Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2025-AVI-0893
Vulnerability from certfr_avis - Published: 2025-10-17 - Updated: 2025-10-17
De multiples vulnérabilités ont été découvertes dans le noyau Linux de Red Hat. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire, une élévation de privilèges et un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.4 aarch64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 ppc64le | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server - AUS 8.6 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 s390x | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Power, little endian 8 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.6 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for IBM z Systems 8 s390x | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.4 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 s390x | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0 aarch64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 10.0 s390x | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 8 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server - TUS 8.6 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for IBM z Systems 8 s390x | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for IBM z Systems 9 s390x | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for ARM 64 9 aarch64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.4 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for Power, little endian 10 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 10 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Real Time 8 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux Server - AUS 9.6 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux Server - AUS 9.2 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.2 s390x | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 i386 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.6 s390x | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.4 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) 6 s390x | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0 s390x | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for x86_64 10 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.4 ppc64le | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.6 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux Server - AUS 8.6 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for x86_64 8 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for ARM 64 9 aarch64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 10.0 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for IBM z Systems 10 s390x | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server - AUS 9.6 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for Power, little endian 9 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for x86_64 10 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.4 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.6 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.4 s390x | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 aarch64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 aarch64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.4 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for Power, little endian 9 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for IBM z Systems 10 s390x | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for Real Time 8 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.4 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for ARM 64 9 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.6 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.6 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.4 s390x | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.4 s390x | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.4 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.6 aarch64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.6 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for ARM 64 10 aarch64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.6 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for ARM 64 8 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.6 s390x | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.4 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for ARM 64 8 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for ARM 64 10 aarch64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.2 aarch64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.6 aarch64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for ARM 64 8 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 ppc64le | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.4 s390x | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.6 s390x | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 s390x | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.6 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.4 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.6 ppc64le | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Real Time for NFV 8 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server - AUS 9.4 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.6 aarch64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for x86_64 9 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.6 s390x | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux Server - TUS 8.6 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.6 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for x86_64 8 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 10.0 aarch64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux Server - AUS 9.4 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.6 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 ppc64le | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.2 s390x | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for IBM z Systems 9 s390x | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for IBM z Systems 9 s390x | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 s390x | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server - AUS 9.2 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for ARM 64 10 aarch64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for Real Time for NFV 8 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 10.0 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.6 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.6 aarch64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.6 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.4 s390x | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Power, little endian 9 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 i386 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.4 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for Power, little endian 8 ppc64le | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) 6 s390x | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.4 ppc64le | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.2 aarch64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.6 s390x | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for IBM z Systems 10 s390x | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for x86_64 9 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 9 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for Power, little endian 10 ppc64le | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.4 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat CodeReady Linux Builder for Power, little endian 10 ppc64le | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.4 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux Server | Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2 ppc64le | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6 x86_64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 aarch64 | ||
| Red Hat | Red Hat Enterprise Linux | Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 aarch64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0 x86_64 | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0 s390x | ||
| Red Hat | Red Hat CodeReady Linux Builder | Red Hat Enterprise Linux for Power, little endian 8 ppc64le |
References
| Title | Publication Time | Tags | ||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.4 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - AUS 8.6 x86_64",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 s390x",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian 8 ppc64le",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.6 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems 8 s390x",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.4 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6 ppc64le",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 s390x",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0 aarch64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 10.0 s390x",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 8 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - TUS 8.6 x86_64",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems 8 s390x",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for IBM z Systems 9 s390x",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 9 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.4 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian 10 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 10 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time 8 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - AUS 9.6 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - AUS 9.2 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.2 s390x",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 i386",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.6 s390x",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.4 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) 6 s390x",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0 s390x",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 10 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.4 ppc64le",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.6 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - AUS 8.6 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 8 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 9 aarch64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 10.0 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems 10 s390x",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - AUS 9.6 x86_64",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian 9 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for x86_64 10 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.4 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.6 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.4 s390x",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.4 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for Power, little endian 9 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for IBM z Systems 10 s390x",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time 8 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 ppc64le",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.4 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for ARM 64 9 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.6 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.6 ppc64le",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.4 s390x",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.4 s390x",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.4 aarch64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.6 aarch64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.6 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 10 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.6 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 ppc64le",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 8 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.6 s390x",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.4 aarch64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 8 aarch64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 10 aarch64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.2 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.6 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for ARM 64 8 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 ppc64le",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.4 s390x",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 x86_64",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.6 s390x",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 s390x",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.6 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.4 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.6 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time for NFV 8 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - AUS 9.4 x86_64",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.6 aarch64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 9 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.6 s390x",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - TUS 8.6 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.6 ppc64le",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for x86_64 8 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 10.0 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - AUS 9.4 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.6 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.2 s390x",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems 9 s390x",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems 9 s390x",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 s390x",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - AUS 9.2 x86_64",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for ARM 64 10 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Real Time for NFV 8 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 10.0 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.6 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.6 aarch64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.6 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.4 s390x",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian 9 ppc64le",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 i386",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.4 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for Power, little endian 8 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) 6 s390x",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.4 ppc64le",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.2 aarch64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.6 s390x",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems 10 s390x",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for x86_64 9 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 9 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian 10 ppc64le",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.4 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat CodeReady Linux Builder for Power, little endian 10 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.4 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2 ppc64le",
"product": {
"name": "Red Hat Enterprise Linux Server",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6 x86_64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 aarch64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 aarch64",
"product": {
"name": "Red Hat Enterprise Linux",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0 x86_64",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0 s390x",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
},
{
"description": "Red Hat Enterprise Linux for Power, little endian 8 ppc64le",
"product": {
"name": "Red Hat CodeReady Linux Builder",
"vendor": {
"name": "Red Hat",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2022-50229",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50229"
},
{
"name": "CVE-2025-39757",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39757"
},
{
"name": "CVE-2025-39761",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39761"
},
{
"name": "CVE-2025-38461",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38461"
},
{
"name": "CVE-2025-37810",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37810"
},
{
"name": "CVE-2025-38527",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38527"
},
{
"name": "CVE-2025-38449",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38449"
},
{
"name": "CVE-2025-39730",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-39730"
},
{
"name": "CVE-2023-53305",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53305"
},
{
"name": "CVE-2022-49969",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49969"
},
{
"name": "CVE-2025-38211",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38211"
},
{
"name": "CVE-2025-38614",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38614"
},
{
"name": "CVE-2025-37823",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37823"
},
{
"name": "CVE-2023-53186",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53186"
},
{
"name": "CVE-2023-53125",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53125"
},
{
"name": "CVE-2022-49985",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-49985"
},
{
"name": "CVE-2025-38556",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38556"
},
{
"name": "CVE-2025-38566",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38566"
},
{
"name": "CVE-2025-38392",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38392"
},
{
"name": "CVE-2025-22097",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22097"
},
{
"name": "CVE-2025-37914",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37914"
},
{
"name": "CVE-2023-53373",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-53373"
},
{
"name": "CVE-2021-22555",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22555"
},
{
"name": "CVE-2022-50087",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50087"
},
{
"name": "CVE-2025-38498",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38498"
},
{
"name": "CVE-2025-38200",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38200"
},
{
"name": "CVE-2022-50228",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-50228"
},
{
"name": "CVE-2025-38550",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-38550"
}
],
"initial_release_date": "2025-10-17T00:00:00",
"last_revision_date": "2025-10-17T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0893",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-10-17T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Ex\u00e9cution de code arbitraire"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le noyau Linux de Red Hat. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans le noyau Linux de Red Hat",
"vendor_advisories": [
{
"published_at": "2025-10-13",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2025:17735",
"url": "https://access.redhat.com/errata/RHSA-2025:17735"
},
{
"published_at": "2025-10-15",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2025:18054",
"url": "https://access.redhat.com/errata/RHSA-2025:18054"
},
{
"published_at": "2025-10-06",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2025:17397",
"url": "https://access.redhat.com/errata/RHSA-2025:17397"
},
{
"published_at": "2025-10-13",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2025:17797",
"url": "https://access.redhat.com/errata/RHSA-2025:17797"
},
{
"published_at": "2025-10-13",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2025:17734",
"url": "https://access.redhat.com/errata/RHSA-2025:17734"
},
{
"published_at": "2025-10-15",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2025:18043",
"url": "https://access.redhat.com/errata/RHSA-2025:18043"
},
{
"published_at": "2025-10-15",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2025:18098",
"url": "https://access.redhat.com/errata/RHSA-2025:18098"
},
{
"published_at": "2025-10-10",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2025:17733",
"url": "https://access.redhat.com/errata/RHSA-2025:17733"
},
{
"published_at": "2025-10-13",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2025:17776",
"url": "https://access.redhat.com/errata/RHSA-2025:17776"
},
{
"published_at": "2025-10-14",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2025:17958",
"url": "https://access.redhat.com/errata/RHSA-2025:17958"
},
{
"published_at": "2025-10-13",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2025:17812",
"url": "https://access.redhat.com/errata/RHSA-2025:17812"
},
{
"published_at": "2025-10-13",
"title": "Bulletin de s\u00e9curit\u00e9 Red Hat RHSA-2025:17760",
"url": "https://access.redhat.com/errata/RHSA-2025:17760"
}
]
}
CVE-2025-39761 (GCVE-0-2025-39761)
Vulnerability from cvelistv5 – Published: 2025-09-11 16:52 – Updated: 2026-05-11 21:35
VLAI?
EPSS
Title
wifi: ath12k: Decrement TID on RX peer frag setup error handling
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: Decrement TID on RX peer frag setup error handling
Currently, TID is not decremented before peer cleanup, during error
handling path of ath12k_dp_rx_peer_frag_setup(). This could lead to
out-of-bounds access in peer->rx_tid[].
Hence, add a decrement operation for TID, before peer cleanup to
ensures proper cleanup and prevents out-of-bounds access issues when
the RX peer frag setup fails.
Found during code review. Compile tested only.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < eb1e1526b82b8cf31f1ef9ca86a2647fb6cd89c6
(git)
Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 7c3e99fd4a66a5ac9c7dd32db07359666efe0002 (git) Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < a3b73c72c42348bf1555fd2b00f32f941324b242 (git) Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 9530d666f4376c294cdf4348c29fe3542fec980a (git) Affected: d889913205cf7ebda905b1e62c5867ed4e39f6c2 , < 7c0884fcd2ddde0544d2e77f297ae461e1f53f58 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/dp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "eb1e1526b82b8cf31f1ef9ca86a2647fb6cd89c6",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "7c3e99fd4a66a5ac9c7dd32db07359666efe0002",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "a3b73c72c42348bf1555fd2b00f32f941324b242",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "9530d666f4376c294cdf4348c29fe3542fec980a",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
},
{
"lessThan": "7c0884fcd2ddde0544d2e77f297ae461e1f53f58",
"status": "affected",
"version": "d889913205cf7ebda905b1e62c5867ed4e39f6c2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/wireless/ath/ath12k/dp.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.3"
},
{
"lessThan": "6.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "6.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: Decrement TID on RX peer frag setup error handling\n\nCurrently, TID is not decremented before peer cleanup, during error\nhandling path of ath12k_dp_rx_peer_frag_setup(). This could lead to\nout-of-bounds access in peer-\u003erx_tid[].\n\nHence, add a decrement operation for TID, before peer cleanup to\nensures proper cleanup and prevents out-of-bounds access issues when\nthe RX peer frag setup fails.\n\nFound during code review. Compile tested only."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:35:44.920Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/eb1e1526b82b8cf31f1ef9ca86a2647fb6cd89c6"
},
{
"url": "https://git.kernel.org/stable/c/7c3e99fd4a66a5ac9c7dd32db07359666efe0002"
},
{
"url": "https://git.kernel.org/stable/c/a3b73c72c42348bf1555fd2b00f32f941324b242"
},
{
"url": "https://git.kernel.org/stable/c/9530d666f4376c294cdf4348c29fe3542fec980a"
},
{
"url": "https://git.kernel.org/stable/c/7c0884fcd2ddde0544d2e77f297ae461e1f53f58"
}
],
"title": "wifi: ath12k: Decrement TID on RX peer frag setup error handling",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39761",
"datePublished": "2025-09-11T16:52:29.788Z",
"dateReserved": "2025-04-16T07:20:57.126Z",
"dateUpdated": "2026-05-11T21:35:44.920Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50229 (GCVE-0-2022-50229)
Vulnerability from cvelistv5 – Published: 2025-06-18 11:04 – Updated: 2026-05-11 19:15
VLAI?
EPSS
Title
ALSA: bcd2000: Fix a UAF bug on the error path of probing
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: bcd2000: Fix a UAF bug on the error path of probing
When the driver fails in snd_card_register() at probe time, it will free
the 'bcd2k->midi_out_urb' before killing it, which may cause a UAF bug.
The following log can reveal it:
[ 50.727020] BUG: KASAN: use-after-free in bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000]
[ 50.727623] Read of size 8 at addr ffff88810fab0e88 by task swapper/4/0
[ 50.729530] Call Trace:
[ 50.732899] bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000]
Fix this by adding usb_kill_urb() before usb_free_urb().
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
b47a22290d581277be70e8a597824a4985d39e83 , < a718eba7e458e2f40531be3c6b6a0028ca7fcace
(git)
Affected: b47a22290d581277be70e8a597824a4985d39e83 , < 4fc41f7ebb7efca282f1740ea934d16f33c1d109 (git) Affected: b47a22290d581277be70e8a597824a4985d39e83 , < 5e7338f4dd92b2f8915a82abfa1dd3ad3464bea0 (git) Affected: b47a22290d581277be70e8a597824a4985d39e83 , < 05e0bb8c3c4dde3e21b9c1cf9395afb04e8b24db (git) Affected: b47a22290d581277be70e8a597824a4985d39e83 , < 348620464a5c127399ac09b266f494f393661952 (git) Affected: b47a22290d581277be70e8a597824a4985d39e83 , < 64ca7f50ad96c2c65ae390b954925a36eabe04aa (git) Affected: b47a22290d581277be70e8a597824a4985d39e83 , < 1d6a246cf97c380f2da76591f03019dd9c9599c3 (git) Affected: b47a22290d581277be70e8a597824a4985d39e83 , < b0d4af0a4763ddc02344789ef2a281c494bc330d (git) Affected: b47a22290d581277be70e8a597824a4985d39e83 , < ffb2759df7efbc00187bfd9d1072434a13a54139 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/bcd2000/bcd2000.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "a718eba7e458e2f40531be3c6b6a0028ca7fcace",
"status": "affected",
"version": "b47a22290d581277be70e8a597824a4985d39e83",
"versionType": "git"
},
{
"lessThan": "4fc41f7ebb7efca282f1740ea934d16f33c1d109",
"status": "affected",
"version": "b47a22290d581277be70e8a597824a4985d39e83",
"versionType": "git"
},
{
"lessThan": "5e7338f4dd92b2f8915a82abfa1dd3ad3464bea0",
"status": "affected",
"version": "b47a22290d581277be70e8a597824a4985d39e83",
"versionType": "git"
},
{
"lessThan": "05e0bb8c3c4dde3e21b9c1cf9395afb04e8b24db",
"status": "affected",
"version": "b47a22290d581277be70e8a597824a4985d39e83",
"versionType": "git"
},
{
"lessThan": "348620464a5c127399ac09b266f494f393661952",
"status": "affected",
"version": "b47a22290d581277be70e8a597824a4985d39e83",
"versionType": "git"
},
{
"lessThan": "64ca7f50ad96c2c65ae390b954925a36eabe04aa",
"status": "affected",
"version": "b47a22290d581277be70e8a597824a4985d39e83",
"versionType": "git"
},
{
"lessThan": "1d6a246cf97c380f2da76591f03019dd9c9599c3",
"status": "affected",
"version": "b47a22290d581277be70e8a597824a4985d39e83",
"versionType": "git"
},
{
"lessThan": "b0d4af0a4763ddc02344789ef2a281c494bc330d",
"status": "affected",
"version": "b47a22290d581277be70e8a597824a4985d39e83",
"versionType": "git"
},
{
"lessThan": "ffb2759df7efbc00187bfd9d1072434a13a54139",
"status": "affected",
"version": "b47a22290d581277be70e8a597824a4985d39e83",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/bcd2000/bcd2000.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.16"
},
{
"lessThan": "3.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.256",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.211",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.137",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.326",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.291",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.256",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.211",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.137",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.61",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.18",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.2",
"versionStartIncluding": "3.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0",
"versionStartIncluding": "3.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: bcd2000: Fix a UAF bug on the error path of probing\n\nWhen the driver fails in snd_card_register() at probe time, it will free\nthe \u0027bcd2k-\u003emidi_out_urb\u0027 before killing it, which may cause a UAF bug.\n\nThe following log can reveal it:\n\n[ 50.727020] BUG: KASAN: use-after-free in bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000]\n[ 50.727623] Read of size 8 at addr ffff88810fab0e88 by task swapper/4/0\n[ 50.729530] Call Trace:\n[ 50.732899] bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000]\n\nFix this by adding usb_kill_urb() before usb_free_urb()."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:15:18.488Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/a718eba7e458e2f40531be3c6b6a0028ca7fcace"
},
{
"url": "https://git.kernel.org/stable/c/4fc41f7ebb7efca282f1740ea934d16f33c1d109"
},
{
"url": "https://git.kernel.org/stable/c/5e7338f4dd92b2f8915a82abfa1dd3ad3464bea0"
},
{
"url": "https://git.kernel.org/stable/c/05e0bb8c3c4dde3e21b9c1cf9395afb04e8b24db"
},
{
"url": "https://git.kernel.org/stable/c/348620464a5c127399ac09b266f494f393661952"
},
{
"url": "https://git.kernel.org/stable/c/64ca7f50ad96c2c65ae390b954925a36eabe04aa"
},
{
"url": "https://git.kernel.org/stable/c/1d6a246cf97c380f2da76591f03019dd9c9599c3"
},
{
"url": "https://git.kernel.org/stable/c/b0d4af0a4763ddc02344789ef2a281c494bc330d"
},
{
"url": "https://git.kernel.org/stable/c/ffb2759df7efbc00187bfd9d1072434a13a54139"
}
],
"title": "ALSA: bcd2000: Fix a UAF bug on the error path of probing",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50229",
"datePublished": "2025-06-18T11:04:06.069Z",
"dateReserved": "2025-06-18T10:57:27.432Z",
"dateUpdated": "2026-05-11T19:15:18.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38614 (GCVE-0-2025-38614)
Vulnerability from cvelistv5 – Published: 2025-08-19 17:03 – Updated: 2026-05-23 16:00
VLAI?
EPSS
Title
eventpoll: Fix semi-unbounded recursion
Summary
In the Linux kernel, the following vulnerability has been resolved:
eventpoll: Fix semi-unbounded recursion
Ensure that epoll instances can never form a graph deeper than
EP_MAX_NESTS+1 links.
Currently, ep_loop_check_proc() ensures that the graph is loop-free and
does some recursion depth checks, but those recursion depth checks don't
limit the depth of the resulting tree for two reasons:
- They don't look upwards in the tree.
- If there are multiple downwards paths of different lengths, only one of
the paths is actually considered for the depth check since commit
28d82dc1c4ed ("epoll: limit paths").
Essentially, the current recursion depth check in ep_loop_check_proc() just
serves to prevent it from recursing too deeply while checking for loops.
A more thorough check is done in reverse_path_check() after the new graph
edge has already been created; this checks, among other things, that no
paths going upwards from any non-epoll file with a length of more than 5
edges exist. However, this check does not apply to non-epoll files.
As a result, it is possible to recurse to a depth of at least roughly 500,
tested on v6.15. (I am unsure if deeper recursion is possible; and this may
have changed with commit 8c44dac8add7 ("eventpoll: Fix priority inversion
problem").)
To fix it:
1. In ep_loop_check_proc(), note the subtree depth of each visited node,
and use subtree depths for the total depth calculation even when a subtree
has already been visited.
2. Add ep_get_upwards_depth_proc() for similarly determining the maximum
depth of an upwards walk.
