calling debugfs_lookup() the result must have dput() called on it,\notherwise the memory will leak over time. To make things simpler, just\ncall debugfs_lookup_and_remove() instead which handles all of the logic\nat once."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:46:22.690Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0b570a059cf42ad6e2eb632f47c23813d58d8303"
},
{
"url": "https://git.kernel.org/stable/c/6dfb0771429a63db8561d44147f2bb76f93e1c86"
}
],
"title": "HV: hv_balloon: fix memory leak with using debugfs_lookup()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52937",
"datePublished": "2025-03-27T16:37:16.742Z",
"dateReserved": "2024-08-21T06:07:11.021Z",
"dateUpdated": "2025-05-04T07:46:22.690Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53026 (GCVE-0-2023-53026)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:48
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/core: Fix ib block iterator counter overflow
When registering a new DMA MR after selecting the best aligned page size
for it, we iterate over the given sglist to split each entry to smaller,
aligned to the selected page size, DMA blocks.
In given circumstances where the sg entry and page size fit certain
sizes and the sg entry is not aligned to the selected page size, the
total size of the aligned pages we need to cover the sg entry is >= 4GB.
Under this circumstances, while iterating page aligned blocks, the
counter responsible for counting how much we advanced from the start of
the sg entry is overflowed because its type is u32 and we pass 4GB in
size. This can lead to an infinite loop inside the iterator function
because the overflow prevents the counter to be larger
than the size of the sg entry.
Fix the presented problem by changing the advancement condition to
eliminate overflow.
Backtrace:
[ 192.374329] efa_reg_user_mr_dmabuf
[ 192.376783] efa_register_mr
[ 192.382579] pgsz_bitmap 0xfffff000 rounddown 0x80000000
[ 192.386423] pg_sz [0x80000000] umem_length[0xc0000000]
[ 192.392657] start 0x0 length 0xc0000000 params.page_shift 31 params.page_num 3
[ 192.399559] hp_cnt[3], pages_in_hp[524288]
[ 192.403690] umem->sgt_append.sgt.nents[1]
[ 192.407905] number entries: [1], pg_bit: [31]
[ 192.411397] biter->__sg_nents [1] biter->__sg [0000000008b0c5d8]
[ 192.415601] biter->__sg_advance [665837568] sg_dma_len[3221225472]
[ 192.419823] biter->__sg_nents [1] biter->__sg [0000000008b0c5d8]
[ 192.423976] biter->__sg_advance [2813321216] sg_dma_len[3221225472]
[ 192.428243] biter->__sg_nents [1] biter->__sg [0000000008b0c5d8]
[ 192.432397] biter->__sg_advance [665837568] sg_dma_len[3221225472]
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: a808273a495c657e33281b181fd7fcc2bb28f662 Version: a808273a495c657e33281b181fd7fcc2bb28f662 Version: a808273a495c657e33281b181fd7fcc2bb28f662 Version: a808273a495c657e33281b181fd7fcc2bb28f662 Version: a808273a495c657e33281b181fd7fcc2bb28f662 |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "902063a9fea5f8252df392ade746bc9cfd07a5ae",
"status": "affected",
"version": "a808273a495c657e33281b181fd7fcc2bb28f662",
"versionType": "git"
},
{
"lessThan": "d66c1d4178c219b6e7d7a6f714e3e3656faccc36",
"status": "affected",
"version": "a808273a495c657e33281b181fd7fcc2bb28f662",
"versionType": "git"
},
{
"lessThan": "362c9489720b31b6aa7491423ba65a4e98aa9838",
"status": "affected",
"version": "a808273a495c657e33281b181fd7fcc2bb28f662",
"versionType": "git"
},
{
"lessThan": "43811d07ea64366af8ec9e168c558ec51440c39e",
"status": "affected",
"version": "a808273a495c657e33281b181fd7fcc2bb28f662",
"versionType": "git"
},
{
"lessThan": "0afec5e9cea732cb47014655685a2a47fb180c31",
"status": "affected",
"version": "a808273a495c657e33281b181fd7fcc2bb28f662",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/verbs.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.2"
},
{
"lessThan": "5.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.231",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.231",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Fix ib block iterator counter overflow\n\nWhen registering a new DMA MR after selecting the best aligned page size\nfor it, we iterate over the given sglist to split each entry to smaller,\naligned to the selected page size, DMA blocks.\n\nIn given circumstances where the sg entry and page size fit certain\nsizes and the sg entry is not aligned to the selected page size, the\ntotal size of the aligned pages we need to cover the sg entry is \u003e= 4GB.\nUnder this circumstances, while iterating page aligned blocks, the\ncounter responsible for counting how much we advanced from the start of\nthe sg entry is overflowed because its type is u32 and we pass 4GB in\nsize. This can lead to an infinite loop inside the iterator function\nbecause the overflow prevents the counter to be larger\nthan the size of the sg entry.\n\nFix the presented problem by changing the advancement condition to\neliminate overflow.\n\nBacktrace:\n[ 192.374329] efa_reg_user_mr_dmabuf\n[ 192.376783] efa_register_mr\n[ 192.382579] pgsz_bitmap 0xfffff000 rounddown 0x80000000\n[ 192.386423] pg_sz [0x80000000] umem_length[0xc0000000]\n[ 192.392657] start 0x0 length 0xc0000000 params.page_shift 31 params.page_num 3\n[ 192.399559] hp_cnt[3], pages_in_hp[524288]\n[ 192.403690] umem-\u003esgt_append.sgt.nents[1]\n[ 192.407905] number entries: [1], pg_bit: [31]\n[ 192.411397] biter-\u003e__sg_nents [1] biter-\u003e__sg [0000000008b0c5d8]\n[ 192.415601] biter-\u003e__sg_advance [665837568] sg_dma_len[3221225472]\n[ 192.419823] biter-\u003e__sg_nents [1] biter-\u003e__sg [0000000008b0c5d8]\n[ 192.423976] biter-\u003e__sg_advance [2813321216] sg_dma_len[3221225472]\n[ 192.428243] biter-\u003e__sg_nents [1] biter-\u003e__sg [0000000008b0c5d8]\n[ 192.432397] biter-\u003e__sg_advance [665837568] sg_dma_len[3221225472]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:48:02.656Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/902063a9fea5f8252df392ade746bc9cfd07a5ae"
},
{
"url": "https://git.kernel.org/stable/c/d66c1d4178c219b6e7d7a6f714e3e3656faccc36"
},
{
"url": "https://git.kernel.org/stable/c/362c9489720b31b6aa7491423ba65a4e98aa9838"
},
{
"url": "https://git.kernel.org/stable/c/43811d07ea64366af8ec9e168c558ec51440c39e"
},
{
"url": "https://git.kernel.org/stable/c/0afec5e9cea732cb47014655685a2a47fb180c31"
}
],
"title": "RDMA/core: Fix ib block iterator counter overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53026",
"datePublished": "2025-03-27T16:43:51.194Z",
"dateReserved": "2025-03-27T16:40:15.756Z",
"dateUpdated": "2025-05-04T07:48:02.656Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21882 (GCVE-0-2025-21882)
Vulnerability from cvelistv5
Published
2025-03-27 14:57
Modified
2025-05-04 07:23
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Fix vport QoS cleanup on error
When enabling vport QoS fails, the scheduling node was never freed,
causing a leak.
Add the missing free and reset the vport scheduling node pointer to
NULL.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "fead368502bce0e10bea7c0d2895b2fa0c6c10aa",
"status": "affected",
"version": "be034baba83e2a80a0b2c0f24c08547b6eedc79a",
"versionType": "git"
},
{
"lessThan": "7f3528f7d2f98b70e19a6bb7b130fc82c079ac54",
"status": "affected",
"version": "be034baba83e2a80a0b2c0f24c08547b6eedc79a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.13"
},
{
"lessThan": "6.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.6",
"versionStartIncluding": "6.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Fix vport QoS cleanup on error\n\nWhen enabling vport QoS fails, the scheduling node was never freed,\ncausing a leak.\n\nAdd the missing free and reset the vport scheduling node pointer to\nNULL."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:23:15.528Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/fead368502bce0e10bea7c0d2895b2fa0c6c10aa"
},
{
"url": "https://git.kernel.org/stable/c/7f3528f7d2f98b70e19a6bb7b130fc82c079ac54"
}
],
"title": "net/mlx5: Fix vport QoS cleanup on error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21882",
"datePublished": "2025-03-27T14:57:10.906Z",
"dateReserved": "2024-12-29T08:45:45.782Z",
"dateUpdated": "2025-05-04T07:23:15.528Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-49749 (GCVE-0-2022-49749)
Vulnerability from cvelistv5
Published
2025-03-27 16:42
Modified
2025-05-04 08:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
i2c: designware: use casting of u64 in clock multiplication to avoid overflow
In functions i2c_dw_scl_lcnt() and i2c_dw_scl_hcnt() may have overflow
by depending on the values of the given parameters including the ic_clk.
For example in our use case where ic_clk is larger than one million,
multiplication of ic_clk * 4700 will result in 32 bit overflow.
Add cast of u64 to the calculation to avoid multiplication overflow, and
use the corresponding define for divide.