3. In ep_loop_check(), use these values to limit the total path length
between epoll nodes to EP_MAX_NESTS edges.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e , < 71379495ab70eaba19224bd71b5b9b399eb85e04
(git)
Affected: 22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e , < 1b13b033062824495554e836a1ff5f85ccf6b039 (git) Affected: 22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e , < 2a0c0c974bea9619c6f41794775ae4b97530e0e6 (git) Affected: 22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e , < 7a2125962c42d5336ca0495a9ce4cb38a63e9161 (git) Affected: 22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e , < ea5f97dbdcb1651581a22bd10afd2f0dd9dc11d6 (git) Affected: 22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e , < 3542c90797bc3ab83ebab54b737d751cf3682036 (git) Affected: 22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e , < f2e467a48287c868818085aa35389a224d226732 (git) Affected: 8216e1a0d47cae06a75c42346f19dffe14e42d57 (git) Affected: 28a92748aa4bc57d35e7b079498b0ac2e7610a37 (git) Affected: 7eebcd4792c5a341559aed327b6afecbb1c46402 (git) Affected: 0eccd188cfeaf857a26f2d72941d27d298cf6a54 (git) Affected: a72affdbb09f3f24f64ffcbbdf62c2e57c58f379 (git) Affected: 2.6.32.30 , < 2.6.33 (semver) Affected: 2.6.33.8 , < 2.6.34 (semver) Affected: 2.6.34.10 , < 2.6.35 (semver) Affected: 2.6.35.12 , < 2.6.36 (semver) Affected: 2.6.37.3 , < 2.6.38 (semver) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:40:26.593Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"defaultStatus": "unknown",
"product": "SIMATIC CN 4100",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T12:05:15.482Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/eventpoll.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "71379495ab70eaba19224bd71b5b9b399eb85e04",
"status": "affected",
"version": "22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e",
"versionType": "git"
},
{
"lessThan": "1b13b033062824495554e836a1ff5f85ccf6b039",
"status": "affected",
"version": "22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e",
"versionType": "git"
},
{
"lessThan": "2a0c0c974bea9619c6f41794775ae4b97530e0e6",
"status": "affected",
"version": "22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e",
"versionType": "git"
},
{
"lessThan": "7a2125962c42d5336ca0495a9ce4cb38a63e9161",
"status": "affected",
"version": "22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e",
"versionType": "git"
},
{
"lessThan": "ea5f97dbdcb1651581a22bd10afd2f0dd9dc11d6",
"status": "affected",
"version": "22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e",
"versionType": "git"
},
{
"lessThan": "3542c90797bc3ab83ebab54b737d751cf3682036",
"status": "affected",
"version": "22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e",
"versionType": "git"
},
{
"lessThan": "f2e467a48287c868818085aa35389a224d226732",
"status": "affected",
"version": "22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e",
"versionType": "git"
},
{
"status": "affected",
"version": "8216e1a0d47cae06a75c42346f19dffe14e42d57",
"versionType": "git"
},
{
"status": "affected",
"version": "28a92748aa4bc57d35e7b079498b0ac2e7610a37",
"versionType": "git"
},
{
"status": "affected",
"version": "7eebcd4792c5a341559aed327b6afecbb1c46402",
"versionType": "git"
},
{
"status": "affected",
"version": "0eccd188cfeaf857a26f2d72941d27d298cf6a54",
"versionType": "git"
},
{
"status": "affected",
"version": "a72affdbb09f3f24f64ffcbbdf62c2e57c58f379",
"versionType": "git"
},
{
"lessThan": "2.6.33",
"status": "affected",
"version": "2.6.32.30",
"versionType": "semver"
},
{
"lessThan": "2.6.34",
"status": "affected",
"version": "2.6.33.8",
"versionType": "semver"
},
{
"lessThan": "2.6.35",
"status": "affected",
"version": "2.6.34.10",
"versionType": "semver"
},
{
"lessThan": "2.6.36",
"status": "affected",
"version": "2.6.35.12",
"versionType": "semver"
},
{
"lessThan": "2.6.38",
"status": "affected",
"version": "2.6.37.3",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/eventpoll.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.38"
},
{
"lessThan": "2.6.38",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.32.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.33.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.34.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.35.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.37.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\neventpoll: Fix semi-unbounded recursion\n\nEnsure that epoll instances can never form a graph deeper than\nEP_MAX_NESTS+1 links.\n\nCurrently, ep_loop_check_proc() ensures that the graph is loop-free and\ndoes some recursion depth checks, but those recursion depth checks don\u0027t\nlimit the depth of the resulting tree for two reasons:\n\n - They don\u0027t look upwards in the tree.\n - If there are multiple downwards paths of different lengths, only one of\n the paths is actually considered for the depth check since commit\n 28d82dc1c4ed (\"epoll: limit paths\").\n\nEssentially, the current recursion depth check in ep_loop_check_proc() just\nserves to prevent it from recursing too deeply while checking for loops.\n\nA more thorough check is done in reverse_path_check() after the new graph\nedge has already been created; this checks, among other things, that no\npaths going upwards from any non-epoll file with a length of more than 5\nedges exist. However, this check does not apply to non-epoll files.\n\nAs a result, it is possible to recurse to a depth of at least roughly 500,\ntested on v6.15. (I am unsure if deeper recursion is possible; and this may\nhave changed with commit 8c44dac8add7 (\"eventpoll: Fix priority inversion\nproblem\").)\n\nTo fix it:\n\n1. In ep_loop_check_proc(), note the subtree depth of each visited node,\nand use subtree depths for the total depth calculation even when a subtree\nhas already been visited.\n2. Add ep_get_upwards_depth_proc() for similarly determining the maximum\ndepth of an upwards walk.\n3. In ep_loop_check(), use these values to limit the total path length\nbetween epoll nodes to EP_MAX_NESTS edges."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:00:12.116Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/71379495ab70eaba19224bd71b5b9b399eb85e04"
},
{
"url": "https://git.kernel.org/stable/c/1b13b033062824495554e836a1ff5f85ccf6b039"
},
{
"url": "https://git.kernel.org/stable/c/2a0c0c974bea9619c6f41794775ae4b97530e0e6"
},
{
"url": "https://git.kernel.org/stable/c/7a2125962c42d5336ca0495a9ce4cb38a63e9161"
},
{
"url": "https://git.kernel.org/stable/c/ea5f97dbdcb1651581a22bd10afd2f0dd9dc11d6"
},
{
"url": "https://git.kernel.org/stable/c/3542c90797bc3ab83ebab54b737d751cf3682036"
},
{
"url": "https://git.kernel.org/stable/c/f2e467a48287c868818085aa35389a224d226732"
}
],
"title": "eventpoll: Fix semi-unbounded recursion",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38614",
"datePublished": "2025-08-19T17:03:56.348Z",
"dateReserved": "2025-04-16T04:51:24.029Z",
"dateUpdated": "2026-05-23T16:00:12.116Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38211 (GCVE-0-2025-38211)
Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction
The commit 59c68ac31e15 ("iw_cm: free cm_id resources on the last
deref") simplified cm_id resource management by freeing cm_id once all
references to the cm_id were removed. The references are removed either
upon completion of iw_cm event handlers or when the application destroys
the cm_id. This commit introduced the use-after-free condition where
cm_id_private object could still be in use by event handler works during
the destruction of cm_id. The commit aee2424246f9 ("RDMA/iwcm: Fix a
use-after-free related to destroying CM IDs") addressed this use-after-
free by flushing all pending works at the cm_id destruction.
However, still another use-after-free possibility remained. It happens
with the work objects allocated for each cm_id_priv within
alloc_work_entries() during cm_id creation, and subsequently freed in
dealloc_work_entries() once all references to the cm_id are removed.
If the cm_id's last reference is decremented in the event handler work,
the work object for the work itself gets removed, and causes the use-
after-free BUG below:
BUG: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250
Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091
CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014
Workqueue: 0x0 (iw_cm_wq)
Call Trace:
<TASK>
dump_stack_lvl+0x6a/0x90
print_report+0x174/0x554
? __virt_addr_valid+0x208/0x430
? __pwq_activate_work+0x1ff/0x250
kasan_report+0xae/0x170
? __pwq_activate_work+0x1ff/0x250
__pwq_activate_work+0x1ff/0x250
pwq_dec_nr_in_flight+0x8c5/0xfb0
process_one_work+0xc11/0x1460
? __pfx_process_one_work+0x10/0x10
? assign_work+0x16c/0x240
worker_thread+0x5ef/0xfd0
? __pfx_worker_thread+0x10/0x10
kthread+0x3b0/0x770
? __pfx_kthread+0x10/0x10
? rcu_is_watching+0x11/0xb0
? _raw_spin_unlock_irq+0x24/0x50
? rcu_is_watching+0x11/0xb0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x30/0x70
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
Allocated by task 147416:
kasan_save_stack+0x2c/0x50
kasan_save_track+0x10/0x30
__kasan_kmalloc+0xa6/0xb0
alloc_work_entries+0xa9/0x260 [iw_cm]
iw_cm_connect+0x23/0x4a0 [iw_cm]
rdma_connect_locked+0xbfd/0x1920 [rdma_cm]
nvme_rdma_cm_handler+0x8e5/0x1b60 [nvme_rdma]
cma_cm_event_handler+0xae/0x320 [rdma_cm]
cma_work_handler+0x106/0x1b0 [rdma_cm]
process_one_work+0x84f/0x1460
worker_thread+0x5ef/0xfd0
kthread+0x3b0/0x770
ret_from_fork+0x30/0x70
ret_from_fork_asm+0x1a/0x30
Freed by task 147091:
kasan_save_stack+0x2c/0x50
kasan_save_track+0x10/0x30
kasan_save_free_info+0x37/0x60
__kasan_slab_free+0x4b/0x70
kfree+0x13a/0x4b0
dealloc_work_entries+0x125/0x1f0 [iw_cm]
iwcm_deref_id+0x6f/0xa0 [iw_cm]
cm_work_handler+0x136/0x1ba0 [iw_cm]
process_one_work+0x84f/0x1460
worker_thread+0x5ef/0xfd0
kthread+0x3b0/0x770
ret_from_fork+0x30/0x70
ret_from_fork_asm+0x1a/0x30
Last potentially related work creation:
kasan_save_stack+0x2c/0x50
kasan_record_aux_stack+0xa3/0xb0
__queue_work+0x2ff/0x1390
queue_work_on+0x67/0xc0
cm_event_handler+0x46a/0x820 [iw_cm]
siw_cm_upcall+0x330/0x650 [siw]
siw_cm_work_handler+0x6b9/0x2b20 [siw]
process_one_work+0x84f/0x1460
worker_thread+0x5ef/0xfd0
kthread+0x3b0/0x770
ret_from_fork+0x30/0x70
ret_from_fork_asm+0x1a/0x30
This BUG is reproducible by repeating the blktests test case nvme/061
for the rdma transport and the siw driver.
To avoid the use-after-free of cm_id_private work objects, ensure that
the last reference to the cm_id is decremented not in the event handler
works, but in the cm_id destruction context. For that purpose, mo
---truncated---
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 , < 013dcdf6f03bcedbaf1669e3db71c34a197715b2
(git)
Affected: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 , < bf7eff5e3a36c54bbe8aff7fd6dd7c07490b81c5 (git) Affected: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 , < 3b4a50d733acad6831f6bd9288a76a80f70650ac (git) Affected: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 , < 78381dc8a6b61c9bb9987d37b4d671b99767c4a1 (git) Affected: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 , < 23a707bbcbea468eedb398832eeb7e8e0ceafd21 (git) Affected: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 , < 764c9f69beabef8bdc651a7746c59f7a340d104f (git) Affected: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 , < fd960b5ddf4faf00da43babdd3acda68842e1f6a (git) Affected: 59c68ac31e15ad09d2cb04734e3c8c544a95f8d4 , < 6883b680e703c6b2efddb4e7a8d891ce1803d06b (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:35:29.579Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-38211",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:18.332991Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:10.931Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/iwcm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "013dcdf6f03bcedbaf1669e3db71c34a197715b2",
"status": "affected",
"version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
"versionType": "git"
},
{
"lessThan": "bf7eff5e3a36c54bbe8aff7fd6dd7c07490b81c5",
"status": "affected",
"version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
"versionType": "git"
},
{
"lessThan": "3b4a50d733acad6831f6bd9288a76a80f70650ac",
"status": "affected",
"version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
"versionType": "git"
},
{
"lessThan": "78381dc8a6b61c9bb9987d37b4d671b99767c4a1",
"status": "affected",
"version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
"versionType": "git"
},
{
"lessThan": "23a707bbcbea468eedb398832eeb7e8e0ceafd21",
"status": "affected",
"version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
"versionType": "git"
},
{
"lessThan": "764c9f69beabef8bdc651a7746c59f7a340d104f",
"status": "affected",
"version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
"versionType": "git"
},
{
"lessThan": "fd960b5ddf4faf00da43babdd3acda68842e1f6a",
"status": "affected",
"version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
"versionType": "git"
},
{
"lessThan": "6883b680e703c6b2efddb4e7a8d891ce1803d06b",
"status": "affected",
"version": "59c68ac31e15ad09d2cb04734e3c8c544a95f8d4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/infiniband/core/iwcm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.8"
},
{
"lessThan": "4.8",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.296",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.296",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.240",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.95",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.35",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"versionStartIncluding": "4.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/iwcm: Fix use-after-free of work objects after cm_id destruction\n\nThe commit 59c68ac31e15 (\"iw_cm: free cm_id resources on the last\nderef\") simplified cm_id resource management by freeing cm_id once all\nreferences to the cm_id were removed. The references are removed either\nupon completion of iw_cm event handlers or when the application destroys\nthe cm_id. This commit introduced the use-after-free condition where\ncm_id_private object could still be in use by event handler works during\nthe destruction of cm_id. The commit aee2424246f9 (\"RDMA/iwcm: Fix a\nuse-after-free related to destroying CM IDs\") addressed this use-after-\nfree by flushing all pending works at the cm_id destruction.\n\nHowever, still another use-after-free possibility remained. It happens\nwith the work objects allocated for each cm_id_priv within\nalloc_work_entries() during cm_id creation, and subsequently freed in\ndealloc_work_entries() once all references to the cm_id are removed.\nIf the cm_id\u0027s last reference is decremented in the event handler work,\nthe work object for the work itself gets removed, and causes the use-\nafter-free BUG below:\n\n BUG: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250\n Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091\n\n CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary)\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014\n Workqueue: 0x0 (iw_cm_wq)\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x6a/0x90\n print_report+0x174/0x554\n ? __virt_addr_valid+0x208/0x430\n ? __pwq_activate_work+0x1ff/0x250\n kasan_report+0xae/0x170\n ? __pwq_activate_work+0x1ff/0x250\n __pwq_activate_work+0x1ff/0x250\n pwq_dec_nr_in_flight+0x8c5/0xfb0\n process_one_work+0xc11/0x1460\n ? __pfx_process_one_work+0x10/0x10\n ? assign_work+0x16c/0x240\n worker_thread+0x5ef/0xfd0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x3b0/0x770\n ? __pfx_kthread+0x10/0x10\n ? rcu_is_watching+0x11/0xb0\n ? _raw_spin_unlock_irq+0x24/0x50\n ? rcu_is_watching+0x11/0xb0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x30/0x70\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n\n Allocated by task 147416:\n kasan_save_stack+0x2c/0x50\n kasan_save_track+0x10/0x30\n __kasan_kmalloc+0xa6/0xb0\n alloc_work_entries+0xa9/0x260 [iw_cm]\n iw_cm_connect+0x23/0x4a0 [iw_cm]\n rdma_connect_locked+0xbfd/0x1920 [rdma_cm]\n nvme_rdma_cm_handler+0x8e5/0x1b60 [nvme_rdma]\n cma_cm_event_handler+0xae/0x320 [rdma_cm]\n cma_work_handler+0x106/0x1b0 [rdma_cm]\n process_one_work+0x84f/0x1460\n worker_thread+0x5ef/0xfd0\n kthread+0x3b0/0x770\n ret_from_fork+0x30/0x70\n ret_from_fork_asm+0x1a/0x30\n\n Freed by task 147091:\n kasan_save_stack+0x2c/0x50\n kasan_save_track+0x10/0x30\n kasan_save_free_info+0x37/0x60\n __kasan_slab_free+0x4b/0x70\n kfree+0x13a/0x4b0\n dealloc_work_entries+0x125/0x1f0 [iw_cm]\n iwcm_deref_id+0x6f/0xa0 [iw_cm]\n cm_work_handler+0x136/0x1ba0 [iw_cm]\n process_one_work+0x84f/0x1460\n worker_thread+0x5ef/0xfd0\n kthread+0x3b0/0x770\n ret_from_fork+0x30/0x70\n ret_from_fork_asm+0x1a/0x30\n\n Last potentially related work creation:\n kasan_save_stack+0x2c/0x50\n kasan_record_aux_stack+0xa3/0xb0\n __queue_work+0x2ff/0x1390\n queue_work_on+0x67/0xc0\n cm_event_handler+0x46a/0x820 [iw_cm]\n siw_cm_upcall+0x330/0x650 [siw]\n siw_cm_work_handler+0x6b9/0x2b20 [siw]\n process_one_work+0x84f/0x1460\n worker_thread+0x5ef/0xfd0\n kthread+0x3b0/0x770\n ret_from_fork+0x30/0x70\n ret_from_fork_asm+0x1a/0x30\n\nThis BUG is reproducible by repeating the blktests test case nvme/061\nfor the rdma transport and the siw driver.\n\nTo avoid the use-after-free of cm_id_private work objects, ensure that\nthe last reference to the cm_id is decremented not in the event handler\nworks, but in the cm_id destruction context. For that purpose, mo\n---truncated---"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:23:24.277Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/013dcdf6f03bcedbaf1669e3db71c34a197715b2"
},
{
"url": "https://git.kernel.org/stable/c/bf7eff5e3a36c54bbe8aff7fd6dd7c07490b81c5"
},
{
"url": "https://git.kernel.org/stable/c/3b4a50d733acad6831f6bd9288a76a80f70650ac"
},
{
"url": "https://git.kernel.org/stable/c/78381dc8a6b61c9bb9987d37b4d671b99767c4a1"
},
{
"url": "https://git.kernel.org/stable/c/23a707bbcbea468eedb398832eeb7e8e0ceafd21"
},
{
"url": "https://git.kernel.org/stable/c/764c9f69beabef8bdc651a7746c59f7a340d104f"
},
{
"url": "https://git.kernel.org/stable/c/fd960b5ddf4faf00da43babdd3acda68842e1f6a"
},
{
"url": "https://git.kernel.org/stable/c/6883b680e703c6b2efddb4e7a8d891ce1803d06b"
}
],
"title": "RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38211",
"datePublished": "2025-07-04T13:37:30.307Z",
"dateReserved": "2025-04-16T04:51:23.994Z",
"dateUpdated": "2026-06-11T18:44:10.931Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53373 (GCVE-0-2023-53373)
Vulnerability from cvelistv5 – Published: 2025-09-18 13:33 – Updated: 2026-05-11 19:43
VLAI?
EPSS
Title
crypto: seqiv - Handle EBUSY correctly
Summary
In the Linux kernel, the following vulnerability has been resolved:
crypto: seqiv - Handle EBUSY correctly
As it is seqiv only handles the special return value of EINPROGERSS,
which means that in all other cases it will free data related to the
request.
However, as the caller of seqiv may specify MAY_BACKLOG, we also need
to expect EBUSY and treat it in the same way. Otherwise backlogged
requests will trigger a use-after-free.
Severity ?
7.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
0a270321dbf948963aeb0e8382fe17d2c2eb3771 , < cc4d0d4251748a8a68026938f4055d2ac47c5719
(git)
Affected: 0a270321dbf948963aeb0e8382fe17d2c2eb3771 , < 1effbddaff60eeef8017c6dea1ee0ed970164d14 (git) Affected: 0a270321dbf948963aeb0e8382fe17d2c2eb3771 , < 63551e4b7cbcd9914258827699eb2cb6ed6e4a16 (git) Affected: 0a270321dbf948963aeb0e8382fe17d2c2eb3771 , < ae849d2f48019ff9c104e32bf588ccbfb200e971 (git) Affected: 0a270321dbf948963aeb0e8382fe17d2c2eb3771 , < 36ec108b7bd7e280edb22de028467bd09d644620 (git) Affected: 0a270321dbf948963aeb0e8382fe17d2c2eb3771 , < 4d497e8b200a175094e0ac252ed878add39b8771 (git) Affected: 0a270321dbf948963aeb0e8382fe17d2c2eb3771 , < 9477db935eb690f697d9bcc4f608927841bc8b36 (git) Affected: 0a270321dbf948963aeb0e8382fe17d2c2eb3771 , < 32e62025e5e52fbe4812ef044759de7010b15dbc (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53373",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:54:09.278191Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T19:03:03.132Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"crypto/seqiv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cc4d0d4251748a8a68026938f4055d2ac47c5719",
"status": "affected",
"version": "0a270321dbf948963aeb0e8382fe17d2c2eb3771",
"versionType": "git"
},
{
"lessThan": "1effbddaff60eeef8017c6dea1ee0ed970164d14",
"status": "affected",
"version": "0a270321dbf948963aeb0e8382fe17d2c2eb3771",
"versionType": "git"
},
{
"lessThan": "63551e4b7cbcd9914258827699eb2cb6ed6e4a16",
"status": "affected",
"version": "0a270321dbf948963aeb0e8382fe17d2c2eb3771",
"versionType": "git"
},
{
"lessThan": "ae849d2f48019ff9c104e32bf588ccbfb200e971",
"status": "affected",
"version": "0a270321dbf948963aeb0e8382fe17d2c2eb3771",
"versionType": "git"
},
{
"lessThan": "36ec108b7bd7e280edb22de028467bd09d644620",
"status": "affected",
"version": "0a270321dbf948963aeb0e8382fe17d2c2eb3771",
"versionType": "git"
},
{
"lessThan": "4d497e8b200a175094e0ac252ed878add39b8771",
"status": "affected",
"version": "0a270321dbf948963aeb0e8382fe17d2c2eb3771",
"versionType": "git"
},
{
"lessThan": "9477db935eb690f697d9bcc4f608927841bc8b36",
"status": "affected",
"version": "0a270321dbf948963aeb0e8382fe17d2c2eb3771",
"versionType": "git"
},
{
"lessThan": "32e62025e5e52fbe4812ef044759de7010b15dbc",
"status": "affected",
"version": "0a270321dbf948963aeb0e8382fe17d2c2eb3771",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"crypto/seqiv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.25"
},
{
"lessThan": "2.6.25",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.308",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.276",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.235",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.173",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.16",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.308",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.276",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.235",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.173",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.99",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.16",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.3",
"versionStartIncluding": "2.6.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "2.6.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: seqiv - Handle EBUSY correctly\n\nAs it is seqiv only handles the special return value of EINPROGERSS,\nwhich means that in all other cases it will free data related to the\nrequest.\n\nHowever, as the caller of seqiv may specify MAY_BACKLOG, we also need\nto expect EBUSY and treat it in the same way. Otherwise backlogged\nrequests will trigger a use-after-free."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:43:41.770Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cc4d0d4251748a8a68026938f4055d2ac47c5719"
},
{
"url": "https://git.kernel.org/stable/c/1effbddaff60eeef8017c6dea1ee0ed970164d14"
},
{
"url": "https://git.kernel.org/stable/c/63551e4b7cbcd9914258827699eb2cb6ed6e4a16"
},
{
"url": "https://git.kernel.org/stable/c/ae849d2f48019ff9c104e32bf588ccbfb200e971"
},
{
"url": "https://git.kernel.org/stable/c/36ec108b7bd7e280edb22de028467bd09d644620"
},
{
"url": "https://git.kernel.org/stable/c/4d497e8b200a175094e0ac252ed878add39b8771"
},
{
"url": "https://git.kernel.org/stable/c/9477db935eb690f697d9bcc4f608927841bc8b36"
},
{
"url": "https://git.kernel.org/stable/c/32e62025e5e52fbe4812ef044759de7010b15dbc"
}
],
"title": "crypto: seqiv - Handle EBUSY correctly",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53373",
"datePublished": "2025-09-18T13:33:20.264Z",
"dateReserved": "2025-09-17T14:54:09.734Z",
"dateUpdated": "2026-05-11T19:43:41.770Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53186 (GCVE-0-2023-53186)
Vulnerability from cvelistv5 – Published: 2025-09-15 14:04 – Updated: 2026-05-11 19:39
VLAI?