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-designware-common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ed173f77fd28a3e4fffc13b3f28687b9eba61157",
"status": "affected",
"version": "2373f6b9744d5373b886f3ce1a985193cca0a356",
"versionType": "git"
},
{
"lessThan": "2f29d780bd691d20e89e5b35d5e6568607115e94",
"status": "affected",
"version": "2373f6b9744d5373b886f3ce1a985193cca0a356",
"versionType": "git"
},
{
"lessThan": "9f36aae9e80e79b7a6d62227eaa96935166be9fe",
"status": "affected",
"version": "2373f6b9744d5373b886f3ce1a985193cca0a356",
"versionType": "git"
},
{
"lessThan": "c8c37bc514514999e62a17e95160ed9ebf75ca8d",
"status": "affected",
"version": "2373f6b9744d5373b886f3ce1a985193cca0a356",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-designware-common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.166",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.91",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.166",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.91",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.9",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: designware: use casting of u64 in clock multiplication to avoid overflow\n\nIn functions i2c_dw_scl_lcnt() and i2c_dw_scl_hcnt() may have overflow\nby depending on the values of the given parameters including the ic_clk.\nFor example in our use case where ic_clk is larger than one million,\nmultiplication of ic_clk * 4700 will result in 32 bit overflow.\n\nAdd cast of u64 to the calculation to avoid multiplication overflow, and\nuse the corresponding define for divide."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:44:33.757Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ed173f77fd28a3e4fffc13b3f28687b9eba61157"
},
{
"url": "https://git.kernel.org/stable/c/2f29d780bd691d20e89e5b35d5e6568607115e94"
},
{
"url": "https://git.kernel.org/stable/c/9f36aae9e80e79b7a6d62227eaa96935166be9fe"
},
{
"url": "https://git.kernel.org/stable/c/c8c37bc514514999e62a17e95160ed9ebf75ca8d"
}
],
"title": "i2c: designware: use casting of u64 in clock multiplication to avoid overflow",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49749",
"datePublished": "2025-03-27T16:42:58.426Z",
"dateReserved": "2025-03-27T16:39:17.988Z",
"dateUpdated": "2025-05-04T08:44:33.757Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52934 (GCVE-0-2023-52934)
Vulnerability from cvelistv5
Published
2025-03-27 16:37
Modified
2025-05-04 07:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
mm/MADV_COLLAPSE: catch !none !huge !bad pmd lookups
In commit 34488399fa08 ("mm/madvise: add file and shmem support to
MADV_COLLAPSE") we make the following change to find_pmd_or_thp_or_none():
- if (!pmd_present(pmde))
- return SCAN_PMD_NULL;
+ if (pmd_none(pmde))
+ return SCAN_PMD_NONE;
This was for-use by MADV_COLLAPSE file/shmem codepaths, where
MADV_COLLAPSE might identify a pte-mapped hugepage, only to have
khugepaged race-in, free the pte table, and clear the pmd. Such codepaths
include:
A) If we find a suitably-aligned compound page of order HPAGE_PMD_ORDER
already in the pagecache.
B) In retract_page_tables(), if we fail to grab mmap_lock for the target
mm/address.
In these cases, collapse_pte_mapped_thp() really does expect a none (not
just !present) pmd, and we want to suitably identify that case separate
from the case where no pmd is found, or it's a bad-pmd (of course, many
things could happen once we drop mmap_lock, and the pmd could plausibly
undergo multiple transitions due to intervening fault, split, etc).
Regardless, the code is prepared install a huge-pmd only when the existing
pmd entry is either a genuine pte-table-mapping-pmd, or the none-pmd.
However, the commit introduces a logical hole; namely, that we've allowed
!none- && !huge- && !bad-pmds to be classified as genuine
pte-table-mapping-pmds. One such example that could leak through are swap
entries. The pmd values aren't checked again before use in
pte_offset_map_lock(), which is expecting nothing less than a genuine
pte-table-mapping-pmd.
We want to put back the !pmd_present() check (below the pmd_none() check),
but need to be careful to deal with subtleties in pmd transitions and
treatments by various arch.
The issue is that __split_huge_pmd_locked() temporarily clears the present
bit (or otherwise marks the entry as invalid), but pmd_present() and
pmd_trans_huge() still need to return true while the pmd is in this
transitory state. For example, x86's pmd_present() also checks the
_PAGE_PSE , riscv's version also checks the _PAGE_LEAF bit, and arm64 also
checks a PMD_PRESENT_INVALID bit.
Covering all 4 cases for x86 (all checks done on the same pmd value):
1) pmd_present() && pmd_trans_huge()
All we actually know here is that the PSE bit is set. Either:
a) We aren't racing with __split_huge_page(), and PRESENT or PROTNONE
is set.
=> huge-pmd
b) We are currently racing with __split_huge_page(). The danger here
is that we proceed as-if we have a huge-pmd, but really we are
looking at a pte-mapping-pmd. So, what is the risk of this
danger?
The only relevant path is:
madvise_collapse() -> collapse_pte_mapped_thp()
Where we might just incorrectly report back "success", when really
the memory isn't pmd-backed. This is fine, since split could
happen immediately after (actually) successful madvise_collapse().
So, it should be safe to just assume huge-pmd here.
2) pmd_present() && !pmd_trans_huge()
Either:
a) PSE not set and either PRESENT or PROTNONE is.
=> pte-table-mapping pmd (or PROT_NONE)
b) devmap. This routine can be called immediately after
unlocking/locking mmap_lock -- or called with no locks held (see
khugepaged_scan_mm_slot()), so previous VMA checks have since been
invalidated.
3) !pmd_present() && pmd_trans_huge()
Not possible.
4) !pmd_present() && !pmd_trans_huge()
Neither PRESENT nor PROTNONE set
=> not present
I've checked all archs that implement pmd_trans_huge() (arm64, riscv,
powerpc, longarch, x86, mips, s390) and this logic roughly translates
(though devmap treatment is unique to x86 and powerpc, and (3) doesn't
necessarily hold in general -- but that doesn't matter since
!pmd_present() always takes failure path).
Also, add a comment above find_pmd_or_thp_or_none()
---truncated---
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"mm/khugepaged.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "96aaaf8666010a39430cecf8a65c7ce2908a030f",
"status": "affected",
"version": "34488399fa08faaf664743fa54b271eb6f9e1321",
"versionType": "git"
},
{
"lessThan": "edb5d0cf5525357652aff6eacd9850b8ced07143",
"status": "affected",
"version": "34488399fa08faaf664743fa54b271eb6f9e1321",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"mm/khugepaged.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.1"
},
{
"lessThan": "6.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.11",
"versionStartIncluding": "6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/MADV_COLLAPSE: catch !none !huge !bad pmd lookups\n\nIn commit 34488399fa08 (\"mm/madvise: add file and shmem support to\nMADV_COLLAPSE\") we make the following change to find_pmd_or_thp_or_none():\n\n\t- if (!pmd_present(pmde))\n\t- return SCAN_PMD_NULL;\n\t+ if (pmd_none(pmde))\n\t+ return SCAN_PMD_NONE;\n\nThis was for-use by MADV_COLLAPSE file/shmem codepaths, where\nMADV_COLLAPSE might identify a pte-mapped hugepage, only to have\nkhugepaged race-in, free the pte table, and clear the pmd. Such codepaths\ninclude:\n\nA) If we find a suitably-aligned compound page of order HPAGE_PMD_ORDER\n already in the pagecache.\nB) In retract_page_tables(), if we fail to grab mmap_lock for the target\n mm/address.\n\nIn these cases, collapse_pte_mapped_thp() really does expect a none (not\njust !present) pmd, and we want to suitably identify that case separate\nfrom the case where no pmd is found, or it\u0027s a bad-pmd (of course, many\nthings could happen once we drop mmap_lock, and the pmd could plausibly\nundergo multiple transitions due to intervening fault, split, etc). \nRegardless, the code is prepared install a huge-pmd only when the existing\npmd entry is either a genuine pte-table-mapping-pmd, or the none-pmd.\n\nHowever, the commit introduces a logical hole; namely, that we\u0027ve allowed\n!none- \u0026\u0026 !huge- \u0026\u0026 !bad-pmds to be classified as genuine\npte-table-mapping-pmds. One such example that could leak through are swap\nentries. The pmd values aren\u0027t checked again before use in\npte_offset_map_lock(), which is expecting nothing less than a genuine\npte-table-mapping-pmd.\n\nWe want to put back the !pmd_present() check (below the pmd_none() check),\nbut need to be careful to deal with subtleties in pmd transitions and\ntreatments by various arch.\n\nThe issue is that __split_huge_pmd_locked() temporarily clears the present\nbit (or otherwise marks the entry as invalid), but pmd_present() and\npmd_trans_huge() still need to return true while the pmd is in this\ntransitory state. For example, x86\u0027s pmd_present() also checks the\n_PAGE_PSE , riscv\u0027s version also checks the _PAGE_LEAF bit, and arm64 also\nchecks a PMD_PRESENT_INVALID bit.