EPSS
Title
skbuff: Fix a race between coalescing and releasing SKBs
Summary
In the Linux kernel, the following vulnerability has been resolved:
skbuff: Fix a race between coalescing and releasing SKBs
Commit 1effe8ca4e34 ("skbuff: fix coalescing for page_pool fragment
recycling") allowed coalescing to proceed with non page pool page and page
pool page when @from is cloned, i.e.
to->pp_recycle --> false
from->pp_recycle --> true
skb_cloned(from) --> true
However, it actually requires skb_cloned(@from) to hold true until
coalescing finishes in this situation. If the other cloned SKB is
released while the merging is in process, from_shinfo->nr_frags will be
set to 0 toward the end of the function, causing the increment of frag
page _refcount to be unexpectedly skipped resulting in inconsistent
reference counts. Later when SKB(@to) is released, it frees the page
directly even though the page pool page is still in use, leading to
use-after-free or double-free errors. So it should be prohibited.
The double-free error message below prompted us to investigate:
BUG: Bad page state in process swapper/1 pfn:0e0d1
page:00000000c6548b28 refcount:-1 mapcount:0 mapping:0000000000000000
index:0x2 pfn:0xe0d1
flags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff)
raw: 000fffffc0000000 0000000000000000 ffffffff00000101 0000000000000000
raw: 0000000000000002 0000000000000000 ffffffffffffffff 0000000000000000
page dumped because: nonzero _refcount
CPU: 1 PID: 0 Comm: swapper/1 Tainted: G E 6.2.0+
Call Trace:
<IRQ>
dump_stack_lvl+0x32/0x50
bad_page+0x69/0xf0
free_pcp_prepare+0x260/0x2f0
free_unref_page+0x20/0x1c0
skb_release_data+0x10b/0x1a0
napi_consume_skb+0x56/0x150
net_rx_action+0xf0/0x350
? __napi_schedule+0x79/0x90
__do_softirq+0xc8/0x2b1
__irq_exit_rcu+0xb9/0xf0
common_interrupt+0x82/0xa0
</IRQ>
<TASK>
asm_common_interrupt+0x22/0x40
RIP: 0010:default_idle+0xb/0x20
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
53e0961da1c7bbdabd1abebb20de403ec237ec09 , < 906a6689bb0191ad2a44131a3377006aa098af59
(git)
Affected: 53e0961da1c7bbdabd1abebb20de403ec237ec09 , < 71850b5af92da21b4862a9bc55bda61091247d00 (git) Affected: 53e0961da1c7bbdabd1abebb20de403ec237ec09 , < 5f692c992a3bb9a8018e3488098b401a4229e7ec (git) Affected: 53e0961da1c7bbdabd1abebb20de403ec237ec09 , < 0646dc31ca886693274df5749cd0c8c1eaaeb5ca (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/skbuff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "906a6689bb0191ad2a44131a3377006aa098af59",
"status": "affected",
"version": "53e0961da1c7bbdabd1abebb20de403ec237ec09",
"versionType": "git"
},
{
"lessThan": "71850b5af92da21b4862a9bc55bda61091247d00",
"status": "affected",
"version": "53e0961da1c7bbdabd1abebb20de403ec237ec09",
"versionType": "git"
},
{
"lessThan": "5f692c992a3bb9a8018e3488098b401a4229e7ec",
"status": "affected",
"version": "53e0961da1c7bbdabd1abebb20de403ec237ec09",
"versionType": "git"
},
{
"lessThan": "0646dc31ca886693274df5749cd0c8c1eaaeb5ca",
"status": "affected",
"version": "53e0961da1c7bbdabd1abebb20de403ec237ec09",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/skbuff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.15"
},
{
"lessThan": "5.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.108",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.108",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.25",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.12",
"versionStartIncluding": "5.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nskbuff: Fix a race between coalescing and releasing SKBs\n\nCommit 1effe8ca4e34 (\"skbuff: fix coalescing for page_pool fragment\nrecycling\") allowed coalescing to proceed with non page pool page and page\npool page when @from is cloned, i.e.\n\nto-\u003epp_recycle --\u003e false\nfrom-\u003epp_recycle --\u003e true\nskb_cloned(from) --\u003e true\n\nHowever, it actually requires skb_cloned(@from) to hold true until\ncoalescing finishes in this situation. If the other cloned SKB is\nreleased while the merging is in process, from_shinfo-\u003enr_frags will be\nset to 0 toward the end of the function, causing the increment of frag\npage _refcount to be unexpectedly skipped resulting in inconsistent\nreference counts. Later when SKB(@to) is released, it frees the page\ndirectly even though the page pool page is still in use, leading to\nuse-after-free or double-free errors. So it should be prohibited.\n\nThe double-free error message below prompted us to investigate:\nBUG: Bad page state in process swapper/1 pfn:0e0d1\npage:00000000c6548b28 refcount:-1 mapcount:0 mapping:0000000000000000\nindex:0x2 pfn:0xe0d1\nflags: 0xfffffc0000000(node=0|zone=1|lastcpupid=0x1fffff)\nraw: 000fffffc0000000 0000000000000000 ffffffff00000101 0000000000000000\nraw: 0000000000000002 0000000000000000 ffffffffffffffff 0000000000000000\npage dumped because: nonzero _refcount\n\nCPU: 1 PID: 0 Comm: swapper/1 Tainted: G E 6.2.0+\nCall Trace:\n \u003cIRQ\u003e\ndump_stack_lvl+0x32/0x50\nbad_page+0x69/0xf0\nfree_pcp_prepare+0x260/0x2f0\nfree_unref_page+0x20/0x1c0\nskb_release_data+0x10b/0x1a0\nnapi_consume_skb+0x56/0x150\nnet_rx_action+0xf0/0x350\n? __napi_schedule+0x79/0x90\n__do_softirq+0xc8/0x2b1\n__irq_exit_rcu+0xb9/0xf0\ncommon_interrupt+0x82/0xa0\n\u003c/IRQ\u003e\n\u003cTASK\u003e\nasm_common_interrupt+0x22/0x40\nRIP: 0010:default_idle+0xb/0x20"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:39:54.769Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/906a6689bb0191ad2a44131a3377006aa098af59"
},
{
"url": "https://git.kernel.org/stable/c/71850b5af92da21b4862a9bc55bda61091247d00"
},
{
"url": "https://git.kernel.org/stable/c/5f692c992a3bb9a8018e3488098b401a4229e7ec"
},
{
"url": "https://git.kernel.org/stable/c/0646dc31ca886693274df5749cd0c8c1eaaeb5ca"
}
],
"title": "skbuff: Fix a race between coalescing and releasing SKBs",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53186",
"datePublished": "2025-09-15T14:04:38.954Z",
"dateReserved": "2025-09-15T13:59:19.066Z",
"dateUpdated": "2026-05-11T19:39:54.769Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38556 (GCVE-0-2025-38556)
Vulnerability from cvelistv5 – Published: 2025-08-19 17:02 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
HID: core: Harden s32ton() against conversion to 0 bits
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: core: Harden s32ton() against conversion to 0 bits
Testing by the syzbot fuzzer showed that the HID core gets a
shift-out-of-bounds exception when it tries to convert a 32-bit
quantity to a 0-bit quantity. Ideally this should never occur, but
there are buggy devices and some might have a report field with size
set to zero; we shouldn't reject the report or the device just because
of that.
Instead, harden the s32ton() routine so that it returns a reasonable
result instead of crashing when it is called with the number of bits
set to 0 -- the same as what snto32() does.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
dde5845a529ff753364a6d1aea61180946270bfa , < 6cdf6c708717c5c6897d0800a1793e83757c7491
(git)
Affected: dde5845a529ff753364a6d1aea61180946270bfa , < eeeaba737919bdce9885e2a00ac2912f61a3684d (git) Affected: dde5845a529ff753364a6d1aea61180946270bfa , < 3c86548a20d7bc2861aa4de044991a327bebad1a (git) Affected: dde5845a529ff753364a6d1aea61180946270bfa , < 810189546cb6c8f36443ed091d91f1f5d2fc2ec7 (git) Affected: dde5845a529ff753364a6d1aea61180946270bfa , < d3b504146c111548ab60b6ef7aad00bfb1db05a2 (git) Affected: dde5845a529ff753364a6d1aea61180946270bfa , < 8b4a94b1510f6a46ec48494b52ee8f67eb4fc836 (git) Affected: dde5845a529ff753364a6d1aea61180946270bfa , < 865ad8469fa24de1559f247d9426ab01e5ce3a56 (git) Affected: dde5845a529ff753364a6d1aea61180946270bfa , < a6b87bfc2ab5bccb7ad953693c85d9062aef3fdd (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-38556",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:53.944834Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:17.332Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6cdf6c708717c5c6897d0800a1793e83757c7491",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "eeeaba737919bdce9885e2a00ac2912f61a3684d",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "3c86548a20d7bc2861aa4de044991a327bebad1a",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "810189546cb6c8f36443ed091d91f1f5d2fc2ec7",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "d3b504146c111548ab60b6ef7aad00bfb1db05a2",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "8b4a94b1510f6a46ec48494b52ee8f67eb4fc836",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "865ad8469fa24de1559f247d9426ab01e5ce3a56",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
},
{
"lessThan": "a6b87bfc2ab5bccb7ad953693c85d9062aef3fdd",
"status": "affected",
"version": "dde5845a529ff753364a6d1aea61180946270bfa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/hid-core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.20"
},
{
"lessThan": "2.6.20",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.248",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.198",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.159",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.119",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.46",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.248",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.198",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.159",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.119",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.46",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "2.6.20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "2.6.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: Harden s32ton() against conversion to 0 bits\n\nTesting by the syzbot fuzzer showed that the HID core gets a\nshift-out-of-bounds exception when it tries to convert a 32-bit\nquantity to a 0-bit quantity. Ideally this should never occur, but\nthere are buggy devices and some might have a report field with size\nset to zero; we shouldn\u0027t reject the report or the device just because\nof that.\n\nInstead, harden the s32ton() routine so that it returns a reasonable\nresult instead of crashing when it is called with the number of bits\nset to 0 -- the same as what snto32() does."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:30:22.814Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6cdf6c708717c5c6897d0800a1793e83757c7491"
},
{
"url": "https://git.kernel.org/stable/c/eeeaba737919bdce9885e2a00ac2912f61a3684d"
},
{
"url": "https://git.kernel.org/stable/c/3c86548a20d7bc2861aa4de044991a327bebad1a"
},
{
"url": "https://git.kernel.org/stable/c/810189546cb6c8f36443ed091d91f1f5d2fc2ec7"
},
{
"url": "https://git.kernel.org/stable/c/d3b504146c111548ab60b6ef7aad00bfb1db05a2"
},
{
"url": "https://git.kernel.org/stable/c/8b4a94b1510f6a46ec48494b52ee8f67eb4fc836"
},
{
"url": "https://git.kernel.org/stable/c/865ad8469fa24de1559f247d9426ab01e5ce3a56"
},
{
"url": "https://git.kernel.org/stable/c/a6b87bfc2ab5bccb7ad953693c85d9062aef3fdd"
}
],
"title": "HID: core: Harden s32ton() against conversion to 0 bits",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38556",
"datePublished": "2025-08-19T17:02:34.929Z",
"dateReserved": "2025-04-16T04:51:24.025Z",
"dateUpdated": "2026-06-11T18:44:17.332Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49985 (GCVE-0-2022-49985)
Vulnerability from cvelistv5 – Published: 2025-06-18 11:00 – Updated: 2026-05-11 19:10
VLAI?
EPSS
Title
bpf: Don't use tnum_range on array range checking for poke descriptors
Summary
In the Linux kernel, the following vulnerability has been resolved:
bpf: Don't use tnum_range on array range checking for poke descriptors
Hsin-Wei reported a KASAN splat triggered by their BPF runtime fuzzer which
is based on a customized syzkaller:
BUG: KASAN: slab-out-of-bounds in bpf_int_jit_compile+0x1257/0x13f0
Read of size 8 at addr ffff888004e90b58 by task syz-executor.0/1489
CPU: 1 PID: 1489 Comm: syz-executor.0 Not tainted 5.19.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x9c/0xc9
print_address_description.constprop.0+0x1f/0x1f0
? bpf_int_jit_compile+0x1257/0x13f0
kasan_report.cold+0xeb/0x197
? kvmalloc_node+0x170/0x200
? bpf_int_jit_compile+0x1257/0x13f0
bpf_int_jit_compile+0x1257/0x13f0
? arch_prepare_bpf_dispatcher+0xd0/0xd0
? rcu_read_lock_sched_held+0x43/0x70
bpf_prog_select_runtime+0x3e8/0x640
? bpf_obj_name_cpy+0x149/0x1b0
bpf_prog_load+0x102f/0x2220
? __bpf_prog_put.constprop.0+0x220/0x220
? find_held_lock+0x2c/0x110
? __might_fault+0xd6/0x180
? lock_downgrade+0x6e0/0x6e0
? lock_is_held_type+0xa6/0x120
? __might_fault+0x147/0x180
__sys_bpf+0x137b/0x6070
? bpf_perf_link_attach+0x530/0x530
? new_sync_read+0x600/0x600
? __fget_files+0x255/0x450
? lock_downgrade+0x6e0/0x6e0
? fput+0x30/0x1a0
? ksys_write+0x1a8/0x260
__x64_sys_bpf+0x7a/0xc0
? syscall_enter_from_user_mode+0x21/0x70
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f917c4e2c2d
The problem here is that a range of tnum_range(0, map->max_entries - 1) has
limited ability to represent the concrete tight range with the tnum as the
set of resulting states from value + mask can result in a superset of the
actual intended range, and as such a tnum_in(range, reg->var_off) check may
yield true when it shouldn't, for example tnum_range(0, 2) would result in
00XX -> v = 0000, m = 0011 such that the intended set of {0, 1, 2} is here
represented by a less precise superset of {0, 1, 2, 3}. As the register is
known const scalar, really just use the concrete reg->var_off.value for the
upper index check.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
d2e4c1e6c2947269346054ac8937ccfe9e0bcc6b , < e8979807178434db8ceaa84dfcd44363e71e50bb
(git)
Affected: d2e4c1e6c2947269346054ac8937ccfe9e0bcc6b , < 4f672112f8665102a5842c170be1713f8ff95919 (git) Affected: d2e4c1e6c2947269346054ac8937ccfe9e0bcc6b , < a36df92c7ff7ecde2fb362241d0ab024dddd0597 (git) Affected: d2e4c1e6c2947269346054ac8937ccfe9e0bcc6b , < a657182a5c5150cdfacb6640aad1d2712571a409 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e8979807178434db8ceaa84dfcd44363e71e50bb",
"status": "affected",
"version": "d2e4c1e6c2947269346054ac8937ccfe9e0bcc6b",
"versionType": "git"
},
{
"lessThan": "4f672112f8665102a5842c170be1713f8ff95919",
"status": "affected",
"version": "d2e4c1e6c2947269346054ac8937ccfe9e0bcc6b",
"versionType": "git"
},
{
"lessThan": "a36df92c7ff7ecde2fb362241d0ab024dddd0597",
"status": "affected",
"version": "d2e4c1e6c2947269346054ac8937ccfe9e0bcc6b",
"versionType": "git"
},
{
"lessThan": "a657182a5c5150cdfacb6640aad1d2712571a409",
"status": "affected",
"version": "d2e4c1e6c2947269346054ac8937ccfe9e0bcc6b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"kernel/bpf/verifier.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.64",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.140",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.64",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.6",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Don\u0027t use tnum_range on array range checking for poke descriptors\n\nHsin-Wei reported a KASAN splat triggered by their BPF runtime fuzzer which\nis based on a customized syzkaller:\n\n BUG: KASAN: slab-out-of-bounds in bpf_int_jit_compile+0x1257/0x13f0\n Read of size 8 at addr ffff888004e90b58 by task syz-executor.0/1489\n CPU: 1 PID: 1489 Comm: syz-executor.0 Not tainted 5.19.0 #1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n 1.13.0-1ubuntu1.1 04/01/2014\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x9c/0xc9\n print_address_description.constprop.0+0x1f/0x1f0\n ? bpf_int_jit_compile+0x1257/0x13f0\n kasan_report.cold+0xeb/0x197\n ? kvmalloc_node+0x170/0x200\n ? bpf_int_jit_compile+0x1257/0x13f0\n bpf_int_jit_compile+0x1257/0x13f0\n ? arch_prepare_bpf_dispatcher+0xd0/0xd0\n ? rcu_read_lock_sched_held+0x43/0x70\n bpf_prog_select_runtime+0x3e8/0x640\n ? bpf_obj_name_cpy+0x149/0x1b0\n bpf_prog_load+0x102f/0x2220\n ? __bpf_prog_put.constprop.0+0x220/0x220\n ? find_held_lock+0x2c/0x110\n ? __might_fault+0xd6/0x180\n ? lock_downgrade+0x6e0/0x6e0\n ? lock_is_held_type+0xa6/0x120\n ? __might_fault+0x147/0x180\n __sys_bpf+0x137b/0x6070\n ? bpf_perf_link_attach+0x530/0x530\n ? new_sync_read+0x600/0x600\n ? __fget_files+0x255/0x450\n ? lock_downgrade+0x6e0/0x6e0\n ? fput+0x30/0x1a0\n ? ksys_write+0x1a8/0x260\n __x64_sys_bpf+0x7a/0xc0\n ? syscall_enter_from_user_mode+0x21/0x70\n do_syscall_64+0x3b/0x90\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n RIP: 0033:0x7f917c4e2c2d\n\nThe problem here is that a range of tnum_range(0, map-\u003emax_entries - 1) has\nlimited ability to represent the concrete tight range with the tnum as the\nset of resulting states from value + mask can result in a superset of the\nactual intended range, and as such a tnum_in(range, reg-\u003evar_off) check may\nyield true when it shouldn\u0027t, for example tnum_range(0, 2) would result in\n00XX -\u003e v = 0000, m = 0011 such that the intended set of {0, 1, 2} is here\nrepresented by a less precise superset of {0, 1, 2, 3}. As the register is\nknown const scalar, really just use the concrete reg-\u003evar_off.value for the\nupper index check."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:10:30.979Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e8979807178434db8ceaa84dfcd44363e71e50bb"
},
{
"url": "https://git.kernel.org/stable/c/4f672112f8665102a5842c170be1713f8ff95919"
},
{
"url": "https://git.kernel.org/stable/c/a36df92c7ff7ecde2fb362241d0ab024dddd0597"
},
{
"url": "https://git.kernel.org/stable/c/a657182a5c5150cdfacb6640aad1d2712571a409"
}
],
"title": "bpf: Don\u0027t use tnum_range on array range checking for poke descriptors",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49985",
"datePublished": "2025-06-18T11:00:47.251Z",
"dateReserved": "2025-06-18T10:57:27.386Z",
"dateUpdated": "2026-05-11T19:10:30.979Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38527 (GCVE-0-2025-38527)
Vulnerability from cvelistv5 – Published: 2025-08-16 11:12 – Updated: 2026-05-23 15:59
VLAI?
EPSS
Title
smb: client: fix use-after-free in cifs_oplock_break
Summary
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix use-after-free in cifs_oplock_break
A race condition can occur in cifs_oplock_break() leading to a
use-after-free of the cinode structure when unmounting:
cifs_oplock_break()
_cifsFileInfo_put(cfile)
cifsFileInfo_put_final()
cifs_sb_deactive()
[last ref, start releasing sb]
kill_sb()
kill_anon_super()
generic_shutdown_super()
evict_inodes()
dispose_list()
evict()
destroy_inode()
call_rcu(&inode->i_rcu, i_callback)
spin_lock(&cinode->open_file_lock) <- OK
[later] i_callback()
cifs_free_inode()
kmem_cache_free(cinode)
spin_unlock(&cinode->open_file_lock) <- UAF
cifs_done_oplock_break(cinode) <- UAF
The issue occurs when umount has already released its reference to the
superblock. When _cifsFileInfo_put() calls cifs_sb_deactive(), this
releases the last reference, triggering the immediate cleanup of all
inodes under RCU. However, cifs_oplock_break() continues to access the
cinode after this point, resulting in use-after-free.