\n\nCovering all 4 cases for x86 (all checks done on the same pmd value):\n\n1) pmd_present() \u0026\u0026 pmd_trans_huge()\n All we actually know here is that the PSE bit is set. Either:\n a) We aren\u0027t racing with __split_huge_page(), and PRESENT or PROTNONE\n is set.\n =\u003e huge-pmd\n b) We are currently racing with __split_huge_page(). The danger here\n is that we proceed as-if we have a huge-pmd, but really we are\n looking at a pte-mapping-pmd. So, what is the risk of this\n danger?\n\n The only relevant path is:\n\n\tmadvise_collapse() -\u003e collapse_pte_mapped_thp()\n\n Where we might just incorrectly report back \"success\", when really\n the memory isn\u0027t pmd-backed. This is fine, since split could\n happen immediately after (actually) successful madvise_collapse().\n So, it should be safe to just assume huge-pmd here.\n\n2) pmd_present() \u0026\u0026 !pmd_trans_huge()\n Either:\n a) PSE not set and either PRESENT or PROTNONE is.\n =\u003e pte-table-mapping pmd (or PROT_NONE)\n b) devmap. This routine can be called immediately after\n unlocking/locking mmap_lock -- or called with no locks held (see\n khugepaged_scan_mm_slot()), so previous VMA checks have since been\n invalidated.\n\n3) !pmd_present() \u0026\u0026 pmd_trans_huge()\n Not possible.\n\n4) !pmd_present() \u0026\u0026 !pmd_trans_huge()\n Neither PRESENT nor PROTNONE set\n =\u003e not present\n\nI\u0027ve checked all archs that implement pmd_trans_huge() (arm64, riscv,\npowerpc, longarch, x86, mips, s390) and this logic roughly translates\n(though devmap treatment is unique to x86 and powerpc, and (3) doesn\u0027t\nnecessarily hold in general -- but that doesn\u0027t matter since\n!pmd_present() always takes failure path).\n\nAlso, add a comment above find_pmd_or_thp_or_none()\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:46:19.066Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/96aaaf8666010a39430cecf8a65c7ce2908a030f"
},
{
"url": "https://git.kernel.org/stable/c/edb5d0cf5525357652aff6eacd9850b8ced07143"
}
],
"title": "mm/MADV_COLLAPSE: catch !none !huge !bad pmd lookups",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52934",
"datePublished": "2025-03-27T16:37:14.857Z",
"dateReserved": "2024-08-21T06:07:11.020Z",
"dateUpdated": "2025-05-04T07:46:19.066Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-21873 (GCVE-0-2025-21873)
Vulnerability from cvelistv5
Published
2025-03-27 14:57
Modified
2025-05-04 07:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
scsi: ufs: core: bsg: Fix crash when arpmb command fails
If the device doesn't support arpmb we'll crash due to copying user data in
bsg_transport_sg_io_fn().
In the case where ufs_bsg_exec_advanced_rpmb_req() returns an error, do not
set the job's reply_len.
Memory crash backtrace:
3,1290,531166405,-;ufshcd 0000:00:12.5: ARPMB OP failed: error code -22
4,1308,531166555,-;Call Trace:
4,1309,531166559,-; <TASK>
4,1310,531166565,-; ? show_regs+0x6d/0x80
4,1311,531166575,-; ? die+0x37/0xa0
4,1312,531166583,-; ? do_trap+0xd4/0xf0
4,1313,531166593,-; ? do_error_trap+0x71/0xb0
4,1314,531166601,-; ? usercopy_abort+0x6c/0x80
4,1315,531166610,-; ? exc_invalid_op+0x52/0x80
4,1316,531166622,-; ? usercopy_abort+0x6c/0x80
4,1317,531166630,-; ? asm_exc_invalid_op+0x1b/0x20
4,1318,531166643,-; ? usercopy_abort+0x6c/0x80
4,1319,531166652,-; __check_heap_object+0xe3/0x120
4,1320,531166661,-; check_heap_object+0x185/0x1d0
4,1321,531166670,-; __check_object_size.part.0+0x72/0x150
4,1322,531166679,-; __check_object_size+0x23/0x30
4,1323,531166688,-; bsg_transport_sg_io_fn+0x314/0x3b0
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/ufs/core/ufs_bsg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "32fb5ec825f6f76bc28902181c65429a904a07fe",
"status": "affected",
"version": "6ff265fc5ef660499e0edc4641647e99eed3f519",
"versionType": "git"
},
{
"lessThan": "59455f968c1004ed897ba873237657745d81ce0f",
"status": "affected",
"version": "6ff265fc5ef660499e0edc4641647e99eed3f519",
"versionType": "git"
},
{
"lessThan": "7e3c96ff5c5f3206984ed077b2aa8c9b7c4e0327",
"status": "affected",
"version": "6ff265fc5ef660499e0edc4641647e99eed3f519",
"versionType": "git"
},
{
"lessThan": "f27a95845b01e86d67c8b014b4f41bd3327daa63",
"status": "affected",
"version": "6ff265fc5ef660499e0edc4641647e99eed3f519",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/ufs/core/ufs_bsg.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.14",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.81",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.18",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.6",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: bsg: Fix crash when arpmb command fails\n\nIf the device doesn\u0027t support arpmb we\u0027ll crash due to copying user data in\nbsg_transport_sg_io_fn().\n\nIn the case where ufs_bsg_exec_advanced_rpmb_req() returns an error, do not\nset the job\u0027s reply_len.\n\nMemory crash backtrace:\n3,1290,531166405,-;ufshcd 0000:00:12.5: ARPMB OP failed: error code -22\n\n4,1308,531166555,-;Call Trace:\n\n4,1309,531166559,-; \u003cTASK\u003e\n\n4,1310,531166565,-; ? show_regs+0x6d/0x80\n\n4,1311,531166575,-; ? die+0x37/0xa0\n\n4,1312,531166583,-; ? do_trap+0xd4/0xf0\n\n4,1313,531166593,-; ? do_error_trap+0x71/0xb0\n\n4,1314,531166601,-; ? usercopy_abort+0x6c/0x80\n\n4,1315,531166610,-; ? exc_invalid_op+0x52/0x80\n\n4,1316,531166622,-; ? usercopy_abort+0x6c/0x80\n\n4,1317,531166630,-; ? asm_exc_invalid_op+0x1b/0x20\n\n4,1318,531166643,-; ? usercopy_abort+0x6c/0x80\n\n4,1319,531166652,-; __check_heap_object+0xe3/0x120\n\n4,1320,531166661,-; check_heap_object+0x185/0x1d0\n\n4,1321,531166670,-; __check_object_size.part.0+0x72/0x150\n\n4,1322,531166679,-; __check_object_size+0x23/0x30\n\n4,1323,531166688,-; bsg_transport_sg_io_fn+0x314/0x3b0"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:22:58.528Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/32fb5ec825f6f76bc28902181c65429a904a07fe"
},
{
"url": "https://git.kernel.org/stable/c/59455f968c1004ed897ba873237657745d81ce0f"
},
{
"url": "https://git.kernel.org/stable/c/7e3c96ff5c5f3206984ed077b2aa8c9b7c4e0327"
},
{
"url": "https://git.kernel.org/stable/c/f27a95845b01e86d67c8b014b4f41bd3327daa63"
}
],
"title": "scsi: ufs: core: bsg: Fix crash when arpmb command fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-21873",
"datePublished": "2025-03-27T14:57:04.835Z",
"dateReserved": "2024-12-29T08:45:45.781Z",
"dateUpdated": "2025-05-04T07:22:58.528Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-53031 (GCVE-0-2023-53031)
Vulnerability from cvelistv5
Published
2025-03-27 16:43
Modified
2025-05-04 07:48
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
powerpc/imc-pmu: Fix use of mutex in IRQs disabled section
Current imc-pmu code triggers a WARNING with CONFIG_DEBUG_ATOMIC_SLEEP
and CONFIG_PROVE_LOCKING enabled, while running a thread_imc event.
Command to trigger the warning:
# perf stat -e thread_imc/CPM_CS_FROM_L4_MEM_X_DPTEG/ sleep 5
Performance counter stats for 'sleep 5':
0 thread_imc/CPM_CS_FROM_L4_MEM_X_DPTEG/
5.002117947 seconds time elapsed
0.000131000 seconds user
0.001063000 seconds sys
Below is snippet of the warning in dmesg:
BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 2869, name: perf-exec
preempt_count: 2, expected: 0
4 locks held by perf-exec/2869:
#0: c00000004325c540 (&sig->cred_guard_mutex){+.+.}-{3:3}, at: bprm_execve+0x64/0xa90
#1: c00000004325c5d8 (&sig->exec_update_lock){++++}-{3:3}, at: begin_new_exec+0x460/0xef0
#2: c0000003fa99d4e0 (&cpuctx_lock){-...}-{2:2}, at: perf_event_exec+0x290/0x510
#3: c000000017ab8418 (&ctx->lock){....}-{2:2}, at: perf_event_exec+0x29c/0x510
irq event stamp: 4806
hardirqs last enabled at (4805): [<c000000000f65b94>] _raw_spin_unlock_irqrestore+0x94/0xd0
hardirqs last disabled at (4806): [<c0000000003fae44>] perf_event_exec+0x394/0x510
softirqs last enabled at (0): [<c00000000013c404>] copy_process+0xc34/0x1ff0
softirqs last disabled at (0): [<0000000000000000>] 0x0
CPU: 36 PID: 2869 Comm: perf-exec Not tainted 6.2.0-rc2-00011-g1247637727f2 #61
Hardware name: 8375-42A POWER9 0x4e1202 opal:v7.0-16-g9b85f7d961 PowerNV
Call Trace:
dump_stack_lvl+0x98/0xe0 (unreliable)
__might_resched+0x2f8/0x310
__mutex_lock+0x6c/0x13f0
thread_imc_event_add+0xf4/0x1b0
event_sched_in+0xe0/0x210
merge_sched_in+0x1f0/0x600
visit_groups_merge.isra.92.constprop.166+0x2bc/0x6c0
ctx_flexible_sched_in+0xcc/0x140
ctx_sched_in+0x20c/0x2a0
ctx_resched+0x104/0x1c0
perf_event_exec+0x340/0x510
begin_new_exec+0x730/0xef0
load_elf_binary+0x3f8/0x1e10
...