Fix this by holding an extra reference to the superblock during the
entire oplock break operation. This ensures that the superblock and
its inodes remain valid until the oplock break completes.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
b98749cac4a695f084a5ff076f4510b23e353ecd , < 4256a483fe58af66a46cbf3dc48ff26e580d3308
(git)
Affected: b98749cac4a695f084a5ff076f4510b23e353ecd , < 0a4eec84d4d2c4085d4ed8630fd74e4b39033c1b (git) Affected: b98749cac4a695f084a5ff076f4510b23e353ecd , < 2baaf5bbab2ac474c4f92c10fcb3310f824db995 (git) Affected: b98749cac4a695f084a5ff076f4510b23e353ecd , < 09bce2138a30ef10d8821c8c3f73a4ab7a5726bc (git) Affected: b98749cac4a695f084a5ff076f4510b23e353ecd , < da11bd4b697b393a207f19a2ed7d382a811a3ddc (git) Affected: b98749cac4a695f084a5ff076f4510b23e353ecd , < 705c79101ccf9edea5a00d761491a03ced314210 (git) Affected: 2429fcf06d3cb962693868ab0a927c9038f12a2d (git) Affected: 1ee4f2d7cdcd4508cc3cbe3b2622d7177b89da12 (git) Affected: 53fc31a4853e30d6e8f142b824f724da27ff3e40 (git) Affected: 8092ecc306d81186a64cda42411121f4d35aaff4 (git) Affected: ebac4d0adf68f8962bd82fcf483936edd6ec095b (git) Affected: 3.16.72 , < 3.17 (semver) Affected: 4.9.171 , < 4.10 (semver) Affected: 4.14.114 , < 4.15 (semver) Affected: 4.19.37 , < 4.20 (semver) Affected: 5.0.10 , < 5.1 (semver) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:39:23.898Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/smb/client/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4256a483fe58af66a46cbf3dc48ff26e580d3308",
"status": "affected",
"version": "b98749cac4a695f084a5ff076f4510b23e353ecd",
"versionType": "git"
},
{
"lessThan": "0a4eec84d4d2c4085d4ed8630fd74e4b39033c1b",
"status": "affected",
"version": "b98749cac4a695f084a5ff076f4510b23e353ecd",
"versionType": "git"
},
{
"lessThan": "2baaf5bbab2ac474c4f92c10fcb3310f824db995",
"status": "affected",
"version": "b98749cac4a695f084a5ff076f4510b23e353ecd",
"versionType": "git"
},
{
"lessThan": "09bce2138a30ef10d8821c8c3f73a4ab7a5726bc",
"status": "affected",
"version": "b98749cac4a695f084a5ff076f4510b23e353ecd",
"versionType": "git"
},
{
"lessThan": "da11bd4b697b393a207f19a2ed7d382a811a3ddc",
"status": "affected",
"version": "b98749cac4a695f084a5ff076f4510b23e353ecd",
"versionType": "git"
},
{
"lessThan": "705c79101ccf9edea5a00d761491a03ced314210",
"status": "affected",
"version": "b98749cac4a695f084a5ff076f4510b23e353ecd",
"versionType": "git"
},
{
"status": "affected",
"version": "2429fcf06d3cb962693868ab0a927c9038f12a2d",
"versionType": "git"
},
{
"status": "affected",
"version": "1ee4f2d7cdcd4508cc3cbe3b2622d7177b89da12",
"versionType": "git"
},
{
"status": "affected",
"version": "53fc31a4853e30d6e8f142b824f724da27ff3e40",
"versionType": "git"
},
{
"status": "affected",
"version": "8092ecc306d81186a64cda42411121f4d35aaff4",
"versionType": "git"
},
{
"status": "affected",
"version": "ebac4d0adf68f8962bd82fcf483936edd6ec095b",
"versionType": "git"
},
{
"lessThan": "3.17",
"status": "affected",
"version": "3.16.72",
"versionType": "semver"
},
{
"lessThan": "4.10",
"status": "affected",
"version": "4.9.171",
"versionType": "semver"
},
{
"lessThan": "4.15",
"status": "affected",
"version": "4.14.114",
"versionType": "semver"
},
{
"lessThan": "4.20",
"status": "affected",
"version": "4.19.37",
"versionType": "semver"
},
{
"lessThan": "5.1",
"status": "affected",
"version": "5.0.10",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/smb/client/file.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.1"
},
{
"lessThan": "5.1",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.147",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.147",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.100",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.8",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.16.72",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.171",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.114",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.0.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix use-after-free in cifs_oplock_break\n\nA race condition can occur in cifs_oplock_break() leading to a\nuse-after-free of the cinode structure when unmounting:\n\n cifs_oplock_break()\n _cifsFileInfo_put(cfile)\n cifsFileInfo_put_final()\n cifs_sb_deactive()\n [last ref, start releasing sb]\n kill_sb()\n kill_anon_super()\n generic_shutdown_super()\n evict_inodes()\n dispose_list()\n evict()\n destroy_inode()\n call_rcu(\u0026inode-\u003ei_rcu, i_callback)\n spin_lock(\u0026cinode-\u003eopen_file_lock) \u003c- OK\n [later] i_callback()\n cifs_free_inode()\n kmem_cache_free(cinode)\n spin_unlock(\u0026cinode-\u003eopen_file_lock) \u003c- UAF\n cifs_done_oplock_break(cinode) \u003c- UAF\n\nThe issue occurs when umount has already released its reference to the\nsuperblock. When _cifsFileInfo_put() calls cifs_sb_deactive(), this\nreleases the last reference, triggering the immediate cleanup of all\ninodes under RCU. However, cifs_oplock_break() continues to access the\ncinode after this point, resulting in use-after-free.\n\nFix this by holding an extra reference to the superblock during the\nentire oplock break operation. This ensures that the superblock and\nits inodes remain valid until the oplock break completes."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:59:58.193Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4256a483fe58af66a46cbf3dc48ff26e580d3308"
},
{
"url": "https://git.kernel.org/stable/c/0a4eec84d4d2c4085d4ed8630fd74e4b39033c1b"
},
{
"url": "https://git.kernel.org/stable/c/2baaf5bbab2ac474c4f92c10fcb3310f824db995"
},
{
"url": "https://git.kernel.org/stable/c/09bce2138a30ef10d8821c8c3f73a4ab7a5726bc"
},
{
"url": "https://git.kernel.org/stable/c/da11bd4b697b393a207f19a2ed7d382a811a3ddc"
},
{
"url": "https://git.kernel.org/stable/c/705c79101ccf9edea5a00d761491a03ced314210"
}
],
"title": "smb: client: fix use-after-free in cifs_oplock_break",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38527",
"datePublished": "2025-08-16T11:12:20.843Z",
"dateReserved": "2025-04-16T04:51:24.023Z",
"dateUpdated": "2026-05-23T15:59:58.193Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37914 (GCVE-0-2025-37914)
Vulnerability from cvelistv5 – Published: 2025-05-20 15:21 – Updated: 2026-05-11 21:17
VLAI?
EPSS
Title
net_sched: ets: Fix double list add in class with netem as child qdisc
Summary
In the Linux kernel, the following vulnerability has been resolved:
net_sched: ets: Fix double list add in class with netem as child qdisc
As described in Gerrard's report [1], there are use cases where a netem
child qdisc will make the parent qdisc's enqueue callback reentrant.
In the case of ets, there won't be a UAF, but the code will add the same
classifier to the list twice, which will cause memory corruption.
In addition to checking for qlen being zero, this patch checks whether
the class was already added to the active_list (cl_is_active) before
doing the addition to cater for the reentrant case.
[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 , < 24388ba0a1b1b6d4af1b205927ac7f7b119ee4ea
(git)
Affected: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 , < 554acc5a2ea9703e08023eb9a003f9e5a830a502 (git) Affected: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 , < 9efb6a0fa88e0910d079fdfeb4f7ce4d4ac6c990 (git) Affected: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 , < 72c3da7e6ceb74e74ddbb5a305a35c9fdfcac6e3 (git) Affected: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 , < 1f01e9f961605eb397c6ecd1d7b0233dfbf9077c (git) Affected: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 , < bc321f714de693aae06e3786f88df2975376d996 (git) Affected: dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33 , < 1a6d0c00fa07972384b0c308c72db091d49988b6 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:57:16.482Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_ets.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "24388ba0a1b1b6d4af1b205927ac7f7b119ee4ea",
"status": "affected",
"version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
"versionType": "git"
},
{
"lessThan": "554acc5a2ea9703e08023eb9a003f9e5a830a502",
"status": "affected",
"version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
"versionType": "git"
},
{
"lessThan": "9efb6a0fa88e0910d079fdfeb4f7ce4d4ac6c990",
"status": "affected",
"version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
"versionType": "git"
},
{
"lessThan": "72c3da7e6ceb74e74ddbb5a305a35c9fdfcac6e3",
"status": "affected",
"version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
"versionType": "git"
},
{
"lessThan": "1f01e9f961605eb397c6ecd1d7b0233dfbf9077c",
"status": "affected",
"version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
"versionType": "git"
},
{
"lessThan": "bc321f714de693aae06e3786f88df2975376d996",
"status": "affected",
"version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
"versionType": "git"
},
{
"lessThan": "1a6d0c00fa07972384b0c308c72db091d49988b6",
"status": "affected",
"version": "dcc68b4d8084e1ac9af0d4022d6b1aff6a139a33",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_ets.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.6"
},
{
"lessThan": "5.6",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.182",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.138",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.28",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.238",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.182",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.138",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.90",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.28",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.6",
"versionStartIncluding": "5.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: ets: Fix double list add in class with netem as child qdisc\n\nAs described in Gerrard\u0027s report [1], there are use cases where a netem\nchild qdisc will make the parent qdisc\u0027s enqueue callback reentrant.\nIn the case of ets, there won\u0027t be a UAF, but the code will add the same\nclassifier to the list twice, which will cause memory corruption.\n\nIn addition to checking for qlen being zero, this patch checks whether\nthe class was already added to the active_list (cl_is_active) before\ndoing the addition to cater for the reentrant case.\n\n[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:17:33.128Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/24388ba0a1b1b6d4af1b205927ac7f7b119ee4ea"
},
{
"url": "https://git.kernel.org/stable/c/554acc5a2ea9703e08023eb9a003f9e5a830a502"
},
{
"url": "https://git.kernel.org/stable/c/9efb6a0fa88e0910d079fdfeb4f7ce4d4ac6c990"
},
{
"url": "https://git.kernel.org/stable/c/72c3da7e6ceb74e74ddbb5a305a35c9fdfcac6e3"
},
{
"url": "https://git.kernel.org/stable/c/1f01e9f961605eb397c6ecd1d7b0233dfbf9077c"
},
{
"url": "https://git.kernel.org/stable/c/bc321f714de693aae06e3786f88df2975376d996"
},
{
"url": "https://git.kernel.org/stable/c/1a6d0c00fa07972384b0c308c72db091d49988b6"
}
],
"title": "net_sched: ets: Fix double list add in class with netem as child qdisc",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37914",
"datePublished": "2025-05-20T15:21:45.796Z",
"dateReserved": "2025-04-16T04:51:23.967Z",
"dateUpdated": "2026-05-11T21:17:33.128Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39757 (GCVE-0-2025-39757)
Vulnerability from cvelistv5 – Published: 2025-09-11 16:52 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
ALSA: usb-audio: Validate UAC3 cluster segment descriptors
Summary
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Validate UAC3 cluster segment descriptors
UAC3 class segment descriptors need to be verified whether their sizes
match with the declared lengths and whether they fit with the
allocated buffer sizes, too. Otherwise malicious firmware may lead to
the unexpected OOB accesses.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
11785ef53228d23ec386f5fe4a34601536f0c891 , < 799c06ad4c9c790c265e8b6b94947213f1fb389c
(git)
Affected: 11785ef53228d23ec386f5fe4a34601536f0c891 , < 786571b10b1ae6d90e1242848ce78ee7e1d493c4 (git) Affected: 11785ef53228d23ec386f5fe4a34601536f0c891 , < 275e37532e8ebe25e8a4069b2d9f955bfd202a46 (git) Affected: 11785ef53228d23ec386f5fe4a34601536f0c891 , < 47ab3d820cb0a502bd0074f83bb3cf7ab5d79902 (git) Affected: 11785ef53228d23ec386f5fe4a34601536f0c891 , < 1034719fdefd26caeec0a44a868bb5a412c2c1a5 (git) Affected: 11785ef53228d23ec386f5fe4a34601536f0c891 , < ae17b3b5e753efc239421d186cd1ff06e5ac296e (git) Affected: 11785ef53228d23ec386f5fe4a34601536f0c891 , < dfdcbcde5c20df878178245d4449feada7d5b201 (git) Affected: 11785ef53228d23ec386f5fe4a34601536f0c891 , < 7ef3fd250f84494fb2f7871f357808edaa1fc6ce (git) Affected: 11785ef53228d23ec386f5fe4a34601536f0c891 , < ecfd41166b72b67d3bdeb88d224ff445f6163869 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:43:07.057Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"defaultStatus": "unknown",
"product": "SIMATIC CN 4100",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T12:06:47.898Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
}
],
"x_adpType": "supplier"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-39757",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:22.652751Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:11.716Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"sound/usb/stream.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "799c06ad4c9c790c265e8b6b94947213f1fb389c",
"status": "affected",
"version": "11785ef53228d23ec386f5fe4a34601536f0c891",
"versionType": "git"
},
{
"lessThan": "786571b10b1ae6d90e1242848ce78ee7e1d493c4",
"status": "affected",
"version": "11785ef53228d23ec386f5fe4a34601536f0c891",
"versionType": "git"
},
{
"lessThan": "275e37532e8ebe25e8a4069b2d9f955bfd202a46",
"status": "affected",
"version": "11785ef53228d23ec386f5fe4a34601536f0c891",
"versionType": "git"
},
{
"lessThan": "47ab3d820cb0a502bd0074f83bb3cf7ab5d79902",
"status": "affected",
"version": "11785ef53228d23ec386f5fe4a34601536f0c891",
"versionType": "git"
},
{
"lessThan": "1034719fdefd26caeec0a44a868bb5a412c2c1a5",
"status": "affected",
"version": "11785ef53228d23ec386f5fe4a34601536f0c891",
"versionType": "git"
},
{
"lessThan": "ae17b3b5e753efc239421d186cd1ff06e5ac296e",
"status": "affected",
"version": "11785ef53228d23ec386f5fe4a34601536f0c891",
"versionType": "git"
},
{
"lessThan": "dfdcbcde5c20df878178245d4449feada7d5b201",
"status": "affected",
"version": "11785ef53228d23ec386f5fe4a34601536f0c891",
"versionType": "git"
},
{
"lessThan": "7ef3fd250f84494fb2f7871f357808edaa1fc6ce",
"status": "affected",
"version": "11785ef53228d23ec386f5fe4a34601536f0c891",
"versionType": "git"
},
{
"lessThan": "ecfd41166b72b67d3bdeb88d224ff445f6163869",
"status": "affected",
"version": "11785ef53228d23ec386f5fe4a34601536f0c891",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"sound/usb/stream.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.19"
},
{
"lessThan": "4.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.149",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.103",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.43",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.149",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.103",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.43",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.11",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.2",
"versionStartIncluding": "4.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Validate UAC3 cluster segment descriptors\n\nUAC3 class segment descriptors need to be verified whether their sizes\nmatch with the declared lengths and whether they fit with the\nallocated buffer sizes, too. Otherwise malicious firmware may lead to\nthe unexpected OOB accesses."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:35:40.257Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/799c06ad4c9c790c265e8b6b94947213f1fb389c"
},
{
"url": "https://git.kernel.org/stable/c/786571b10b1ae6d90e1242848ce78ee7e1d493c4"
},
{
"url": "https://git.kernel.org/stable/c/275e37532e8ebe25e8a4069b2d9f955bfd202a46"
},
{
"url": "https://git.kernel.org/stable/c/47ab3d820cb0a502bd0074f83bb3cf7ab5d79902"
},
{
"url": "https://git.kernel.org/stable/c/1034719fdefd26caeec0a44a868bb5a412c2c1a5"
},
{
"url": "https://git.kernel.org/stable/c/ae17b3b5e753efc239421d186cd1ff06e5ac296e"
},
{
"url": "https://git.kernel.org/stable/c/dfdcbcde5c20df878178245d4449feada7d5b201"
},
{
"url": "https://git.kernel.org/stable/c/7ef3fd250f84494fb2f7871f357808edaa1fc6ce"
},
{
"url": "https://git.kernel.org/stable/c/ecfd41166b72b67d3bdeb88d224ff445f6163869"
}
],
"title": "ALSA: usb-audio: Validate UAC3 cluster segment descriptors",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39757",
"datePublished": "2025-09-11T16:52:26.900Z",
"dateReserved": "2025-04-16T07:20:57.125Z",
"dateUpdated": "2026-06-11T18:44:11.716Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50228 (GCVE-0-2022-50228)
Vulnerability from cvelistv5 – Published: 2025-06-18 11:04 – Updated: 2026-05-11 19:15
VLAI?
EPSS
Title
KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0
Summary
In the Linux kernel, the following vulnerability has been resolved:
KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0
Don't BUG/WARN on interrupt injection due to GIF being cleared,
since it's trivial for userspace to force the situation via
KVM_SET_VCPU_EVENTS (even if having at least a WARN there would be correct
for KVM internally generated injections).
kernel BUG at arch/x86/kvm/svm/svm.c:3386!
invalid opcode: 0000 [#1] SMP
CPU: 15 PID: 926 Comm: smm_test Not tainted 5.17.0-rc3+ #264
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:svm_inject_irq+0xab/0xb0 [kvm_amd]
Code: <0f> 0b 0f 1f 00 0f 1f 44 00 00 80 3d ac b3 01 00 00 55 48 89 f5 53
RSP: 0018:ffffc90000b37d88 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff88810a234ac0 RCX: 0000000000000006
RDX: 0000000000000000 RSI: ffffc90000b37df7 RDI: ffff88810a234ac0
RBP: ffffc90000b37df7 R08: ffff88810a1fa410 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff888109571000 R14: ffff88810a234ac0 R15: 0000000000000000
FS: 0000000001821380(0000) GS:ffff88846fdc0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f74fc550008 CR3: 000000010a6fe000 CR4: 0000000000350ea0
Call Trace:
<TASK>
inject_pending_event+0x2f7/0x4c0 [kvm]
kvm_arch_vcpu_ioctl_run+0x791/0x17a0 [kvm]
kvm_vcpu_ioctl+0x26d/0x650 [kvm]
__x64_sys_ioctl+0x82/0xb0
do_syscall_64+0x3b/0xc0
entry_SYSCALL_64_after_hwframe+0x44/0xae
</TASK>
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
219b65dcf6c0bad83d51bfa12e25891c02de2414 , < 2c49adeb020995236e63722ef6d0bee14372f471
(git)
Affected: 219b65dcf6c0bad83d51bfa12e25891c02de2414 , < 6fcbab82ccbcde915644085f73d3487938bda42d (git) Affected: 219b65dcf6c0bad83d51bfa12e25891c02de2414 , < c3396c1c8b87510f2ac2a674948156577559d42d (git) Affected: 219b65dcf6c0bad83d51bfa12e25891c02de2414 , < 68e1313bb8809e8addcd9431f2bfea0e8ddbca80 (git) Affected: 219b65dcf6c0bad83d51bfa12e25891c02de2414 , < 8bb683490278005b4caf61e22b0828a04d282e86 (git) Affected: 219b65dcf6c0bad83d51bfa12e25891c02de2414 , < 6afe88fbb40eac3291a8728688d61fdc745d8008 (git) Affected: 219b65dcf6c0bad83d51bfa12e25891c02de2414 , < 3d4e2d884da6312df7c9b85fbf671de49204ead6 (git) Affected: 219b65dcf6c0bad83d51bfa12e25891c02de2414 , < 2eee1dba70f57148fc7f8252613bfae6bd4b04e3 (git) Affected: 219b65dcf6c0bad83d51bfa12e25891c02de2414 , < f17c31c48e5cde9895a491d91c424eeeada3e134 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/svm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "2c49adeb020995236e63722ef6d0bee14372f471",
"status": "affected",
"version": "219b65dcf6c0bad83d51bfa12e25891c02de2414",
"versionType": "git"
},
{
"lessThan": "6fcbab82ccbcde915644085f73d3487938bda42d",
"status": "affected",
"version": "219b65dcf6c0bad83d51bfa12e25891c02de2414",
"versionType": "git"
},
{
"lessThan": "c3396c1c8b87510f2ac2a674948156577559d42d",
"status": "affected",
"version": "219b65dcf6c0bad83d51bfa12e25891c02de2414",
"versionType": "git"
},
{
"lessThan": "68e1313bb8809e8addcd9431f2bfea0e8ddbca80",
"status": "affected",
"version": "219b65dcf6c0bad83d51bfa12e25891c02de2414",
"versionType": "git"
},
{
"lessThan": "8bb683490278005b4caf61e22b0828a04d282e86",
"status": "affected",
"version": "219b65dcf6c0bad83d51bfa12e25891c02de2414",
"versionType": "git"
},
{
"lessThan": "6afe88fbb40eac3291a8728688d61fdc745d8008",
"status": "affected",
"version": "219b65dcf6c0bad83d51bfa12e25891c02de2414",
"versionType": "git"
},
{
"lessThan": "3d4e2d884da6312df7c9b85fbf671de49204ead6",
"status": "affected",
"version": "219b65dcf6c0bad83d51bfa12e25891c02de2414",
"versionType": "git"
},
{
"lessThan": "2eee1dba70f57148fc7f8252613bfae6bd4b04e3",
"status": "affected",
"version": "219b65dcf6c0bad83d51bfa12e25891c02de2414",
"versionType": "git"
},
{
"lessThan": "f17c31c48e5cde9895a491d91c424eeeada3e134",
"status": "affected",
"version": "219b65dcf6c0bad83d51bfa12e25891c02de2414",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"arch/x86/kvm/svm/svm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.32"
},
{
"lessThan": "2.6.32",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.326",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.291",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.256",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.211",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.137",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.326",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.291",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.256",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.211",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.137",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.61",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.18",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.2",
"versionStartIncluding": "2.6.32",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0",
"versionStartIncluding": "2.6.32",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Don\u0027t BUG if userspace injects an interrupt with GIF=0\n\nDon\u0027t BUG/WARN on interrupt injection due to GIF being cleared,\nsince it\u0027s trivial for userspace to force the situation via\nKVM_SET_VCPU_EVENTS (even if having at least a WARN there would be correct\nfor KVM internally generated injections).\n\n kernel BUG at arch/x86/kvm/svm/svm.c:3386!\n invalid opcode: 0000 [#1] SMP\n CPU: 15 PID: 926 Comm: smm_test Not tainted 5.17.0-rc3+ #264\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n RIP: 0010:svm_inject_irq+0xab/0xb0 [kvm_amd]\n Code: \u003c0f\u003e 0b 0f 1f 00 0f 1f 44 00 00 80 3d ac b3 01 00 00 55 48 89 f5 53\n RSP: 0018:ffffc90000b37d88 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: ffff88810a234ac0 RCX: 0000000000000006\n RDX: 0000000000000000 RSI: ffffc90000b37df7 RDI: ffff88810a234ac0\n RBP: ffffc90000b37df7 R08: ffff88810a1fa410 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\n R13: ffff888109571000 R14: ffff88810a234ac0 R15: 0000000000000000\n FS: 0000000001821380(0000) GS:ffff88846fdc0000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f74fc550008 CR3: 000000010a6fe000 CR4: 0000000000350ea0\n Call Trace:\n \u003cTASK\u003e\n inject_pending_event+0x2f7/0x4c0 [kvm]\n kvm_arch_vcpu_ioctl_run+0x791/0x17a0 [kvm]\n kvm_vcpu_ioctl+0x26d/0x650 [kvm]\n __x64_sys_ioctl+0x82/0xb0\n do_syscall_64+0x3b/0xc0\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n \u003c/TASK\u003e"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:15:17.314Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/2c49adeb020995236e63722ef6d0bee14372f471"
},
{
"url": "https://git.kernel.org/stable/c/6fcbab82ccbcde915644085f73d3487938bda42d"
},
{
"url": "https://git.kernel.org/stable/c/c3396c1c8b87510f2ac2a674948156577559d42d"
},
{
"url": "https://git.kernel.org/stable/c/68e1313bb8809e8addcd9431f2bfea0e8ddbca80"
},
{
"url": "https://git.kernel.org/stable/c/8bb683490278005b4caf61e22b0828a04d282e86"
},
{
"url": "https://git.kernel.org/stable/c/6afe88fbb40eac3291a8728688d61fdc745d8008"
},
{
"url": "https://git.kernel.org/stable/c/3d4e2d884da6312df7c9b85fbf671de49204ead6"
},
{
"url": "https://git.kernel.org/stable/c/2eee1dba70f57148fc7f8252613bfae6bd4b04e3"
},
{
"url": "https://git.kernel.org/stable/c/f17c31c48e5cde9895a491d91c424eeeada3e134"
}
],
"title": "KVM: SVM: Don\u0027t BUG if userspace injects an interrupt with GIF=0",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50228",
"datePublished": "2025-06-18T11:04:05.491Z",
"dateReserved": "2025-06-18T10:57:27.432Z",
"dateUpdated": "2026-05-11T19:15:17.314Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37810 (GCVE-0-2025-37810)
Vulnerability from cvelistv5 – Published: 2025-05-08 06:26 – Updated: 2026-05-11 21:15
VLAI?
EPSS
Title
usb: dwc3: gadget: check that event count does not exceed event buffer length
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: gadget: check that event count does not exceed event buffer length
The event count is read from register DWC3_GEVNTCOUNT.
There is a check for the count being zero, but not for exceeding the
event buffer length.
Check that event count does not exceed event buffer length,
avoiding an out-of-bounds access when memcpy'ing the event.
Crash log:
Unable to handle kernel paging request at virtual address ffffffc0129be000
pc : __memcpy+0x114/0x180
lr : dwc3_check_event_buf+0xec/0x348
x3 : 0000000000000030 x2 : 000000000000dfc4
x1 : ffffffc0129be000 x0 : ffffff87aad60080
Call trace:
__memcpy+0x114/0x180
dwc3_interrupt+0x24/0x34
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
72246da40f3719af3bfd104a2365b32537c27d83 , < 015c39f38e69a491d2abd5e98869a500a9459b3b
(git)
Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < b43225948b231b3f331194010f84512bee4d9f59 (git) Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < c0079630f268843a25ed75226169cba40e0d8880 (git) Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < a44547015287a19001384fe94dbff84c92ce4ee1 (git) Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < c4d80e41cb42008dceb35e5dbf52574d93beac0d (git) Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < 52a7c9d930b95aa8b1620edaba4818040c32631f (git) Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < 99d655119b870ee60e4dbf310aa9a1ed8d9ede3d (git) Affected: 72246da40f3719af3bfd104a2365b32537c27d83 , < 63ccd26cd1f6600421795f6ca3e625076be06c9f (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:55:40.941Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/dwc3/gadget.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "015c39f38e69a491d2abd5e98869a500a9459b3b",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
},
{
"lessThan": "b43225948b231b3f331194010f84512bee4d9f59",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
},
{
"lessThan": "c0079630f268843a25ed75226169cba40e0d8880",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
},
{
"lessThan": "a44547015287a19001384fe94dbff84c92ce4ee1",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
},
{
"lessThan": "c4d80e41cb42008dceb35e5dbf52574d93beac0d",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
},
{
"lessThan": "52a7c9d930b95aa8b1620edaba4818040c32631f",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
},
{
"lessThan": "99d655119b870ee60e4dbf310aa9a1ed8d9ede3d",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
},
{
"lessThan": "63ccd26cd1f6600421795f6ca3e625076be06c9f",
"status": "affected",
"version": "72246da40f3719af3bfd104a2365b32537c27d83",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/dwc3/gadget.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.2"
},
{
"lessThan": "3.2",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.237",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.89",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.26",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.293",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.237",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.181",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.136",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.89",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.26",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.5",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: gadget: check that event count does not exceed event buffer length\n\nThe event count is read from register DWC3_GEVNTCOUNT.\nThere is a check for the count being zero, but not for exceeding the\nevent buffer length.\nCheck that event count does not exceed event buffer length,\navoiding an out-of-bounds access when memcpy\u0027ing the event.\nCrash log:\nUnable to handle kernel paging request at virtual address ffffffc0129be000\npc : __memcpy+0x114/0x180\nlr : dwc3_check_event_buf+0xec/0x348\nx3 : 0000000000000030 x2 : 000000000000dfc4\nx1 : ffffffc0129be000 x0 : ffffff87aad60080\nCall trace:\n__memcpy+0x114/0x180\ndwc3_interrupt+0x24/0x34"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:15:34.999Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/015c39f38e69a491d2abd5e98869a500a9459b3b"
},
{
"url": "https://git.kernel.org/stable/c/b43225948b231b3f331194010f84512bee4d9f59"
},
{
"url": "https://git.kernel.org/stable/c/c0079630f268843a25ed75226169cba40e0d8880"
},
{
"url": "https://git.kernel.org/stable/c/a44547015287a19001384fe94dbff84c92ce4ee1"
},
{
"url": "https://git.kernel.org/stable/c/c4d80e41cb42008dceb35e5dbf52574d93beac0d"
},
{
"url": "https://git.kernel.org/stable/c/52a7c9d930b95aa8b1620edaba4818040c32631f"
},
{
"url": "https://git.kernel.org/stable/c/99d655119b870ee60e4dbf310aa9a1ed8d9ede3d"
},
{
"url": "https://git.kernel.org/stable/c/63ccd26cd1f6600421795f6ca3e625076be06c9f"
}
],
"title": "usb: dwc3: gadget: check that event count does not exceed event buffer length",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37810",
"datePublished": "2025-05-08T06:26:08.144Z",
"dateReserved": "2025-04-16T04:51:23.942Z",
"dateUpdated": "2026-05-11T21:15:34.999Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38498 (GCVE-0-2025-38498)
Vulnerability from cvelistv5 – Published: 2025-07-30 06:03 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
do_change_type(): refuse to operate on unmounted/not ours mounts
Summary
In the Linux kernel, the following vulnerability has been resolved:
do_change_type(): refuse to operate on unmounted/not ours mounts
Ensure that propagation settings can only be changed for mounts located
in the caller's mount namespace. This change aligns permission checking
with the rest of mount(2).
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
07b20889e3052c7e77d6a6a54e7e83446eb1ba84 , < 787937c4e373f1722c4343e5a5a4eb0f8543e589
(git)
Affected: 07b20889e3052c7e77d6a6a54e7e83446eb1ba84 , < c7d11fdf8e5db5f34a6c062c7e6ba3a0971879d2 (git) Affected: 07b20889e3052c7e77d6a6a54e7e83446eb1ba84 , < 432a171d60056489270c462e651e6c3a13f855b1 (git) Affected: 07b20889e3052c7e77d6a6a54e7e83446eb1ba84 , < 064014f7812744451d5d0592f3d2bcd727f2ee93 (git) Affected: 07b20889e3052c7e77d6a6a54e7e83446eb1ba84 , < 4f091ad0862b02dc42a19a120b7048de848561f8 (git) Affected: 07b20889e3052c7e77d6a6a54e7e83446eb1ba84 , < 9c1ddfeb662b668fff69c5f1cfdd9f5d23d55d23 (git) Affected: 07b20889e3052c7e77d6a6a54e7e83446eb1ba84 , < 19554c79a2095ddde850906a067915c1ef3a4114 (git) Affected: 07b20889e3052c7e77d6a6a54e7e83446eb1ba84 , < 12f147ddd6de7382dad54812e65f3f08d05809fc (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:39:07.695Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"defaultStatus": "unknown",
"product": "RUGGEDCOM RST2428P",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XCH328",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XCM324",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XCM328",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XCM332",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XRH334 (24 V DC, 8xFO, CC)",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XRM334 (230 V AC, 12xFO)",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XRM334 (230 V AC, 8xFO)",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XRM334 (230V AC, 2x10G, 24xSFP, 8xSFP+)",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XRM334 (24 V DC, 12xFO)",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XRM334 (24 V DC, 8xFO)",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XRM334 (24V DC, 2x10G, 24xSFP, 8xSFP+)",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XRM334 (2x230 V AC, 12xFO)",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XRM334 (2x230 V AC, 8xFO)",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SCALANCE XRM334 (2x230V AC, 2x10G, 24xSFP, 8xSFP+)",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V3.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T12:05:10.512Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-089022.html"
}
],
"x_adpType": "supplier"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-38498",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:40:25.674803Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:01.122Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "787937c4e373f1722c4343e5a5a4eb0f8543e589",
"status": "affected",
"version": "07b20889e3052c7e77d6a6a54e7e83446eb1ba84",
"versionType": "git"
},
{
"lessThan": "c7d11fdf8e5db5f34a6c062c7e6ba3a0971879d2",
"status": "affected",
"version": "07b20889e3052c7e77d6a6a54e7e83446eb1ba84",
"versionType": "git"
},
{
"lessThan": "432a171d60056489270c462e651e6c3a13f855b1",
"status": "affected",
"version": "07b20889e3052c7e77d6a6a54e7e83446eb1ba84",
"versionType": "git"
},
{
"lessThan": "064014f7812744451d5d0592f3d2bcd727f2ee93",
"status": "affected",
"version": "07b20889e3052c7e77d6a6a54e7e83446eb1ba84",
"versionType": "git"
},
{
"lessThan": "4f091ad0862b02dc42a19a120b7048de848561f8",
"status": "affected",
"version": "07b20889e3052c7e77d6a6a54e7e83446eb1ba84",
"versionType": "git"
},
{
"lessThan": "9c1ddfeb662b668fff69c5f1cfdd9f5d23d55d23",
"status": "affected",
"version": "07b20889e3052c7e77d6a6a54e7e83446eb1ba84",
"versionType": "git"
},
{
"lessThan": "19554c79a2095ddde850906a067915c1ef3a4114",
"status": "affected",
"version": "07b20889e3052c7e77d6a6a54e7e83446eb1ba84",
"versionType": "git"
},
{
"lessThan": "12f147ddd6de7382dad54812e65f3f08d05809fc",
"status": "affected",
"version": "07b20889e3052c7e77d6a6a54e7e83446eb1ba84",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.15"
},
{
"lessThan": "2.6.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.295",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.94",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.34",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "2.6.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndo_change_type(): refuse to operate on unmounted/not ours mounts\n\nEnsure that propagation settings can only be changed for mounts located\nin the caller\u0027s mount namespace. This change aligns permission checking\nwith the rest of mount(2)."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:29:10.894Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/787937c4e373f1722c4343e5a5a4eb0f8543e589"
},
{
"url": "https://git.kernel.org/stable/c/c7d11fdf8e5db5f34a6c062c7e6ba3a0971879d2"
},
{
"url": "https://git.kernel.org/stable/c/432a171d60056489270c462e651e6c3a13f855b1"
},
{
"url": "https://git.kernel.org/stable/c/064014f7812744451d5d0592f3d2bcd727f2ee93"
},
{
"url": "https://git.kernel.org/stable/c/4f091ad0862b02dc42a19a120b7048de848561f8"
},
{
"url": "https://git.kernel.org/stable/c/9c1ddfeb662b668fff69c5f1cfdd9f5d23d55d23"
},
{
"url": "https://git.kernel.org/stable/c/19554c79a2095ddde850906a067915c1ef3a4114"
},
{
"url": "https://git.kernel.org/stable/c/12f147ddd6de7382dad54812e65f3f08d05809fc"
}
],
"title": "do_change_type(): refuse to operate on unmounted/not ours mounts",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38498",
"datePublished": "2025-07-30T06:03:36.483Z",
"dateReserved": "2025-04-16T04:51:24.022Z",
"dateUpdated": "2026-06-11T18:44:01.122Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38449 (GCVE-0-2025-38449)
Vulnerability from cvelistv5 – Published: 2025-07-25 15:27 – Updated: 2026-05-11 21:28
VLAI?
EPSS
Title
drm/gem: Acquire references on GEM handles for framebuffers
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/gem: Acquire references on GEM handles for framebuffers
A GEM handle can be released while the GEM buffer object is attached
to a DRM framebuffer. This leads to the release of the dma-buf backing
the buffer object, if any. [1] Trying to use the framebuffer in further
mode-setting operations leads to a segmentation fault. Most easily
happens with driver that use shadow planes for vmap-ing the dma-buf
during a page flip. An example is shown below.
[ 156.791968] ------------[ cut here ]------------
[ 156.796830] WARNING: CPU: 2 PID: 2255 at drivers/dma-buf/dma-buf.c:1527 dma_buf_vmap+0x224/0x430
[...]
[ 156.942028] RIP: 0010:dma_buf_vmap+0x224/0x430
[ 157.043420] Call Trace:
[ 157.045898] <TASK>
[ 157.048030] ? show_trace_log_lvl+0x1af/0x2c0
[ 157.052436] ? show_trace_log_lvl+0x1af/0x2c0
[ 157.056836] ? show_trace_log_lvl+0x1af/0x2c0
[ 157.061253] ? drm_gem_shmem_vmap+0x74/0x710
[ 157.065567] ? dma_buf_vmap+0x224/0x430
[ 157.069446] ? __warn.cold+0x58/0xe4
[ 157.073061] ? dma_buf_vmap+0x224/0x430
[ 157.077111] ? report_bug+0x1dd/0x390
[ 157.080842] ? handle_bug+0x5e/0xa0
[ 157.084389] ? exc_invalid_op+0x14/0x50
[ 157.088291] ? asm_exc_invalid_op+0x16/0x20
[ 157.092548] ? dma_buf_vmap+0x224/0x430
[ 157.096663] ? dma_resv_get_singleton+0x6d/0x230
[ 157.101341] ? __pfx_dma_buf_vmap+0x10/0x10
[ 157.105588] ? __pfx_dma_resv_get_singleton+0x10/0x10
[ 157.110697] drm_gem_shmem_vmap+0x74/0x710
[ 157.114866] drm_gem_vmap+0xa9/0x1b0
[ 157.118763] drm_gem_vmap_unlocked+0x46/0xa0
[ 157.123086] drm_gem_fb_vmap+0xab/0x300
[ 157.126979] drm_atomic_helper_prepare_planes.part.0+0x487/0xb10
[ 157.133032] ? lockdep_init_map_type+0x19d/0x880
[ 157.137701] drm_atomic_helper_commit+0x13d/0x2e0
[ 157.142671] ? drm_atomic_nonblocking_commit+0xa0/0x180
[ 157.147988] drm_mode_atomic_ioctl+0x766/0xe40
[...]
[ 157.346424] ---[ end trace 0000000000000000 ]---
Acquiring GEM handles for the framebuffer's GEM buffer objects prevents
this from happening. The framebuffer's cleanup later puts the handle
references.
Commit 1a148af06000 ("drm/gem-shmem: Use dma_buf from GEM object
instance") triggers the segmentation fault easily by using the dma-buf
field more widely. The underlying issue with reference counting has
been present before.
v2:
- acquire the handle instead of the BO (Christian)
- fix comment style (Christian)
- drop the Fixes tag (Christian)
- rename err_ gotos
- add missing Link tag
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
319c933c71f3dbdb2b3274d1634d3494c70efa06 , < cb4c956a15f8b7f870649454771fc3761f504b5f
(git)
Affected: 319c933c71f3dbdb2b3274d1634d3494c70efa06 , < 08480e285c6a82ce689008d643e4a51db0aaef8b (git) Affected: 319c933c71f3dbdb2b3274d1634d3494c70efa06 , < 3cf520d9860d4ec9f7f32068825da31f18dd3f25 (git) Affected: 319c933c71f3dbdb2b3274d1634d3494c70efa06 , < 5307dce878d4126e1b375587318955bd019c3741 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_gem.c",
"drivers/gpu/drm/drm_gem_framebuffer_helper.c",
"drivers/gpu/drm/drm_internal.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "cb4c956a15f8b7f870649454771fc3761f504b5f",
"status": "affected",
"version": "319c933c71f3dbdb2b3274d1634d3494c70efa06",
"versionType": "git"
},
{
"lessThan": "08480e285c6a82ce689008d643e4a51db0aaef8b",
"status": "affected",
"version": "319c933c71f3dbdb2b3274d1634d3494c70efa06",
"versionType": "git"
},
{
"lessThan": "3cf520d9860d4ec9f7f32068825da31f18dd3f25",
"status": "affected",
"version": "319c933c71f3dbdb2b3274d1634d3494c70efa06",
"versionType": "git"
},
{
"lessThan": "5307dce878d4126e1b375587318955bd019c3741",
"status": "affected",
"version": "319c933c71f3dbdb2b3274d1634d3494c70efa06",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/drm_gem.c",
"drivers/gpu/drm/drm_gem_framebuffer_helper.c",
"drivers/gpu/drm/drm_internal.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.99",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gem: Acquire references on GEM handles for framebuffers\n\nA GEM handle can be released while the GEM buffer object is attached\nto a DRM framebuffer. This leads to the release of the dma-buf backing\nthe buffer object, if any. [1] Trying to use the framebuffer in further\nmode-setting operations leads to a segmentation fault. Most easily\nhappens with driver that use shadow planes for vmap-ing the dma-buf\nduring a page flip. An example is shown below.\n\n[ 156.791968] ------------[ cut here ]------------\n[ 156.796830] WARNING: CPU: 2 PID: 2255 at drivers/dma-buf/dma-buf.c:1527 dma_buf_vmap+0x224/0x430\n[...]\n[ 156.942028] RIP: 0010:dma_buf_vmap+0x224/0x430\n[ 157.043420] Call Trace:\n[ 157.045898] \u003cTASK\u003e\n[ 157.048030] ? show_trace_log_lvl+0x1af/0x2c0\n[ 157.052436] ? show_trace_log_lvl+0x1af/0x2c0\n[ 157.056836] ? show_trace_log_lvl+0x1af/0x2c0\n[ 157.061253] ? drm_gem_shmem_vmap+0x74/0x710\n[ 157.065567] ? dma_buf_vmap+0x224/0x430\n[ 157.069446] ? __warn.cold+0x58/0xe4\n[ 157.073061] ? dma_buf_vmap+0x224/0x430\n[ 157.077111] ? report_bug+0x1dd/0x390\n[ 157.080842] ? handle_bug+0x5e/0xa0\n[ 157.084389] ? exc_invalid_op+0x14/0x50\n[ 157.088291] ? asm_exc_invalid_op+0x16/0x20\n[ 157.092548] ? dma_buf_vmap+0x224/0x430\n[ 157.096663] ? dma_resv_get_singleton+0x6d/0x230\n[ 157.101341] ? __pfx_dma_buf_vmap+0x10/0x10\n[ 157.105588] ? __pfx_dma_resv_get_singleton+0x10/0x10\n[ 157.110697] drm_gem_shmem_vmap+0x74/0x710\n[ 157.114866] drm_gem_vmap+0xa9/0x1b0\n[ 157.118763] drm_gem_vmap_unlocked+0x46/0xa0\n[ 157.123086] drm_gem_fb_vmap+0xab/0x300\n[ 157.126979] drm_atomic_helper_prepare_planes.part.0+0x487/0xb10\n[ 157.133032] ? lockdep_init_map_type+0x19d/0x880\n[ 157.137701] drm_atomic_helper_commit+0x13d/0x2e0\n[ 157.142671] ? drm_atomic_nonblocking_commit+0xa0/0x180\n[ 157.147988] drm_mode_atomic_ioctl+0x766/0xe40\n[...]\n[ 157.346424] ---[ end trace 0000000000000000 ]---\n\nAcquiring GEM handles for the framebuffer\u0027s GEM buffer objects prevents\nthis from happening. The framebuffer\u0027s cleanup later puts the handle\nreferences.\n\nCommit 1a148af06000 (\"drm/gem-shmem: Use dma_buf from GEM object\ninstance\") triggers the segmentation fault easily by using the dma-buf\nfield more widely. The underlying issue with reference counting has\nbeen present before.\n\nv2:\n- acquire the handle instead of the BO (Christian)\n- fix comment style (Christian)\n- drop the Fixes tag (Christian)\n- rename err_ gotos\n- add missing Link tag"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:28:13.216Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/cb4c956a15f8b7f870649454771fc3761f504b5f"
},
{
"url": "https://git.kernel.org/stable/c/08480e285c6a82ce689008d643e4a51db0aaef8b"
},
{
"url": "https://git.kernel.org/stable/c/3cf520d9860d4ec9f7f32068825da31f18dd3f25"
},
{
"url": "https://git.kernel.org/stable/c/5307dce878d4126e1b375587318955bd019c3741"
}
],
"title": "drm/gem: Acquire references on GEM handles for framebuffers",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38449",
"datePublished": "2025-07-25T15:27:30.702Z",
"dateReserved": "2025-04-16T04:51:24.018Z",
"dateUpdated": "2026-05-11T21:28:13.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-49969 (GCVE-0-2022-49969)
Vulnerability from cvelistv5 – Published: 2025-06-18 11:00 – Updated: 2026-05-11 19:10
VLAI?