do not call blocking ops when !TASK_RUNNING; state=2001 set at [<00000000fd63e7cf>] do_nanosleep+0x60/0x1a0
WARNING: CPU: 36 PID: 2869 at kernel/sched/core.c:9912 __might_sleep+0x9c/0xb0
CPU: 36 PID: 2869 Comm: sleep Tainted: G W 6.2.0-rc2-00011-g1247637727f2 #61
Hardware name: 8375-42A POWER9 0x4e1202 opal:v7.0-16-g9b85f7d961 PowerNV
NIP: c000000000194a1c LR: c000000000194a18 CTR: c000000000a78670
REGS: c00000004d2134e0 TRAP: 0700 Tainted: G W (6.2.0-rc2-00011-g1247637727f2)
MSR: 9000000000021033 <SF,HV,ME,IR,DR,RI,LE> CR: 48002824 XER: 00000000
CFAR: c00000000013fb64 IRQMASK: 1
The above warning triggered because the current imc-pmu code uses mutex
lock in interrupt disabled sections. The function mutex_lock()
internally calls __might_resched(), which will check if IRQs are
disabled and in case IRQs are disabled, it will trigger the warning.
Fix the issue by changing the mutex lock to spinlock.
[mpe: Fix comments, trim oops in change log, add reported-by tags]
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Linux | Linux |
Version: 8f95faaac56c18b32d0e23ace55417a440abdb7e Version: 8f95faaac56c18b32d0e23ace55417a440abdb7e Version: 8f95faaac56c18b32d0e23ace55417a440abdb7e Version: 8f95faaac56c18b32d0e23ace55417a440abdb7e Version: 8f95faaac56c18b32d0e23ace55417a440abdb7e |
||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/powerpc/include/asm/imc-pmu.h",
"arch/powerpc/perf/imc-pmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d0c6d2a31026102d4738b47a610bed4401b9834f",
"status": "affected",
"version": "8f95faaac56c18b32d0e23ace55417a440abdb7e",
"versionType": "git"
},
{
"lessThan": "8cbeb60320ac45a8240b561c8ef466b86c34dedc",
"status": "affected",
"version": "8f95faaac56c18b32d0e23ace55417a440abdb7e",
"versionType": "git"
},
{
"lessThan": "a90d339f1f66be4a946769b565668e2bd0686dfa",
"status": "affected",
"version": "8f95faaac56c18b32d0e23ace55417a440abdb7e",
"versionType": "git"
},
{
"lessThan": "424bcb570cb320d1d15238cd4c933522b90f78fa",
"status": "affected",
"version": "8f95faaac56c18b32d0e23ace55417a440abdb7e",
"versionType": "git"
},
{
"lessThan": "76d588dddc459fefa1da96e0a081a397c5c8e216",
"status": "affected",
"version": "8f95faaac56c18b32d0e23ace55417a440abdb7e",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/powerpc/include/asm/imc-pmu.h",
"arch/powerpc/perf/imc-pmu.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.14"
},
{
"lessThan": "4.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.229",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.164",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.89",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.229",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.164",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.89",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.7",
"versionStartIncluding": "4.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2",
"versionStartIncluding": "4.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/imc-pmu: Fix use of mutex in IRQs disabled section\n\nCurrent imc-pmu code triggers a WARNING with CONFIG_DEBUG_ATOMIC_SLEEP\nand CONFIG_PROVE_LOCKING enabled, while running a thread_imc event.