EPSS
Title
drm/amd/display: clear optc underflow before turn off odm clock
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: clear optc underflow before turn off odm clock
[Why]
After ODM clock off, optc underflow bit will be kept there always and clear not work.
We need to clear that before clock off.
[How]
Clear that if have when clock off.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 443687798d6f094412b7312b64b3bb4d99aedff7
(git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 814b756d4ec3a8728debb116cf49005feada7750 (git) Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 3c1dfeaeb3b4e3ea656041da1241e6ee3c3b3202 (git) Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 5ee30bcfdb32526233d2572f3d9ec371928679f1 (git) Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 3101839b080137c367f3f88c2a040f791de880aa (git) Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < b2a93490201300a749ad261b5c5d05cb50179c44 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/dcn10/dcn10_optc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "443687798d6f094412b7312b64b3bb4d99aedff7",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "814b756d4ec3a8728debb116cf49005feada7750",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "3c1dfeaeb3b4e3ea656041da1241e6ee3c3b3202",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "5ee30bcfdb32526233d2572f3d9ec371928679f1",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "3101839b080137c367f3f88c2a040f791de880aa",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
},
{
"lessThan": "b2a93490201300a749ad261b5c5d05cb50179c44",
"status": "affected",
"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/amd/display/dc/dcn10/dcn10_optc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.15"
},
{
"lessThan": "4.15",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.257",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.212",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.141",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.65",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.257",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.212",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.141",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.65",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.7",
"versionStartIncluding": "4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0",
"versionStartIncluding": "4.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: clear optc underflow before turn off odm clock\n\n[Why]\nAfter ODM clock off, optc underflow bit will be kept there always and clear not work.\nWe need to clear that before clock off.\n\n[How]\nClear that if have when clock off."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:10:12.217Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/443687798d6f094412b7312b64b3bb4d99aedff7"
},
{
"url": "https://git.kernel.org/stable/c/814b756d4ec3a8728debb116cf49005feada7750"
},
{
"url": "https://git.kernel.org/stable/c/3c1dfeaeb3b4e3ea656041da1241e6ee3c3b3202"
},
{
"url": "https://git.kernel.org/stable/c/5ee30bcfdb32526233d2572f3d9ec371928679f1"
},
{
"url": "https://git.kernel.org/stable/c/3101839b080137c367f3f88c2a040f791de880aa"
},
{
"url": "https://git.kernel.org/stable/c/b2a93490201300a749ad261b5c5d05cb50179c44"
}
],
"title": "drm/amd/display: clear optc underflow before turn off odm clock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49969",
"datePublished": "2025-06-18T11:00:33.226Z",
"dateReserved": "2025-06-18T10:57:27.384Z",
"dateUpdated": "2026-05-11T19:10:12.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22097 (GCVE-0-2025-22097)
Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2026-05-11 21:12
VLAI?
EPSS
Title
drm/vkms: Fix use after free and double free on init error
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/vkms: Fix use after free and double free on init error
If the driver initialization fails, the vkms_exit() function might
access an uninitialized or freed default_config pointer and it might
double free it.
Fix both possible errors by initializing default_config only when the
driver initialization succeeded.
Severity ?
7.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
2df7af93fdadb9ba8226fe443fae15ecdefda2a6 , < 49a69f67f53518bdd9b7eeebf019a2da6cc0e954
(git)
Affected: 2df7af93fdadb9ba8226fe443fae15ecdefda2a6 , < 79d138d137b80eeb0a83244d1cff29e64cf91067 (git) Affected: 2df7af93fdadb9ba8226fe443fae15ecdefda2a6 , < 561fc0c5cf41f646f3e9e61784cbc0fc832fb936 (git) Affected: 2df7af93fdadb9ba8226fe443fae15ecdefda2a6 , < d5eb8e347905ab17788a7903fa1d3d06747355f5 (git) Affected: 2df7af93fdadb9ba8226fe443fae15ecdefda2a6 , < b8a18bb53e06d6d3c1fd03d12533d6e333ba8853 (git) Affected: 2df7af93fdadb9ba8226fe443fae15ecdefda2a6 , < 1f68f1cf09d06061eb549726ff8339e064eddebd (git) Affected: 2df7af93fdadb9ba8226fe443fae15ecdefda2a6 , < ed15511a773df86205bda66c37193569575ae828 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-22097",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-25T14:30:06.841533Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-25T14:36:34.623Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:42:13.124Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vkms/vkms_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "49a69f67f53518bdd9b7eeebf019a2da6cc0e954",
"status": "affected",
"version": "2df7af93fdadb9ba8226fe443fae15ecdefda2a6",
"versionType": "git"
},
{
"lessThan": "79d138d137b80eeb0a83244d1cff29e64cf91067",
"status": "affected",
"version": "2df7af93fdadb9ba8226fe443fae15ecdefda2a6",
"versionType": "git"
},
{
"lessThan": "561fc0c5cf41f646f3e9e61784cbc0fc832fb936",
"status": "affected",
"version": "2df7af93fdadb9ba8226fe443fae15ecdefda2a6",
"versionType": "git"
},
{
"lessThan": "d5eb8e347905ab17788a7903fa1d3d06747355f5",
"status": "affected",
"version": "2df7af93fdadb9ba8226fe443fae15ecdefda2a6",
"versionType": "git"
},
{
"lessThan": "b8a18bb53e06d6d3c1fd03d12533d6e333ba8853",
"status": "affected",
"version": "2df7af93fdadb9ba8226fe443fae15ecdefda2a6",
"versionType": "git"
},
{
"lessThan": "1f68f1cf09d06061eb549726ff8339e064eddebd",
"status": "affected",
"version": "2df7af93fdadb9ba8226fe443fae15ecdefda2a6",
"versionType": "git"
},
{
"lessThan": "ed15511a773df86205bda66c37193569575ae828",
"status": "affected",
"version": "2df7af93fdadb9ba8226fe443fae15ecdefda2a6",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/gpu/drm/vkms/vkms_drv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.12"
},
{
"lessThan": "5.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.180",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.87",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.23",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.13.*",
"status": "unaffected",
"version": "6.13.11",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.180",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.134",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.87",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.23",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.13.11",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.2",
"versionStartIncluding": "5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "5.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vkms: Fix use after free and double free on init error\n\nIf the driver initialization fails, the vkms_exit() function might\naccess an uninitialized or freed default_config pointer and it might\ndouble free it.\n\nFix both possible errors by initializing default_config only when the\ndriver initialization succeeded."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:12:54.498Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/49a69f67f53518bdd9b7eeebf019a2da6cc0e954"
},
{
"url": "https://git.kernel.org/stable/c/79d138d137b80eeb0a83244d1cff29e64cf91067"
},
{
"url": "https://git.kernel.org/stable/c/561fc0c5cf41f646f3e9e61784cbc0fc832fb936"
},
{
"url": "https://git.kernel.org/stable/c/d5eb8e347905ab17788a7903fa1d3d06747355f5"
},
{
"url": "https://git.kernel.org/stable/c/b8a18bb53e06d6d3c1fd03d12533d6e333ba8853"
},
{
"url": "https://git.kernel.org/stable/c/1f68f1cf09d06061eb549726ff8339e064eddebd"
},
{
"url": "https://git.kernel.org/stable/c/ed15511a773df86205bda66c37193569575ae828"
}
],
"title": "drm/vkms: Fix use after free and double free on init error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-22097",
"datePublished": "2025-04-16T14:12:47.649Z",
"dateReserved": "2024-12-29T08:45:45.818Z",
"dateUpdated": "2026-05-11T21:12:54.498Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-22555 (GCVE-0-2021-22555)
Vulnerability from cvelistv5 – Published: 2021-07-07 11:20 – Updated: 2025-12-30 20:32
VLAI?
EPSS
Title
Heap Out-Of-Bounds Write in Netfilter IP6T_SO_SET_REPLACE
Summary
A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space
Severity ?
8.3 (High)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Linux Kernel |
Affected:
2.6.19-rc1 , < unspecified
(custom)
|
Credits
Andy Nguyen
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:44:14.199Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/google/security-research/security/advisories/GHSA-xxx5-8mvq-3528"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/netfilter/x_tables.c?id=9fa492cdc160cd27ce1046cb36f47d3b2b1efa21"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/netfilter/x_tables.c?id=b29c457a6511435960115c0f548c4360d5f4801d"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/163528/Linux-Kernel-Netfilter-Heap-Out-Of-Bounds-Write.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210805-0010/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/163878/Kernel-Live-Patch-Security-Notice-LSN-0080-1.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/164155/Kernel-Live-Patch-Security-Notice-LSN-0081-1.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/164437/Netfilter-x_tables-Heap-Out-Of-Bounds-Write-Privilege-Escalation.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/165477/Kernel-Live-Patch-Security-Notice-LSN-0083-1.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-22555",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-04T03:55:24.534831Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-10-06",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22555"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T20:32:33.647Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22555"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Linux Kernel",
"vendor": "n/a",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "2.6.19-rc1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Andy Nguyen"
}
],
"datePublic": "2021-07-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-06T19:06:15.000Z",
"orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"shortName": "Google"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/google/security-research/security/advisories/GHSA-xxx5-8mvq-3528"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/netfilter/x_tables.c?id=9fa492cdc160cd27ce1046cb36f47d3b2b1efa21"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/netfilter/x_tables.c?id=b29c457a6511435960115c0f548c4360d5f4801d"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/163528/Linux-Kernel-Netfilter-Heap-Out-Of-Bounds-Write.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210805-0010/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/163878/Kernel-Live-Patch-Security-Notice-LSN-0080-1.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/164155/Kernel-Live-Patch-Security-Notice-LSN-0081-1.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/164437/Netfilter-x_tables-Heap-Out-Of-Bounds-Write-Privilege-Escalation.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/165477/Kernel-Live-Patch-Security-Notice-LSN-0083-1.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Heap Out-Of-Bounds Write in Netfilter IP6T_SO_SET_REPLACE",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@google.com",
"DATE_PUBLIC": "2021-07-04T10:00:00.000Z",
"ID": "CVE-2021-22555",
"STATE": "PUBLIC",
"TITLE": "Heap Out-Of-Bounds Write in Netfilter IP6T_SO_SET_REPLACE"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Linux Kernel",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "2.6.19-rc1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Andy Nguyen"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-787 Out-of-bounds Write"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/google/security-research/security/advisories/GHSA-xxx5-8mvq-3528",
"refsource": "MISC",
"url": "https://github.com/google/security-research/security/advisories/GHSA-xxx5-8mvq-3528"
},
{
"name": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/netfilter/x_tables.c?id=9fa492cdc160cd27ce1046cb36f47d3b2b1efa21",
"refsource": "MISC",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/netfilter/x_tables.c?id=9fa492cdc160cd27ce1046cb36f47d3b2b1efa21"
},
{
"name": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/netfilter/x_tables.c?id=b29c457a6511435960115c0f548c4360d5f4801d",
"refsource": "MISC",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/netfilter/x_tables.c?id=b29c457a6511435960115c0f548c4360d5f4801d"
},
{
"name": "http://packetstormsecurity.com/files/163528/Linux-Kernel-Netfilter-Heap-Out-Of-Bounds-Write.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/163528/Linux-Kernel-Netfilter-Heap-Out-Of-Bounds-Write.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210805-0010/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210805-0010/"
},
{
"name": "http://packetstormsecurity.com/files/163878/Kernel-Live-Patch-Security-Notice-LSN-0080-1.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/163878/Kernel-Live-Patch-Security-Notice-LSN-0080-1.html"
},
{
"name": "http://packetstormsecurity.com/files/164155/Kernel-Live-Patch-Security-Notice-LSN-0081-1.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/164155/Kernel-Live-Patch-Security-Notice-LSN-0081-1.html"
},
{
"name": "http://packetstormsecurity.com/files/164437/Netfilter-x_tables-Heap-Out-Of-Bounds-Write-Privilege-Escalation.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/164437/Netfilter-x_tables-Heap-Out-Of-Bounds-Write-Privilege-Escalation.html"
},
{
"name": "http://packetstormsecurity.com/files/165477/Kernel-Live-Patch-Security-Notice-LSN-0083-1.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/165477/Kernel-Live-Patch-Security-Notice-LSN-0083-1.html"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"assignerShortName": "Google",
"cveId": "CVE-2021-22555",
"datePublished": "2021-07-07T11:20:10.668Z",
"dateReserved": "2021-01-05T00:00:00.000Z",
"dateUpdated": "2025-12-30T20:32:33.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-50087 (GCVE-0-2022-50087)
Vulnerability from cvelistv5 – Published: 2025-06-18 11:02 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails
Summary
In the Linux kernel, the following vulnerability has been resolved:
firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails
When scpi probe fails, at any point, we need to ensure that the scpi_info
is not set and will remain NULL until the probe succeeds. If it is not
taken care, then it could result use-after-free as the value is exported
via get_scpi_ops() and could refer to a memory allocated via devm_kzalloc()
but freed when the probe fails.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
8cb7cf56c9fe5412de238465b27ef35b4d2801aa , < 5aa558232edc30468d1f35108826dd5b3ffe978f
(git)
Affected: 8cb7cf56c9fe5412de238465b27ef35b4d2801aa , < 18048cba444a7c41dbf42c180d6b46606fc24c51 (git) Affected: 8cb7cf56c9fe5412de238465b27ef35b4d2801aa , < 08272646cd7c310642c39b7f54348fddd7987643 (git) Affected: 8cb7cf56c9fe5412de238465b27ef35b4d2801aa , < 0c29e149b6bb498778ed8a1c9597b51acfba7856 (git) Affected: 8cb7cf56c9fe5412de238465b27ef35b4d2801aa , < 87c4896d5dd7fd9927c814cf3c6289f41de3b562 (git) Affected: 8cb7cf56c9fe5412de238465b27ef35b4d2801aa , < 4f2d7b46d6b53c07f44a4f8f8f4438888f0e9e87 (git) Affected: 8cb7cf56c9fe5412de238465b27ef35b4d2801aa , < 689640efc0a2c4e07e6f88affe6d42cd40cc3f85 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-50087",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:34.847637Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:13.909Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/firmware/arm_scpi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5aa558232edc30468d1f35108826dd5b3ffe978f",
"status": "affected",
"version": "8cb7cf56c9fe5412de238465b27ef35b4d2801aa",
"versionType": "git"
},
{
"lessThan": "18048cba444a7c41dbf42c180d6b46606fc24c51",
"status": "affected",
"version": "8cb7cf56c9fe5412de238465b27ef35b4d2801aa",
"versionType": "git"
},
{
"lessThan": "08272646cd7c310642c39b7f54348fddd7987643",
"status": "affected",
"version": "8cb7cf56c9fe5412de238465b27ef35b4d2801aa",
"versionType": "git"
},
{
"lessThan": "0c29e149b6bb498778ed8a1c9597b51acfba7856",
"status": "affected",
"version": "8cb7cf56c9fe5412de238465b27ef35b4d2801aa",
"versionType": "git"
},
{
"lessThan": "87c4896d5dd7fd9927c814cf3c6289f41de3b562",
"status": "affected",
"version": "8cb7cf56c9fe5412de238465b27ef35b4d2801aa",
"versionType": "git"
},
{
"lessThan": "4f2d7b46d6b53c07f44a4f8f8f4438888f0e9e87",
"status": "affected",
"version": "8cb7cf56c9fe5412de238465b27ef35b4d2801aa",
"versionType": "git"
},
{
"lessThan": "689640efc0a2c4e07e6f88affe6d42cd40cc3f85",
"status": "affected",
"version": "8cb7cf56c9fe5412de238465b27ef35b4d2801aa",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/firmware/arm_scpi.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.4"
},
{
"lessThan": "4.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.256",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.211",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.137",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.61",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"version": "5.18.18",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.256",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.211",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.137",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.61",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.18.18",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.2",
"versionStartIncluding": "4.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0",
"versionStartIncluding": "4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails\n\nWhen scpi probe fails, at any point, we need to ensure that the scpi_info\nis not set and will remain NULL until the probe succeeds. If it is not\ntaken care, then it could result use-after-free as the value is exported\nvia get_scpi_ops() and could refer to a memory allocated via devm_kzalloc()\nbut freed when the probe fails."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:12:34.700Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5aa558232edc30468d1f35108826dd5b3ffe978f"
},
{
"url": "https://git.kernel.org/stable/c/18048cba444a7c41dbf42c180d6b46606fc24c51"
},
{
"url": "https://git.kernel.org/stable/c/08272646cd7c310642c39b7f54348fddd7987643"
},
{
"url": "https://git.kernel.org/stable/c/0c29e149b6bb498778ed8a1c9597b51acfba7856"
},
{
"url": "https://git.kernel.org/stable/c/87c4896d5dd7fd9927c814cf3c6289f41de3b562"
},
{
"url": "https://git.kernel.org/stable/c/4f2d7b46d6b53c07f44a4f8f8f4438888f0e9e87"
},
{
"url": "https://git.kernel.org/stable/c/689640efc0a2c4e07e6f88affe6d42cd40cc3f85"
}
],
"title": "firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50087",
"datePublished": "2025-06-18T11:02:28.079Z",
"dateReserved": "2025-06-18T10:57:27.410Z",
"dateUpdated": "2026-06-11T18:44:13.909Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38200 (GCVE-0-2025-38200)
Vulnerability from cvelistv5 – Published: 2025-07-04 13:37 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
i40e: fix MMIO write access to an invalid page in i40e_clear_hw
Summary
In the Linux kernel, the following vulnerability has been resolved:
i40e: fix MMIO write access to an invalid page in i40e_clear_hw
When the device sends a specific input, an integer underflow can occur, leading
to MMIO write access to an invalid page.
Prevent the integer underflow by changing the type of related variables.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1bff652941c4d94f97610c9a30473aad6f5b2fff , < 872607632c658d3739e4e7889e4f3c419ae2c193
(git)
Affected: 1bff652941c4d94f97610c9a30473aad6f5b2fff , < 5e75c9082987479e647c75ec8fdf18fa68263c42 (git) Affected: 1bff652941c4d94f97610c9a30473aad6f5b2fff , < fecb2fc3fc10c95724407cc45ea35af4a65cdde2 (git) Affected: 1bff652941c4d94f97610c9a30473aad6f5b2fff , < d88a1e8f024ba26e19350958fecbf771a9960352 (git) Affected: 1bff652941c4d94f97610c9a30473aad6f5b2fff , < 8cde755f56163281ec2c46b4ae8b61f532758a6f (git) Affected: 1bff652941c4d94f97610c9a30473aad6f5b2fff , < 3502dd42f178dae9d54696013386bb52b4f2e655 (git) Affected: 1bff652941c4d94f97610c9a30473aad6f5b2fff , < 2a1f4f2e36442a9bdf771acf6ee86f3cf876e5ca (git) Affected: 1bff652941c4d94f97610c9a30473aad6f5b2fff , < 015bac5daca978448f2671478c553ce1f300c21e (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:35:23.815Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-38200",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:27.933422Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:12.667Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "872607632c658d3739e4e7889e4f3c419ae2c193",
"status": "affected",
"version": "1bff652941c4d94f97610c9a30473aad6f5b2fff",
"versionType": "git"
},
{
"lessThan": "5e75c9082987479e647c75ec8fdf18fa68263c42",
"status": "affected",
"version": "1bff652941c4d94f97610c9a30473aad6f5b2fff",
"versionType": "git"
},
{
"lessThan": "fecb2fc3fc10c95724407cc45ea35af4a65cdde2",
"status": "affected",
"version": "1bff652941c4d94f97610c9a30473aad6f5b2fff",
"versionType": "git"
},
{
"lessThan": "d88a1e8f024ba26e19350958fecbf771a9960352",
"status": "affected",
"version": "1bff652941c4d94f97610c9a30473aad6f5b2fff",
"versionType": "git"
},
{
"lessThan": "8cde755f56163281ec2c46b4ae8b61f532758a6f",
"status": "affected",
"version": "1bff652941c4d94f97610c9a30473aad6f5b2fff",
"versionType": "git"
},
{
"lessThan": "3502dd42f178dae9d54696013386bb52b4f2e655",
"status": "affected",
"version": "1bff652941c4d94f97610c9a30473aad6f5b2fff",
"versionType": "git"
},
{
"lessThan": "2a1f4f2e36442a9bdf771acf6ee86f3cf876e5ca",
"status": "affected",
"version": "1bff652941c4d94f97610c9a30473aad6f5b2fff",
"versionType": "git"
},
{
"lessThan": "015bac5daca978448f2671478c553ce1f300c21e",
"status": "affected",
"version": "1bff652941c4d94f97610c9a30473aad6f5b2fff",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/i40e/i40e_common.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.12"
},
{
"lessThan": "3.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.295",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.95",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.35",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.4",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.295",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.95",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.35",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.4",
"versionStartIncluding": "3.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "3.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix MMIO write access to an invalid page in i40e_clear_hw\n\nWhen the device sends a specific input, an integer underflow can occur, leading\nto MMIO write access to an invalid page.\n\nPrevent the integer underflow by changing the type of related variables."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:23:11.414Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/872607632c658d3739e4e7889e4f3c419ae2c193"
},
{
"url": "https://git.kernel.org/stable/c/5e75c9082987479e647c75ec8fdf18fa68263c42"
},
{
"url": "https://git.kernel.org/stable/c/fecb2fc3fc10c95724407cc45ea35af4a65cdde2"
},
{
"url": "https://git.kernel.org/stable/c/d88a1e8f024ba26e19350958fecbf771a9960352"
},
{
"url": "https://git.kernel.org/stable/c/8cde755f56163281ec2c46b4ae8b61f532758a6f"
},
{
"url": "https://git.kernel.org/stable/c/3502dd42f178dae9d54696013386bb52b4f2e655"
},
{
"url": "https://git.kernel.org/stable/c/2a1f4f2e36442a9bdf771acf6ee86f3cf876e5ca"
},
{
"url": "https://git.kernel.org/stable/c/015bac5daca978448f2671478c553ce1f300c21e"
}
],
"title": "i40e: fix MMIO write access to an invalid page in i40e_clear_hw",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38200",
"datePublished": "2025-07-04T13:37:22.076Z",
"dateReserved": "2025-04-16T04:51:23.993Z",
"dateUpdated": "2026-06-11T18:44:12.667Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38550 (GCVE-0-2025-38550)
Vulnerability from cvelistv5 – Published: 2025-08-16 11:34 – Updated: 2026-05-11 21:30
VLAI?
EPSS
Title
ipv6: mcast: Delay put pmc->idev in mld_del_delrec()
Summary
In the Linux kernel, the following vulnerability has been resolved:
ipv6: mcast: Delay put pmc->idev in mld_del_delrec()
pmc->idev is still used in ip6_mc_clear_src(), so as mld_clear_delrec()
does, the reference should be put after ip6_mc_clear_src() return.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
63ed8de4be81b699ca727e9f8e3344bd487806d7 , < 6e4eec86fe5f6b3fdbc702d1d36ac2a6e7ec0806
(git)
Affected: 63ed8de4be81b699ca727e9f8e3344bd487806d7 , < 728db00a14cacb37f36e9382ab5fad55caf890cc (git) Affected: 63ed8de4be81b699ca727e9f8e3344bd487806d7 , < dcbc346f50a009d8b7f4e330f9f2e22d6442fa26 (git) Affected: 63ed8de4be81b699ca727e9f8e3344bd487806d7 , < 7929d27c747eafe8fca3eecd74a334503ee4c839 (git) Affected: 63ed8de4be81b699ca727e9f8e3344bd487806d7 , < 5f18e0130194550dff734e155029ae734378b5ea (git) Affected: 63ed8de4be81b699ca727e9f8e3344bd487806d7 , < ae3264a25a4635531264728859dbe9c659fad554 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:39:43.796Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/ipv6/mcast.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "6e4eec86fe5f6b3fdbc702d1d36ac2a6e7ec0806",
"status": "affected",
"version": "63ed8de4be81b699ca727e9f8e3344bd487806d7",
"versionType": "git"
},
{
"lessThan": "728db00a14cacb37f36e9382ab5fad55caf890cc",
"status": "affected",
"version": "63ed8de4be81b699ca727e9f8e3344bd487806d7",
"versionType": "git"
},
{
"lessThan": "dcbc346f50a009d8b7f4e330f9f2e22d6442fa26",
"status": "affected",
"version": "63ed8de4be81b699ca727e9f8e3344bd487806d7",
"versionType": "git"
},
{
"lessThan": "7929d27c747eafe8fca3eecd74a334503ee4c839",
"status": "affected",
"version": "63ed8de4be81b699ca727e9f8e3344bd487806d7",
"versionType": "git"
},
{
"lessThan": "5f18e0130194550dff734e155029ae734378b5ea",
"status": "affected",
"version": "63ed8de4be81b699ca727e9f8e3344bd487806d7",
"versionType": "git"
},
{
"lessThan": "ae3264a25a4635531264728859dbe9c659fad554",
"status": "affected",
"version": "63ed8de4be81b699ca727e9f8e3344bd487806d7",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/ipv6/mcast.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.13"
},
{
"lessThan": "5.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.147",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.147",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.100",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.8",
"versionStartIncluding": "5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: mcast: Delay put pmc-\u003eidev in mld_del_delrec()\n\npmc-\u003eidev is still used in ip6_mc_clear_src(), so as mld_clear_delrec()\ndoes, the reference should be put after ip6_mc_clear_src() return."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:30:15.543Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/6e4eec86fe5f6b3fdbc702d1d36ac2a6e7ec0806"
},
{
"url": "https://git.kernel.org/stable/c/728db00a14cacb37f36e9382ab5fad55caf890cc"
},
{
"url": "https://git.kernel.org/stable/c/dcbc346f50a009d8b7f4e330f9f2e22d6442fa26"
},
{
"url": "https://git.kernel.org/stable/c/7929d27c747eafe8fca3eecd74a334503ee4c839"
},
{
"url": "https://git.kernel.org/stable/c/5f18e0130194550dff734e155029ae734378b5ea"
},
{
"url": "https://git.kernel.org/stable/c/ae3264a25a4635531264728859dbe9c659fad554"
}
],
"title": "ipv6: mcast: Delay put pmc-\u003eidev in mld_del_delrec()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38550",
"datePublished": "2025-08-16T11:34:18.619Z",
"dateReserved": "2025-04-16T04:51:24.024Z",
"dateUpdated": "2026-05-11T21:30:15.543Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53125 (GCVE-0-2023-53125)
Vulnerability from cvelistv5 – Published: 2025-05-02 15:56 – Updated: 2026-05-11 19:38
VLAI?
EPSS
Title
net: usb: smsc75xx: Limit packet length to skb->len
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: usb: smsc75xx: Limit packet length to skb->len
Packet length retrieved from skb data may be larger than
the actual socket buffer length (up to 9026 bytes). In such
case the cloned skb passed up the network stack will leak
kernel memory contents.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
d0cad871703b898a442e4049c532ec39168e5b57 , < 4a4de0a68b18485c68ab4f0cfa665b1633c6d277
(git)
Affected: d0cad871703b898a442e4049c532ec39168e5b57 , < 53966d572d056d6b234cfe76a5f9d60049d3c178 (git) Affected: d0cad871703b898a442e4049c532ec39168e5b57 , < 9fabdd79051a9fe51388df099aff6e4b660fedd2 (git) Affected: d0cad871703b898a442e4049c532ec39168e5b57 , < e294f0aa47e4844f3d3c8766c02accd5a76a7d4e (git) Affected: d0cad871703b898a442e4049c532ec39168e5b57 , < 105db6574281e1e03fcbf87983f4fee111682306 (git) Affected: d0cad871703b898a442e4049c532ec39168e5b57 , < c7bdc137ca163b90917c1eeba4f1937684bd4f8b (git) Affected: d0cad871703b898a442e4049c532ec39168e5b57 , < 8ee5df9c039e37b9d8eb5e3de08bfb7f53d31cb6 (git) Affected: d0cad871703b898a442e4049c532ec39168e5b57 , < d8b228318935044dafe3a5bc07ee71a1f1424b8d (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/smsc75xx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "4a4de0a68b18485c68ab4f0cfa665b1633c6d277",
"status": "affected",
"version": "d0cad871703b898a442e4049c532ec39168e5b57",
"versionType": "git"
},
{
"lessThan": "53966d572d056d6b234cfe76a5f9d60049d3c178",
"status": "affected",
"version": "d0cad871703b898a442e4049c532ec39168e5b57",
"versionType": "git"
},
{
"lessThan": "9fabdd79051a9fe51388df099aff6e4b660fedd2",
"status": "affected",
"version": "d0cad871703b898a442e4049c532ec39168e5b57",
"versionType": "git"
},
{
"lessThan": "e294f0aa47e4844f3d3c8766c02accd5a76a7d4e",
"status": "affected",
"version": "d0cad871703b898a442e4049c532ec39168e5b57",
"versionType": "git"
},
{
"lessThan": "105db6574281e1e03fcbf87983f4fee111682306",
"status": "affected",
"version": "d0cad871703b898a442e4049c532ec39168e5b57",
"versionType": "git"
},
{
"lessThan": "c7bdc137ca163b90917c1eeba4f1937684bd4f8b",
"status": "affected",
"version": "d0cad871703b898a442e4049c532ec39168e5b57",
"versionType": "git"
},
{
"lessThan": "8ee5df9c039e37b9d8eb5e3de08bfb7f53d31cb6",
"status": "affected",
"version": "d0cad871703b898a442e4049c532ec39168e5b57",
"versionType": "git"
},
{
"lessThan": "d8b228318935044dafe3a5bc07ee71a1f1424b8d",
"status": "affected",
"version": "d0cad871703b898a442e4049c532ec39168e5b57",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/usb/smsc75xx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.34"
},
{
"lessThan": "2.6.34",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.311",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.279",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.238",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.176",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.104",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.21",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.2.*",
"status": "unaffected",
"version": "6.2.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.3",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.311",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.279",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.238",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.176",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.104",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.21",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.2.8",
"versionStartIncluding": "2.6.34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.3",
"versionStartIncluding": "2.6.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: smsc75xx: Limit packet length to skb-\u003elen\n\nPacket length retrieved from skb data may be larger than\nthe actual socket buffer length (up to 9026 bytes). In such\ncase the cloned skb passed up the network stack will leak\nkernel memory contents."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:38:58.738Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/4a4de0a68b18485c68ab4f0cfa665b1633c6d277"
},
{
"url": "https://git.kernel.org/stable/c/53966d572d056d6b234cfe76a5f9d60049d3c178"
},
{
"url": "https://git.kernel.org/stable/c/9fabdd79051a9fe51388df099aff6e4b660fedd2"
},
{
"url": "https://git.kernel.org/stable/c/e294f0aa47e4844f3d3c8766c02accd5a76a7d4e"
},
{
"url": "https://git.kernel.org/stable/c/105db6574281e1e03fcbf87983f4fee111682306"
},
{
"url": "https://git.kernel.org/stable/c/c7bdc137ca163b90917c1eeba4f1937684bd4f8b"
},
{
"url": "https://git.kernel.org/stable/c/8ee5df9c039e37b9d8eb5e3de08bfb7f53d31cb6"
},
{
"url": "https://git.kernel.org/stable/c/d8b228318935044dafe3a5bc07ee71a1f1424b8d"
}
],
"title": "net: usb: smsc75xx: Limit packet length to skb-\u003elen",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53125",
"datePublished": "2025-05-02T15:56:01.140Z",
"dateReserved": "2025-05-02T15:51:43.555Z",
"dateUpdated": "2026-05-11T19:38:58.738Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38461 (GCVE-0-2025-38461)
Vulnerability from cvelistv5 – Published: 2025-07-25 15:27 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
vsock: Fix transport_* TOCTOU
Summary
In the Linux kernel, the following vulnerability has been resolved:
vsock: Fix transport_* TOCTOU
Transport assignment may race with module unload. Protect new_transport
from becoming a stale pointer.
This also takes care of an insecure call in vsock_use_local_transport();
add a lockdep assert.
BUG: unable to handle page fault for address: fffffbfff8056000
Oops: Oops: 0000 [#1] SMP KASAN
RIP: 0010:vsock_assign_transport+0x366/0x600
Call Trace:
vsock_connect+0x59c/0xc40
__sys_connect+0xe8/0x100
__x64_sys_connect+0x6e/0xc0
do_syscall_64+0x92/0x1c0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
c0cfa2d8a788fcf45df5bf4070ab2474c88d543a , < 8667e8d0eb46bc54fdae30ba2f4786407d3d88eb
(git)
Affected: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a , < 36a439049b34cca0b3661276049b84a1f76cc21a (git) Affected: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a , < 9ce53e744f18e73059d3124070e960f3aa9902bf (git) Affected: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a , < 9d24bb6780282b0255b9929abe5e8f98007e2c6e (git) Affected: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a , < ae2c712ba39c7007de63cb0c75b51ce1caaf1da5 (git) Affected: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a , < 7b73bddf54777fb62d4d8c7729d0affe6df04477 (git) Affected: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a , < 687aa0c5581b8d4aa87fd92973e4ee576b550cdf (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:38:21.774Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-38461",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:43.452088Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:15.500Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/af_vsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8667e8d0eb46bc54fdae30ba2f4786407d3d88eb",
"status": "affected",
"version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
"versionType": "git"
},
{
"lessThan": "36a439049b34cca0b3661276049b84a1f76cc21a",
"status": "affected",
"version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
"versionType": "git"
},
{
"lessThan": "9ce53e744f18e73059d3124070e960f3aa9902bf",
"status": "affected",
"version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
"versionType": "git"
},
{
"lessThan": "9d24bb6780282b0255b9929abe5e8f98007e2c6e",
"status": "affected",
"version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
"versionType": "git"
},
{
"lessThan": "ae2c712ba39c7007de63cb0c75b51ce1caaf1da5",
"status": "affected",
"version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
"versionType": "git"
},
{
"lessThan": "7b73bddf54777fb62d4d8c7729d0affe6df04477",
"status": "affected",
"version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
"versionType": "git"
},
{
"lessThan": "687aa0c5581b8d4aa87fd92973e4ee576b550cdf",
"status": "affected",
"version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/vmw_vsock/af_vsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.5"
},
{
"lessThan": "5.5",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.240",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.189",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.146",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.99",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.39",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.240",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.189",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.146",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.99",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.39",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.7",
"versionStartIncluding": "5.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: Fix transport_* TOCTOU\n\nTransport assignment may race with module unload. Protect new_transport\nfrom becoming a stale pointer.\n\nThis also takes care of an insecure call in vsock_use_local_transport();\nadd a lockdep assert.\n\nBUG: unable to handle page fault for address: fffffbfff8056000\nOops: Oops: 0000 [#1] SMP KASAN\nRIP: 0010:vsock_assign_transport+0x366/0x600\nCall Trace:\n vsock_connect+0x59c/0xc40\n __sys_connect+0xe8/0x100\n __x64_sys_connect+0x6e/0xc0\n do_syscall_64+0x92/0x1c0\n entry_SYSCALL_64_after_hwframe+0x4b/0x53"
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:28:27.552Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8667e8d0eb46bc54fdae30ba2f4786407d3d88eb"
},
{
"url": "https://git.kernel.org/stable/c/36a439049b34cca0b3661276049b84a1f76cc21a"
},
{
"url": "https://git.kernel.org/stable/c/9ce53e744f18e73059d3124070e960f3aa9902bf"
},
{
"url": "https://git.kernel.org/stable/c/9d24bb6780282b0255b9929abe5e8f98007e2c6e"
},
{
"url": "https://git.kernel.org/stable/c/ae2c712ba39c7007de63cb0c75b51ce1caaf1da5"
},
{
"url": "https://git.kernel.org/stable/c/7b73bddf54777fb62d4d8c7729d0affe6df04477"
},
{
"url": "https://git.kernel.org/stable/c/687aa0c5581b8d4aa87fd92973e4ee576b550cdf"
}
],
"title": "vsock: Fix transport_* TOCTOU",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38461",
"datePublished": "2025-07-25T15:27:39.322Z",
"dateReserved": "2025-04-16T04:51:24.020Z",
"dateUpdated": "2026-06-11T18:44:15.500Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-39730 (GCVE-0-2025-39730)
Vulnerability from cvelistv5 – Published: 2025-09-07 15:16 – Updated: 2026-06-11 18:44
VLAI?
EPSS
Title
NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()
The function needs to check the minimal filehandle length before it can
access the embedded filehandle.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
20fa19027286983ab2734b5910c4a687436e0c31 , < 7f8eca87fef7519e9c41f3258f25ebc2752247ee
(git)
Affected: 20fa19027286983ab2734b5910c4a687436e0c31 , < cb09afa0948d96b1e385d609ed044bb1aa043536 (git) Affected: 20fa19027286983ab2734b5910c4a687436e0c31 , < 3570ef5c31314c13274c935a20b91768ab5bf412 (git) Affected: 20fa19027286983ab2734b5910c4a687436e0c31 , < 763810bb883cb4de412a72f338d80947d97df67b (git) Affected: 20fa19027286983ab2734b5910c4a687436e0c31 , < 12ad3def2e5e0b120e3d0cb6ce8b7b796819ad40 (git) Affected: 20fa19027286983ab2734b5910c4a687436e0c31 , < 2ad40b7992aa26bc631afc1a995b0e3ddc30de3f (git) Affected: 20fa19027286983ab2734b5910c4a687436e0c31 , < b7f7866932466332a2528fda099000b035303485 (git) Affected: 20fa19027286983ab2734b5910c4a687436e0c31 , < 7dd36f7477d1e03a1fcf8d13531ca326c4fb599f (git) Affected: 20fa19027286983ab2734b5910c4a687436e0c31 , < ef93a685e01a281b5e2a25ce4e3428cf9371a205 (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:42:48.789Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-39730",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T20:41:59.038817Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T18:44:18.274Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nfs/export.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "7f8eca87fef7519e9c41f3258f25ebc2752247ee",
"status": "affected",
"version": "20fa19027286983ab2734b5910c4a687436e0c31",
"versionType": "git"
},
{
"lessThan": "cb09afa0948d96b1e385d609ed044bb1aa043536",
"status": "affected",
"version": "20fa19027286983ab2734b5910c4a687436e0c31",
"versionType": "git"
},
{
"lessThan": "3570ef5c31314c13274c935a20b91768ab5bf412",
"status": "affected",
"version": "20fa19027286983ab2734b5910c4a687436e0c31",
"versionType": "git"
},
{
"lessThan": "763810bb883cb4de412a72f338d80947d97df67b",
"status": "affected",
"version": "20fa19027286983ab2734b5910c4a687436e0c31",
"versionType": "git"
},
{
"lessThan": "12ad3def2e5e0b120e3d0cb6ce8b7b796819ad40",
"status": "affected",
"version": "20fa19027286983ab2734b5910c4a687436e0c31",
"versionType": "git"
},
{
"lessThan": "2ad40b7992aa26bc631afc1a995b0e3ddc30de3f",
"status": "affected",
"version": "20fa19027286983ab2734b5910c4a687436e0c31",
"versionType": "git"
},
{
"lessThan": "b7f7866932466332a2528fda099000b035303485",
"status": "affected",
"version": "20fa19027286983ab2734b5910c4a687436e0c31",
"versionType": "git"
},
{
"lessThan": "7dd36f7477d1e03a1fcf8d13531ca326c4fb599f",
"status": "affected",
"version": "20fa19027286983ab2734b5910c4a687436e0c31",
"versionType": "git"
},
{
"lessThan": "ef93a685e01a281b5e2a25ce4e3428cf9371a205",
"status": "affected",
"version": "20fa19027286983ab2734b5910c4a687436e0c31",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nfs/export.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.13"
},
{
"lessThan": "4.13",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.297",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.241",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.297",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.241",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "4.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "4.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFS: Fix filehandle bounds checking in nfs_fh_to_dentry()\n\nThe function needs to check the minimal filehandle length before it can\naccess the embedded filehandle."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:35:09.757Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/7f8eca87fef7519e9c41f3258f25ebc2752247ee"
},
{
"url": "https://git.kernel.org/stable/c/cb09afa0948d96b1e385d609ed044bb1aa043536"
},
{
"url": "https://git.kernel.org/stable/c/3570ef5c31314c13274c935a20b91768ab5bf412"
},
{
"url": "https://git.kernel.org/stable/c/763810bb883cb4de412a72f338d80947d97df67b"
},
{
"url": "https://git.kernel.org/stable/c/12ad3def2e5e0b120e3d0cb6ce8b7b796819ad40"
},
{
"url": "https://git.kernel.org/stable/c/2ad40b7992aa26bc631afc1a995b0e3ddc30de3f"
},
{
"url": "https://git.kernel.org/stable/c/b7f7866932466332a2528fda099000b035303485"
},
{
"url": "https://git.kernel.org/stable/c/7dd36f7477d1e03a1fcf8d13531ca326c4fb599f"
},
{
"url": "https://git.kernel.org/stable/c/ef93a685e01a281b5e2a25ce4e3428cf9371a205"
}
],
"title": "NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-39730",
"datePublished": "2025-09-07T15:16:19.377Z",
"dateReserved": "2025-04-16T07:20:57.118Z",
"dateUpdated": "2026-06-11T18:44:18.274Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38392 (GCVE-0-2025-38392)
Vulnerability from cvelistv5 – Published: 2025-07-25 12:53 – Updated: 2026-05-11 21:27
VLAI?