\n\nCommand to trigger the warning:\n # perf stat -e thread_imc/CPM_CS_FROM_L4_MEM_X_DPTEG/ sleep 5\n\n Performance counter stats for \u0027sleep 5\u0027:\n\n 0 thread_imc/CPM_CS_FROM_L4_MEM_X_DPTEG/\n\n 5.002117947 seconds time elapsed\n\n 0.000131000 seconds user\n 0.001063000 seconds sys\n\nBelow is snippet of the warning in dmesg:\n\n BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580\n in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 2869, name: perf-exec\n preempt_count: 2, expected: 0\n 4 locks held by perf-exec/2869:\n #0: c00000004325c540 (\u0026sig-\u003ecred_guard_mutex){+.+.}-{3:3}, at: bprm_execve+0x64/0xa90\n #1: c00000004325c5d8 (\u0026sig-\u003eexec_update_lock){++++}-{3:3}, at: begin_new_exec+0x460/0xef0\n #2: c0000003fa99d4e0 (\u0026cpuctx_lock){-...}-{2:2}, at: perf_event_exec+0x290/0x510\n #3: c000000017ab8418 (\u0026ctx-\u003elock){....}-{2:2}, at: perf_event_exec+0x29c/0x510\n irq event stamp: 4806\n hardirqs last enabled at (4805): [\u003cc000000000f65b94\u003e] _raw_spin_unlock_irqrestore+0x94/0xd0\n hardirqs last disabled at (4806): [\u003cc0000000003fae44\u003e] perf_event_exec+0x394/0x510\n softirqs last enabled at (0): [\u003cc00000000013c404\u003e] copy_process+0xc34/0x1ff0\n softirqs last disabled at (0): [\u003c0000000000000000\u003e] 0x0\n CPU: 36 PID: 2869 Comm: perf-exec Not tainted 6.2.0-rc2-00011-g1247637727f2 #61\n Hardware name: 8375-42A POWER9 0x4e1202 opal:v7.0-16-g9b85f7d961 PowerNV\n Call Trace:\n dump_stack_lvl+0x98/0xe0 (unreliable)\n __might_resched+0x2f8/0x310\n __mutex_lock+0x6c/0x13f0\n thread_imc_event_add+0xf4/0x1b0\n event_sched_in+0xe0/0x210\n merge_sched_in+0x1f0/0x600\n visit_groups_merge.isra.92.constprop.166+0x2bc/0x6c0\n ctx_flexible_sched_in+0xcc/0x140\n ctx_sched_in+0x20c/0x2a0\n ctx_resched+0x104/0x1c0\n perf_event_exec+0x340/0x510\n begin_new_exec+0x730/0xef0\n load_elf_binary+0x3f8/0x1e10\n ...\n do not call blocking ops when !TASK_RUNNING; state=2001 set at [\u003c00000000fd63e7cf\u003e] do_nanosleep+0x60/0x1a0\n WARNING: CPU: 36 PID: 2869 at kernel/sched/core.c:9912 __might_sleep+0x9c/0xb0\n CPU: 36 PID: 2869 Comm: sleep Tainted: G W 6.2.0-rc2-00011-g1247637727f2 #61\n Hardware name: 8375-42A POWER9 0x4e1202 opal:v7.0-16-g9b85f7d961 PowerNV\n NIP: c000000000194a1c LR: c000000000194a18 CTR: c000000000a78670\n REGS: c00000004d2134e0 TRAP: 0700 Tainted: G W (6.2.0-rc2-00011-g1247637727f2)\n MSR: 9000000000021033 \u003cSF,HV,ME,IR,DR,RI,LE\u003e CR: 48002824 XER: 00000000\n CFAR: c00000000013fb64 IRQMASK: 1\n\nThe above warning triggered because the current imc-pmu code uses mutex\nlock in interrupt disabled sections. The function mutex_lock()\ninternally calls __might_resched(), which will check if IRQs are\ndisabled and in case IRQs are disabled, it will trigger the warning.\n\nFix the issue by changing the mutex lock to spinlock.\n\n[mpe: Fix comments, trim oops in change log, add reported-by tags]"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T07:48:07.136Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d0c6d2a31026102d4738b47a610bed4401b9834f"
},
{
"url": "https://git.kernel.org/stable/c/8cbeb60320ac45a8240b561c8ef466b86c34dedc"
},
{
"url": "https://git.kernel.org/stable/c/a90d339f1f66be4a946769b565668e2bd0686dfa"
},
{
"url": "https://git.kernel.org/stable/c/424bcb570cb320d1d15238cd4c933522b90f78fa"
},
{
"url": "https://git.kernel.org/stable/c/76d588dddc459fefa1da96e0a081a397c5c8e216"
}
],
"title": "powerpc/imc-pmu: Fix use of mutex in IRQs disabled section",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53031",
"datePublished": "2025-03-27T16:43:59.607Z",
"dateReserved": "2025-03-27T16:40:15.757Z",
"dateUpdated": "2025-05-04T07:48:07.136Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…