EPSS
Title
idpf: convert control queue mutex to a spinlock
Summary
In the Linux kernel, the following vulnerability has been resolved:
idpf: convert control queue mutex to a spinlock
With VIRTCHNL2_CAP_MACFILTER enabled, the following warning is generated
on module load:
[ 324.701677] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:578
[ 324.701684] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1582, name: NetworkManager
[ 324.701689] preempt_count: 201, expected: 0
[ 324.701693] RCU nest depth: 0, expected: 0
[ 324.701697] 2 locks held by NetworkManager/1582:
[ 324.701702] #0: ffffffff9f7be770 (rtnl_mutex){....}-{3:3}, at: rtnl_newlink+0x791/0x21e0
[ 324.701730] #1: ff1100216c380368 (_xmit_ETHER){....}-{2:2}, at: __dev_open+0x3f0/0x870
[ 324.701749] Preemption disabled at:
[ 324.701752] [<ffffffff9cd23b9d>] __dev_open+0x3dd/0x870
[ 324.701765] CPU: 30 UID: 0 PID: 1582 Comm: NetworkManager Not tainted 6.15.0-rc5+ #2 PREEMPT(voluntary)
[ 324.701771] Hardware name: Intel Corporation M50FCP2SBSTD/M50FCP2SBSTD, BIOS SE5C741.86B.01.01.0001.2211140926 11/14/2022
[ 324.701774] Call Trace:
[ 324.701777] <TASK>
[ 324.701779] dump_stack_lvl+0x5d/0x80
[ 324.701788] ? __dev_open+0x3dd/0x870
[ 324.701793] __might_resched.cold+0x1ef/0x23d
<..>
[ 324.701818] __mutex_lock+0x113/0x1b80
<..>
[ 324.701917] idpf_ctlq_clean_sq+0xad/0x4b0 [idpf]
[ 324.701935] ? kasan_save_track+0x14/0x30
[ 324.701941] idpf_mb_clean+0x143/0x380 [idpf]
<..>
[ 324.701991] idpf_send_mb_msg+0x111/0x720 [idpf]
[ 324.702009] idpf_vc_xn_exec+0x4cc/0x990 [idpf]
[ 324.702021] ? rcu_is_watching+0x12/0xc0
[ 324.702035] idpf_add_del_mac_filters+0x3ed/0xb50 [idpf]
<..>
[ 324.702122] __hw_addr_sync_dev+0x1cf/0x300
[ 324.702126] ? find_held_lock+0x32/0x90
[ 324.702134] idpf_set_rx_mode+0x317/0x390 [idpf]
[ 324.702152] __dev_open+0x3f8/0x870
[ 324.702159] ? __pfx___dev_open+0x10/0x10
[ 324.702174] __dev_change_flags+0x443/0x650
<..>
[ 324.702208] netif_change_flags+0x80/0x160
[ 324.702218] do_setlink.isra.0+0x16a0/0x3960
<..>
[ 324.702349] rtnl_newlink+0x12fd/0x21e0
The sequence is as follows:
rtnl_newlink()->
__dev_change_flags()->
__dev_open()->
dev_set_rx_mode() - > # disables BH and grabs "dev->addr_list_lock"
idpf_set_rx_mode() -> # proceed only if VIRTCHNL2_CAP_MACFILTER is ON
__dev_uc_sync() ->
idpf_add_mac_filter ->
idpf_add_del_mac_filters ->
idpf_send_mb_msg() ->
idpf_mb_clean() ->
idpf_ctlq_clean_sq() # mutex_lock(cq_lock)
Fix by converting cq_lock to a spinlock. All operations under the new
lock are safe except freeing the DMA memory, which may use vunmap(). Fix
by requesting a contiguous physical memory for the DMA mapping.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
a251eee62133774cf35ff829041377e721ef9c8c , < 9a36715cd6bc6a6f16230e19a7f947bab34b3fe5
(git)
Affected: a251eee62133774cf35ff829041377e721ef9c8c , < dc6c3c2c9dfdaa3a3357f59a80a2904677a71a9a (git) Affected: a251eee62133774cf35ff829041377e721ef9c8c , < b2beb5bb2cd90d7939e470ed4da468683f41baa3 (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf_controlq.c",
"drivers/net/ethernet/intel/idpf/idpf_controlq_api.h",
"drivers/net/ethernet/intel/idpf/idpf_lib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "9a36715cd6bc6a6f16230e19a7f947bab34b3fe5",
"status": "affected",
"version": "a251eee62133774cf35ff829041377e721ef9c8c",
"versionType": "git"
},
{
"lessThan": "dc6c3c2c9dfdaa3a3357f59a80a2904677a71a9a",
"status": "affected",
"version": "a251eee62133774cf35ff829041377e721ef9c8c",
"versionType": "git"
},
{
"lessThan": "b2beb5bb2cd90d7939e470ed4da468683f41baa3",
"status": "affected",
"version": "a251eee62133774cf35ff829041377e721ef9c8c",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/net/ethernet/intel/idpf/idpf_controlq.c",
"drivers/net/ethernet/intel/idpf/idpf_controlq_api.h",
"drivers/net/ethernet/intel/idpf/idpf_lib.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.7"
},
{
"lessThan": "6.7",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.37",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.37",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.6",
"versionStartIncluding": "6.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "6.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: convert control queue mutex to a spinlock\n\nWith VIRTCHNL2_CAP_MACFILTER enabled, the following warning is generated\non module load:\n\n[ 324.701677] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:578\n[ 324.701684] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1582, name: NetworkManager\n[ 324.701689] preempt_count: 201, expected: 0\n[ 324.701693] RCU nest depth: 0, expected: 0\n[ 324.701697] 2 locks held by NetworkManager/1582:\n[ 324.701702] #0: ffffffff9f7be770 (rtnl_mutex){....}-{3:3}, at: rtnl_newlink+0x791/0x21e0\n[ 324.701730] #1: ff1100216c380368 (_xmit_ETHER){....}-{2:2}, at: __dev_open+0x3f0/0x870\n[ 324.701749] Preemption disabled at:\n[ 324.701752] [\u003cffffffff9cd23b9d\u003e] __dev_open+0x3dd/0x870\n[ 324.701765] CPU: 30 UID: 0 PID: 1582 Comm: NetworkManager Not tainted 6.15.0-rc5+ #2 PREEMPT(voluntary)\n[ 324.701771] Hardware name: Intel Corporation M50FCP2SBSTD/M50FCP2SBSTD, BIOS SE5C741.86B.01.01.0001.2211140926 11/14/2022\n[ 324.701774] Call Trace:\n[ 324.701777] \u003cTASK\u003e\n[ 324.701779] dump_stack_lvl+0x5d/0x80\n[ 324.701788] ? __dev_open+0x3dd/0x870\n[ 324.701793] __might_resched.cold+0x1ef/0x23d\n\u003c..\u003e\n[ 324.701818] __mutex_lock+0x113/0x1b80\n\u003c..\u003e\n[ 324.701917] idpf_ctlq_clean_sq+0xad/0x4b0 [idpf]\n[ 324.701935] ? kasan_save_track+0x14/0x30\n[ 324.701941] idpf_mb_clean+0x143/0x380 [idpf]\n\u003c..\u003e\n[ 324.701991] idpf_send_mb_msg+0x111/0x720 [idpf]\n[ 324.702009] idpf_vc_xn_exec+0x4cc/0x990 [idpf]\n[ 324.702021] ? rcu_is_watching+0x12/0xc0\n[ 324.702035] idpf_add_del_mac_filters+0x3ed/0xb50 [idpf]\n\u003c..\u003e\n[ 324.702122] __hw_addr_sync_dev+0x1cf/0x300\n[ 324.702126] ? find_held_lock+0x32/0x90\n[ 324.702134] idpf_set_rx_mode+0x317/0x390 [idpf]\n[ 324.702152] __dev_open+0x3f8/0x870\n[ 324.702159] ? __pfx___dev_open+0x10/0x10\n[ 324.702174] __dev_change_flags+0x443/0x650\n\u003c..\u003e\n[ 324.702208] netif_change_flags+0x80/0x160\n[ 324.702218] do_setlink.isra.0+0x16a0/0x3960\n\u003c..\u003e\n[ 324.702349] rtnl_newlink+0x12fd/0x21e0\n\nThe sequence is as follows:\n\trtnl_newlink()-\u003e\n\t__dev_change_flags()-\u003e\n\t__dev_open()-\u003e\n\tdev_set_rx_mode() - \u003e # disables BH and grabs \"dev-\u003eaddr_list_lock\"\n\tidpf_set_rx_mode() -\u003e # proceed only if VIRTCHNL2_CAP_MACFILTER is ON\n\t__dev_uc_sync() -\u003e\n\tidpf_add_mac_filter -\u003e\n\tidpf_add_del_mac_filters -\u003e\n\tidpf_send_mb_msg() -\u003e\n\tidpf_mb_clean() -\u003e\n\tidpf_ctlq_clean_sq() # mutex_lock(cq_lock)\n\nFix by converting cq_lock to a spinlock. All operations under the new\nlock are safe except freeing the DMA memory, which may use vunmap(). Fix\nby requesting a contiguous physical memory for the DMA mapping."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:27:05.801Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/9a36715cd6bc6a6f16230e19a7f947bab34b3fe5"
},
{
"url": "https://git.kernel.org/stable/c/dc6c3c2c9dfdaa3a3357f59a80a2904677a71a9a"
},
{
"url": "https://git.kernel.org/stable/c/b2beb5bb2cd90d7939e470ed4da468683f41baa3"
}
],
"title": "idpf: convert control queue mutex to a spinlock",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38392",
"datePublished": "2025-07-25T12:53:37.175Z",
"dateReserved": "2025-04-16T04:51:24.011Z",
"dateUpdated": "2026-05-11T21:27:05.801Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37823 (GCVE-0-2025-37823)
Vulnerability from cvelistv5 – Published: 2025-05-08 06:26 – Updated: 2026-05-11 21:15
VLAI?
EPSS
Title
net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too
Summary
In the Linux kernel, the following vulnerability has been resolved:
net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too
Similarly to the previous patch, we need to safe guard hfsc_dequeue()
too. But for this one, we don't have a reliable reproducer.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 68f256305ceb426d545a0dc31f83c2ab1d211a1e
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 2f46d14919c39528c6e540ebc43f90055993eedc (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < da7936518996d290e2fcfcaf6cd7e15bfd87804a (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 11bccb054c1462fb069219f8e98e97a5a730758e (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 76c4c22c2437d3d3880efc0f62eca06ef078d290 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c6f035044104c6ff656f4565cd22938dc892528c (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c6936266f8bf98a53f28ef9a820e6a501e946d09 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6ccbda44e2cc3d26fd22af54c650d6d5d801addf (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:55:56.301Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_hfsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "68f256305ceb426d545a0dc31f83c2ab1d211a1e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "2f46d14919c39528c6e540ebc43f90055993eedc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "da7936518996d290e2fcfcaf6cd7e15bfd87804a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "11bccb054c1462fb069219f8e98e97a5a730758e",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "76c4c22c2437d3d3880efc0f62eca06ef078d290",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c6f035044104c6ff656f4565cd22938dc892528c",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c6936266f8bf98a53f28ef9a820e6a501e946d09",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6ccbda44e2cc3d26fd22af54c650d6d5d801addf",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_hfsc.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.237",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.181",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.89",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.26",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.14.*",
"status": "unaffected",
"version": "6.14.5",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.15",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.293",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.237",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.181",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.136",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.89",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.26",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.5",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too\n\nSimilarly to the previous patch, we need to safe guard hfsc_dequeue()\ntoo. But for this one, we don\u0027t have a reliable reproducer."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:15:49.957Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/68f256305ceb426d545a0dc31f83c2ab1d211a1e"
},
{
"url": "https://git.kernel.org/stable/c/2f46d14919c39528c6e540ebc43f90055993eedc"
},
{
"url": "https://git.kernel.org/stable/c/da7936518996d290e2fcfcaf6cd7e15bfd87804a"
},
{
"url": "https://git.kernel.org/stable/c/11bccb054c1462fb069219f8e98e97a5a730758e"
},
{
"url": "https://git.kernel.org/stable/c/76c4c22c2437d3d3880efc0f62eca06ef078d290"
},
{
"url": "https://git.kernel.org/stable/c/c6f035044104c6ff656f4565cd22938dc892528c"
},
{
"url": "https://git.kernel.org/stable/c/c6936266f8bf98a53f28ef9a820e6a501e946d09"
},
{
"url": "https://git.kernel.org/stable/c/6ccbda44e2cc3d26fd22af54c650d6d5d801addf"
}
],
"title": "net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-37823",
"datePublished": "2025-05-08T06:26:16.839Z",
"dateReserved": "2025-04-16T04:51:23.947Z",
"dateUpdated": "2026-05-11T21:15:49.957Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-53305 (GCVE-0-2023-53305)
Vulnerability from cvelistv5 – Published: 2025-09-16 16:11 – Updated: 2026-05-11 19:42
VLAI?
EPSS
Title
Bluetooth: L2CAP: Fix use-after-free
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix use-after-free
Fix potential use-after-free in l2cap_le_command_rej.
Severity ?
7.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
71fb419724fadab4efdf98210aa3fe053bd81d29 , < e76bab1b7afa580cd76362540fc37551ada4359b
(git)
Affected: 71fb419724fadab4efdf98210aa3fe053bd81d29 , < 1a40c56e8bff3e424724d78a9a6b3272dd8a371d (git) Affected: 71fb419724fadab4efdf98210aa3fe053bd81d29 , < fe49aa73cca6608714477b74bfc6874b9db979df (git) Affected: 71fb419724fadab4efdf98210aa3fe053bd81d29 , < 2958cf9f805b9f0bdc4a761bf6ea281eb8d44f8e (git) Affected: 71fb419724fadab4efdf98210aa3fe053bd81d29 , < 548a6b64b3c0688f01119a6fcccceb41f8c984e4 (git) Affected: 71fb419724fadab4efdf98210aa3fe053bd81d29 , < 149daab45922ab1ac7f0cbeacab7251a46bf5e63 (git) Affected: 71fb419724fadab4efdf98210aa3fe053bd81d29 , < 255be68150291440657b2cdb09420b69441af3d8 (git) Affected: 71fb419724fadab4efdf98210aa3fe053bd81d29 , < f752a0b334bb95fe9b42ecb511e0864e2768046f (git) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-53305",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T18:23:06.561439Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T18:32:56.186Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e76bab1b7afa580cd76362540fc37551ada4359b",
"status": "affected",
"version": "71fb419724fadab4efdf98210aa3fe053bd81d29",
"versionType": "git"
},
{
"lessThan": "1a40c56e8bff3e424724d78a9a6b3272dd8a371d",
"status": "affected",
"version": "71fb419724fadab4efdf98210aa3fe053bd81d29",
"versionType": "git"
},
{
"lessThan": "fe49aa73cca6608714477b74bfc6874b9db979df",
"status": "affected",
"version": "71fb419724fadab4efdf98210aa3fe053bd81d29",
"versionType": "git"
},
{
"lessThan": "2958cf9f805b9f0bdc4a761bf6ea281eb8d44f8e",
"status": "affected",
"version": "71fb419724fadab4efdf98210aa3fe053bd81d29",
"versionType": "git"
},
{
"lessThan": "548a6b64b3c0688f01119a6fcccceb41f8c984e4",
"status": "affected",
"version": "71fb419724fadab4efdf98210aa3fe053bd81d29",
"versionType": "git"
},
{
"lessThan": "149daab45922ab1ac7f0cbeacab7251a46bf5e63",
"status": "affected",
"version": "71fb419724fadab4efdf98210aa3fe053bd81d29",
"versionType": "git"
},
{
"lessThan": "255be68150291440657b2cdb09420b69441af3d8",
"status": "affected",
"version": "71fb419724fadab4efdf98210aa3fe053bd81d29",
"versionType": "git"
},
{
"lessThan": "f752a0b334bb95fe9b42ecb511e0864e2768046f",
"status": "affected",
"version": "71fb419724fadab4efdf98210aa3fe053bd81d29",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/bluetooth/l2cap_core.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.14"
},
{
"lessThan": "3.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.324",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.293",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.255",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.192",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.128",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.47",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.324",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.293",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.255",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.192",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.128",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.47",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.12",
"versionStartIncluding": "3.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"versionStartIncluding": "3.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix use-after-free\n\nFix potential use-after-free in l2cap_le_command_rej."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:42:22.586Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e76bab1b7afa580cd76362540fc37551ada4359b"
},
{
"url": "https://git.kernel.org/stable/c/1a40c56e8bff3e424724d78a9a6b3272dd8a371d"
},
{
"url": "https://git.kernel.org/stable/c/fe49aa73cca6608714477b74bfc6874b9db979df"
},
{
"url": "https://git.kernel.org/stable/c/2958cf9f805b9f0bdc4a761bf6ea281eb8d44f8e"
},
{
"url": "https://git.kernel.org/stable/c/548a6b64b3c0688f01119a6fcccceb41f8c984e4"
},
{
"url": "https://git.kernel.org/stable/c/149daab45922ab1ac7f0cbeacab7251a46bf5e63"
},
{
"url": "https://git.kernel.org/stable/c/255be68150291440657b2cdb09420b69441af3d8"
},
{
"url": "https://git.kernel.org/stable/c/f752a0b334bb95fe9b42ecb511e0864e2768046f"
}
],
"title": "Bluetooth: L2CAP: Fix use-after-free",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-53305",
"datePublished": "2025-09-16T16:11:44.845Z",
"dateReserved": "2025-09-16T08:09:37.994Z",
"dateUpdated": "2026-05-11T19:42:22.586Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-38566 (GCVE-0-2025-38566)
Vulnerability from cvelistv5 – Published: 2025-08-19 17:02 – Updated: 2026-05-11 21:30
VLAI?
EPSS
Title
sunrpc: fix handling of server side tls alerts
Summary
In the Linux kernel, the following vulnerability has been resolved:
sunrpc: fix handling of server side tls alerts
Scott Mayhew discovered a security exploit in NFS over TLS in
tls_alert_recv() due to its assumption it can read data from
the msg iterator's kvec..
kTLS implementation splits TLS non-data record payload between
the control message buffer (which includes the type such as TLS
aler or TLS cipher change) and the rest of the payload (say TLS
alert's level/description) which goes into the msg payload buffer.
This patch proposes to rework how control messages are setup and
used by sock_recvmsg().
If no control message structure is setup, kTLS layer will read and
process TLS data record types. As soon as it encounters a TLS control
message, it would return an error. At that point, NFS can setup a
kvec backed msg buffer and read in the control message such as a
TLS alert. Msg iterator can advance the kvec pointer as a part of
the copy process thus we need to revert the iterator before calling
into the tls_alert_recv.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Affected:
5e052dda121e2870dd87181783da4a95d7d2927b , < b1df394621710b312f0393e3f240fdac0764f968
(git)
Affected: 5e052dda121e2870dd87181783da4a95d7d2927b , < 25bb3647d30a20486b5fe7cff2b0e503c16c9692 (git) Affected: 5e052dda121e2870dd87181783da4a95d7d2927b , < 3b549da875414989f480b66835d514be80a0bd9c (git) Affected: 5e052dda121e2870dd87181783da4a95d7d2927b , < 6b33c31cc788073bfbed9297e1f4486ed73d87da (git) Affected: 5e052dda121e2870dd87181783da4a95d7d2927b , < bee47cb026e762841f3faece47b51f985e215edb (git) |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sunrpc/svcsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "b1df394621710b312f0393e3f240fdac0764f968",
"status": "affected",
"version": "5e052dda121e2870dd87181783da4a95d7d2927b",
"versionType": "git"
},
{
"lessThan": "25bb3647d30a20486b5fe7cff2b0e503c16c9692",
"status": "affected",
"version": "5e052dda121e2870dd87181783da4a95d7d2927b",
"versionType": "git"
},
{
"lessThan": "3b549da875414989f480b66835d514be80a0bd9c",
"status": "affected",
"version": "5e052dda121e2870dd87181783da4a95d7d2927b",
"versionType": "git"
},
{
"lessThan": "6b33c31cc788073bfbed9297e1f4486ed73d87da",
"status": "affected",
"version": "5e052dda121e2870dd87181783da4a95d7d2927b",
"versionType": "git"
},
{
"lessThan": "bee47cb026e762841f3faece47b51f985e215edb",
"status": "affected",
"version": "5e052dda121e2870dd87181783da4a95d7d2927b",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sunrpc/svcsock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.4"
},
{
"lessThan": "6.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "6.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: fix handling of server side tls alerts\n\nScott Mayhew discovered a security exploit in NFS over TLS in\ntls_alert_recv() due to its assumption it can read data from\nthe msg iterator\u0027s kvec..\n\nkTLS implementation splits TLS non-data record payload between\nthe control message buffer (which includes the type such as TLS\naler or TLS cipher change) and the rest of the payload (say TLS\nalert\u0027s level/description) which goes into the msg payload buffer.\n\nThis patch proposes to rework how control messages are setup and\nused by sock_recvmsg().\n\nIf no control message structure is setup, kTLS layer will read and\nprocess TLS data record types. As soon as it encounters a TLS control\nmessage, it would return an error. At that point, NFS can setup a\nkvec backed msg buffer and read in the control message such as a\nTLS alert. Msg iterator can advance the kvec pointer as a part of\nthe copy process thus we need to revert the iterator before calling\ninto the tls_alert_recv."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:30:34.423Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/b1df394621710b312f0393e3f240fdac0764f968"
},
{
"url": "https://git.kernel.org/stable/c/25bb3647d30a20486b5fe7cff2b0e503c16c9692"
},
{
"url": "https://git.kernel.org/stable/c/3b549da875414989f480b66835d514be80a0bd9c"
},
{
"url": "https://git.kernel.org/stable/c/6b33c31cc788073bfbed9297e1f4486ed73d87da"
},
{
"url": "https://git.kernel.org/stable/c/bee47cb026e762841f3faece47b51f985e215edb"
}
],
"title": "sunrpc: fix handling of server side tls alerts",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38566",
"datePublished": "2025-08-19T17:02:42.506Z",
"dateReserved": "2025-04-16T04:51:24.025Z",
"dateUpdated": "2026-05-11T21:30:34.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…